Date: Wed, 11 Dec 2013 23:44:44 -0500 (EST)
From: cve-assign@...re.org
To: forest.monsen@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request for Drupal core, and contributed modules

SA-CONTRIB-2013-093   CVE-2013-7063

SA-CONTRIB-2013-094   CVE-2013-7064

Note that this says 'The module doesn't sufficiently fiter [sic] and
validate configuration values entered by administrators. This
vulnerability is mitigated by the fact that an attacker must have a
role with the permission "Administer EU Cookie Compliance popup".' Our
perspective is that, typically, web applications do not have a threat
model in which crafted configuration settings entered by admins are a
vector that qualifies for a CVE assignment. You, in the context of
representing the "vendor" of the module, are allowed to have that
threat model if you want to. (This is entirely reasonable if an XSS
attack would realistically result in privilege escalation to a
higher-level admin account.) If you want to reconsider, we can
optionally reject this CVE for you. Otherwise, it will remain a valid
(and non-disputed) CVE.


SA-CONTRIB-2013-095
  Posting content into groups where a user is not a member CVE-2013-7065
  Inconsistent access checking in posting content CVE-2013-7068

SA-CONTRIB-2013-096   CVE-2013-7066

SA-CONTRIB-2013-097   CVE-2013-7067

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]