oss-sec mailing list archives
Re: CVE request: moin
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 21 May 2009 17:52:23 -0400 (EDT)
On Wed, 6 May 2009, Steffen Joeris wrote:
> This upstream commit[0] is slightly different than the issues described in CVE-2009-1482 and I think it deserves another CVE id to separate the XSS issues. The Debian bug[1] can also be used as a reference. Steve, what do you think?
This is a different vector that isn't directly covered by that CVE, and may not have been fixed entirely when CVE-2009-1482 was fixed, so a new CVE can be considered. However, we generally avoid including "defense-in-depth" fixes unless they can be demonstrated to be exploitable - or, if a vendor plans to release an advisory "just to be safe." The changeset says "maybe not XSS exploitable though" so I'm not sure whether a CVE's needed yet.
- Steve