Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 18 Jul 2013 21:33:21 +0000
From: "Christey, Steven M." <coley@...re.org>
To: Andrew Nacin <nacin@...dpress.org>
CC: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
	"Kurt Seifried" <kseifried@...hat.com>, Jay Turla <shipcodez@...il.com>
Subject: RE: Re: SWFUpload <= (Object Injection/CSRF)
 Vulnerabilities Multiple flaws

Andrew Nacin said:

>So, CVE-2013-4145 is a duplicate of CVE-2012-3414, *not* of CVE-2012-2399.

OK, thanks for the clarification.  I found some additional clarity in your announcement of the SWFUpload fork: http://make.wordpress.org/core/2013/06/21/secure-swfupload/

>That said, given that CVE-2012-2399 was not publicly described at the
>time, I would not be surprised if one or more CVEs have been issued
>for the same XSS via buttonText at one point.

Oh, me neither.  Think I ran across a couple examples already.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.