Re: [security] CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues)

[Greg Knaddison <greg.knaddison () gmail com>]

Response below.

On Thu, Jan 17, 2013 at 8:50 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:
> @Drupal security team - could you clarify if to fix the first issue,
> there was yet some other Drupal specific patch / change (besides the
> JQuery library update), which would require yet another (fourth) CVE
> id to be allocated?

The fix we added to Drupal does not require (or implement) an update
to the jQuery library at all; rather it works around the issue
entirely within Drupal's code.  I think that means it should get its
own CVE ID.

We did it this way because it means that any other Drupal packages,
such as drupal7-jquery_update, would not be expected to have a
vulnerability as long as the core update is applied.

I believe this means that yes, we will need a fourth CVE id to be allocated.

Thanks,
Greg