Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Apr 2015 13:17:13 -0400 (EDT)
From: cve-assign@...re.org
To: hannes.trunde@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: SQL injection vulnerability in WordPress plugins Community Events 1.3.5, Tune Library 1.5.4, WP Symposium 15.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>> 3) WP Symposium plugin SQL injection vulnerability
>>> Affected version: 15.1 (and likely all versions below)
>>> Fixed version: Not yet available, author is working on a fix
>>> Plugin URL: https://wordpress.org/plugins/wp-symposium/  (still disabled by
>>> WordPress.org team)

>> Is this different from
>> 
>>   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8810

> it's definitely a different vulnerability, as CVE-2014-8810 regards a SQL
> injection vulnerability in ajax/mail_functions.php whereas the problem I
> discovered exists in a forum function.

Use CVE-2015-3325.


> By the way - what would be the best way to publish the vulnerability
> details? A reply to this thread or posting it to Exploit-DB, Packet Storm or
> other mailing lists like Fulldisc or Bugtraq?

MITRE doesn't have any role in establishing the policies for use of
the oss-security list. The types of information you sent earlier --
references with vague changelog entries "Fixed for SQL injection
vulnerabilities" and "Fix SQL injection vulnerabilities" -- are
normally considered valid reports of open-source vulnerabilities,
e.g., a person who is neither the discoverer nor the vendor might
notice such a changelog entry and send it here. However, it is
somewhat unusual for a discoverer to choose a multi-stage approach in
which that level of a vague information is provided in one
oss-security post and full details are sent in a later post.

Our only suggestion for this case is that, given that the multi-stage
approach is already in progress, it would probably be best to
establish a link in at least one direction, e.g., either:

  - your full advisory should include a link to
    http://openwall.com/lists/oss-security/2015/04/14/5
    so that this previous discussion can be found

  or

  - you should make a later oss-security post in this thread, with a
    link to the public URL(s) for your full advisory, which might
    be in any of the four locations that you proposed

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVL+4XAAoJEKllVAevmvmsSRIIAL1P3iPwL+r5WzeumB+X11Ry
4KnNwj/qDbXYHQNHlBov9cG5vwPfk/Z7GR3lJW67Q1Ow9HBthZ9HWRVBytM8far9
aMls9vZ3evFkPYLDjmRsrcHSX7uFC2E7FPnHdhD+ee4dYQYebz5655EFQHvcc3hS
AwqTZBGva7qi/kRz+O2UqFsgOIUivhtx84BFW7NqaLSARwcXpBIXF4hc1mPiA1cQ
u2IKsn+Pnxi8cgCpQtvK4crMPhDznQiCzIIHoynqylgInHNiwL4AjgDYQrJQe6un
SAr2stOjdAsNQeF2OA0m4ajF46v5Kls2tfvbDwmlIrq8xieN3+e9OY8oNf4xl5s=
=5gid
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.