Date: Thu, 8 Dec 2016 01:40:01 -0500 From: <cve-assign@...re.org> To: <carnil@...ian.org> CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>, <scott@...terman.com> Subject: Re: CVE Request: html5lib: potential cross-site scripting vulnerablity: quote attributes that need escaping in legacy browsers -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > As found in > https://www.sourceclear.com/registry/security/cross-site-scripting-xss-/python/sid-3068/fix > html5lib fixed a cross-site scripting vulnerability in upstream > version 0.99999999 with commit > > https://github.com/html5lib/html5lib-python/commit/9b8d8eb5afbc066b7fac9390f5ec75e5e8a7cab7 > > References: > > https://github.com/html5lib/html5lib-python/issues/11 > https://github.com/html5lib/html5lib-python/issues/12 > > Question about the CVE assignment for html5lib was raised as well in > https://github.com/mozilla/bleach/issues/229 We are not sure of the optimal way to represent this in CVE. We are making this mapping, which we feel is adequate: Use CVE-2016-9909 for the mishandling of the '<' character in attribute values. Use CVE-2016-9910 for the mishandling of all of the other mentioned characters in attribute values. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYSPwUAAoJEHb/MwWLVhi2HSwP/3e58+AisDyrqaNcdRNrQvPG ri5lDi8E9AFA38gx2IEdyavHzmzc+dCFUz/KGrapeHV94MLiAszUJTK1kB9nqesI iagSlx9sbYZcwCvbpiKcYex8UvKMR24CX2faoxtzJulycsulrvYzJ9Jskq4aylCQ pw7XipGJMs3gHHaSCThGq2t/w5zEiHdYSfKjixKdwk9jczhLihoRSueGkDDyBy5O M9q27mSccXHEDa2Xq6Eyio6rsTsckA9DRYh0L36JYn83XhMqBdqK00LnfgfUorzi tN4Mrxgci7pAE4JFTqrK9aR+LJht1oLf2Z79foucvIRyiyU5swVEKFz8HekEMbEm wAVmV67qV6A/bfR23/86JoQNSv7WjYoqrfue0tAY4Q1EM5fF4qN590lWT3bfDprT 3wX9o8+3xt+JwSSQZdfw13jqjoJyxX10waJLcM02L72dM57OH7u8vB9c4xIiU14w /lhJxfW4DDNl4DNYuNE3Yj/auAPUCXhJfrY4RpjLFmfFSP48i2PNlgHCGXkE5cen 5OmoaJN58L7Vi2q4cgEtUPdqGCQGawfZ5NXIhOyTrP2dcdAa6r+RqStlMH6MB2Cx IEMvqZCxmKtFKOZdx+svgjtvaQ6zs6Csc+z1GBTQc64nJH52ivV+e6Vb446hJNXR TsPjDC+UafOQstWKp4Qe =ZAOJ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.