Date: Tue, 24 Jun 2014 10:29:33 -0400 (EDT) From: cve-assign@...re.org To: hanno@...eck.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: piwigo before 2.6.3 sql injection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > So the sql injection only affects the beta and we have another > "unclear" vulnerability and need two CVEs? We will wait a short time for any other comments from anyone before assigning the two CVEs. One other observation is that 3089 says "Product Version 2.6.2" and "An admin can perform an SQL injection." Also, http://piwigo.org/forum/viewtopic.php?id=24009 is from 2014-06-11 whereas http://piwigo.org/bugs/view.php?id=3089 is from 2014-06-12. So, possibly, the requirement for admin access was part of the motivation for not pushing out a new release immediately. And, the lack of the fix in 2.6.3 might be a result of the bug perhaps not being discovered until the day after the 2.6.3 release. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTqYraAAoJEKllVAevmvmsIosIAKDw3uYMNhOwcPeZ/BHnRuTq 5BTdbwu9W21c717iXIDVKWmiBZ96r7wrt3SeAUA5UidFqCYx7Qlg9+Ff58Tmw7O/ tJ7o5dhJS09nRj1TSG5+W6KdeiitTHVDtCXYDc20xgnAQqnNotuS2O4kqhWjH20j xEIHCH6N1ePel+5vnaSO7vqOwJIoXUsb8VXVeLpnZUUgv2hCbLIFB2PZhmIWylll 2eFABF4i1Uwze/gzeY7Xk7kFRn9hzCASKRZ1p8Bn5fko8FJ1CA+Rx935DoBkPt+n cY7vfdj2zOCJLGPKXvLAUh1GofSI++wiu6pEs4twHz2/B5MxlmE/OFooNURHzwI= =LH2i -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.