Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 14 Nov 2014 16:47:50 -0500 (EST)
From: cve-assign@...re.org
To: vdanen@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: old CVE assignments for JQuery 1.10.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We're not sure why you listed Ticket #6016 twice, but here are the CVE
IDs for these http://jqueryui.com/changelog/1.10.0/ XSS issues:

> Title, reported by shadowman131
> http://bugs.jqueryui.com/ticket/6016
> https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3

Use CVE-2010-5312.


> combobox demo, reported by DJtomy
> http://bugs.jqueryui.com/ticket/8859
> https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e

> default content - 8859 follow-on work by scott.gonzalez
> http://bugs.jqueryui.com/ticket/8861
> https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde

As far as we can tell, 5fee6fd5000072ff32f2d65b6451f39af9e0e39e
doesn't fix anything in the jQuery library, and it is reverted in
f2854408cce7e4b7fc6bf8676761904af9c96bde. We're not sure about
conventions for changelogs, but it seems potentially misleading to
just include "Fixed: XSS in combobox demo. (#8859, 5fee6fd)" in the
1.10.0 changelog anyway.

A side issue is that 5fee6fd5000072ff32f2d65b6451f39af9e0e39e, by
itself, only modified the demos/autocomplete/combobox.html file. We
realize that the demos are shipped in the jquery-ui distribution.
However, the demos typically wouldn't be part of the deployed product,
so there's a question of whether combobox.html could have its own
CVEs. In this case, the question seems largely irrelevant because
changing the combobox.html code wasn't a useful way to address a
vulnerability.

Use CVE-2012-6662 for the issue fixed in
f2854408cce7e4b7fc6bf8676761904af9c96bde.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUZnfKAAoJEKllVAevmvmscLYH/0EyGlrnj/nUyFM+RzuWzBsk
iziDAeXEyC4/5zgc38/j38eKIshmdUg7Wp49rRUXj9z88zfihZowExE+ojVZFdtC
EjK4+SZPjdb7dTdSVkeNnS4Dv6a8u6Kq2XGuV7FZ9Tx1Qs7kIscn7N2uixR8o8Tz
KatmHEksbC1phQq8QdMb+Xw/Juc3cc7aB7/vuYfkiAvEOtWfs2+EtEMnT/Y3kfVj
otiwMGAvGrCHQN9W5Vr1MNEp/rhnEsdbH7YYZMHrF3QlPN4UDlq+rk+Oooo+0nxp
aEpyLQ8VibM3nV/JUCnUCpNFt9cGlAORYOdSC8YvPlrTQ5ihHj8YVjcx+BzQo7Y=
=X1NZ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.