oss-sec mailing list archives
Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 09 Nov 2012 22:47:49 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/09/2012 01:46 AM, Kurt Seifried wrote:
On 11/07/2012 09:30 AM, Matthew Wilkes wrote:
Hi *,
Jan has asked me for a breakdown of what patches in our bulk hotfix relate to what issues, so here you go:
[snip]
=> preliminary 24 CVE ids needed.
Once we get twenty four assigned I'll match them against this list in the same order.
Matt

Some questions, I put the CWEs/credits in as well:

https://plone.org/products/plone/security/advisories/20121106/01 - registerConfiglet.py CWE-306
Please use CVE-2012-5485 for this issue.
https://plone.org/products/plone/security/advisories/20121106/02 - setHeader.py CWE-113
Please use CVE-2012-5486 for this issue.
https://plone.org/products/plone/security/advisories/20121106/03 - allowmodule.py CWE-749
Please use CVE-2012-5487 for this issue.
https://plone.org/products/plone/security/advisories/20121106/04 - python_scripts.py createObject CWE-95
Please use CVE-2012-5488 for this issue.
https://plone.org/products/plone/security/advisories/20121106/05 - get_request_var_or_attr.py CWE-306
Please use CVE-2012-5489 for this issue.
https://plone.org/products/plone/security/advisories/20121106/06 - kssdevel.py CWE-79 Richard Mitchell (Plone security team)
Please use CVE-2012-5490 for this issue.
https://plone.org/products/plone/security/advisories/20121106/07 - widget_traversal.py CWE-749 David Glick (Plone Security Team)
Please use CVE-2012-5491 for this issue.
https://plone.org/products/plone/security/advisories/20121106/08 - uid_catalog.py CWE-749, CWE-306 Richard Mitchell (Plone security Team)
Please use CVE-2012-5492 for this issue.
https://plone.org/products/plone/security/advisories/20121106/09 - gtbn.py CWE-20 Alan Hoey (Plone security team)
Please use CVE-2012-5493 for this issue.
https://plone.org/products/plone/security/advisories/20121106/10 - python_scripts.py {u,}translate CWE-79 John Carr (Isotoma)
Please use CVE-2012-5494 for this issue.
https://plone.org/products/plone/security/advisories/20121106/11 - python_scripts.py go_back CWE-95
Please use CVE-2012-5495 for this issue.
https://plone.org/products/plone/security/advisories/20121106/12 - kupu_spellcheck.py CWE-116, CWE-138 Richard Mitchell (Plone security team)
Please use CVE-2012-5496 for this issue.
https://plone.org/products/plone/security/advisories/20121106/13 - membership_tool.py CWE-749, CWE-359 Daniel Kraft (d9t.de)
Please use CVE-2012-5497 for this issue.
https://plone.org/products/plone/security/advisories/20121106/14 - queryCatalog.py CWE-749 Richard Mitchell (Plone security team)
Please use CVE-2012-5498 for this issue.
https://plone.org/products/plone/security/advisories/20121106/15 - python_scripts.py formatColumns CWE-749 Richard Mitchell (Plone security team)
Please use CVE-2012-5499 for this issue.
https://plone.org/products/plone/security/advisories/20121106/16 - renameObjectsByPaths.py CWE-749, CWE-359
Please use CVE-2012-5500 for this issue.
https://plone.org/products/plone/security/advisories/20121106/17 - at_download.py CWE-306 Alessandro SauZheR
Please use CVE-2012-5501 for this issue.
https://plone.org/products/plone/security/advisories/20121106/18 - safe_html.py CWE-79 Mauro Gentile
Please use CVE-2012-5502 for this issue.
https://plone.org/products/plone/security/advisories/20121106/19 - ftp.py CWE-306 mksht80
Please use CVE-2012-5503 for this issue.
https://plone.org/products/plone/security/advisories/20121106/20 - widget_traversal.py CWE-749, CWE-79 Alan Hoey (Plone security team)
Please use CVE-2012-5504 for this issue.
https://plone.org/products/plone/security/advisories/20121106/21 - atat.py CWE-749 Roel Bruggink (fourdigits)
Please use CVE-2012-5505 for this issue.
https://plone.org/products/plone/security/advisories/20121106/22 - python_scripts.py CWE-20 David Beitey (James Cook University)
Please use CVE-2012-5506 for this issue.
https://plone.org/products/plone/security/advisories/20121106/23 - django_crypto.py CWE-208 Bastian Blank
Please use CVE-2012-5507 for this issue.
https://plone.org/products/plone/security/advisories/20121106/24 - random_string CWE-330 Christian Heimes
Please use CVE-2012-5508 for this issue.
It looks like some of these can be CVE merged, e.g. 14 and 15, 1 and 5, can you confirm that these should not be merged? http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html
As per Steve ignore the merge stuff.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQneqEAAoJEBYNRVNeJnmTmhwP/AqUx62/8yYq8raCGnT0KMtF
8bbFQ+mNIUtn4/ASs29ZhuHbFzukAqtqoNm+eCOk+AOgcwCKJmESaifAu1YllfWj
BvoEXD3pN6ZHDrRfbp+0zHQfW30brYCkE2SLP74Y0wJUIZtL4bW5oQdKK0WH8AZf
SbwGuKzsp1Fcmv2b1zYyX/egf4w2GSbEbP8pqiSX3AsqqhmqE9IcDYYx1pZyZ+Dq
elcpaU0+Xu4yScNKnyZkbJf9DM1FjgiBngRAV02pqEUUXXxdiPzjq1eWfWC7hEHJ
LQXkpl4txw4Fueq9nUZ+bE/vi+jB21cqDorjRFIZssJ0fBRG7rsgBP2IY3gJ4yMs
WJT3qoTCyjqLJydG0E/2zvrKVNTcgMlvtBO4cN8HOL6ZwPteerKtdt5xNhGVSv5c
l7P/8nbBubqxmsMQZvxeZsk958MpzzOxM3OoAXOB13T6dWMnCXsBWwfPjhYY/D3M
/t+WuGChMlrTtIe1pYQnsi5aXTYFztImGTjMN911cwCb+81wf6w9XkR3cAXfTALb
dQQDBBJCpOFG7MdX0rQhaSlNHNBlLwm/WxpUB47usxbR3pJr4RrfIQDR9gml3pvZ
h5d7BLcCd0sVRANPBK+uymHqNt1+h4JsPvVcW4JFbhoLqt5hLxv5EUjNYs6z/jdp
vSMTqypB5+jjhkeaA/u3
=yIva
-----END PGP SIGNATURE-----