oss-sec mailing list archives
Re: CVE request: drupal issue in < 5.9
From: Miklos Vajna <vmiklos () frugalware org>
Date: Sun, 27 Jul 2008 16:59:59 +0200
On Sat, Jul 26, 2008 at 04:44:16PM -0400, "Steven M. Christey" <coley () linus mitre org> wrote:
> My interpretation of this new advisory is that they meant to fix the session fixation in 5.8, but they didn't. The original advisory covered multiple other issues as well. So this new advisory might better be considered a clarification of versions for the session fixation, rather than a regression error or incomplete fix (which would require a new CVE). Granted, the lack of specifics from Drupal makes it difficult to be certain about what happened.
As far as I can see, they wanted to fix the session fixation issue in 5.8, but the fix did not solve the problem, as you say. I asked for a CVE because we already released an advisory for 5.8 with the old CVE, we released a new one for 5.9, and I thought it would be better if there were a common ID for the new "session fixation in 5.8" issue.