Re: CVE request: lxr

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

Just to clarify, two XSS bugs were fixed with a single release (new
version 0.9.8), and then ten days later, an update was included to
resolve a third XSS bug.  The original CVE was originally requested
for "multiple XSS vulnerabilities", but the description only covers
one of them.

-Dan

On Mon, May 3, 2010 at 1:49 PM, Henri Salo <henri () nerv fi> wrote:
> On Mon, 3 May 2010 13:34:05 -0400 (EDT)
> Josh Bressers <bressers () redhat com> wrote:
>
> > ----- "Henri Salo" <henri () nerv fi> wrote:
> >
> > > On Mon, 3 May 2010 09:31:16 -0400
> > > Dan Rosenberg <dan.j.rosenberg () gmail com> wrote:
> > >
> > > > I discovered and reported this bug at the same time as two other
> > > > XSS issues, including the one covered by CVE-2009-4497.  While
> > > > the commit may be a few days apart for some of these, I think
> > > > they can safely fall under the same CVE, unless it's standard
> > > > practice to assign CVEs for each of several related minor issues.
> > >
> > > Several XSS-vulnerabilities can have one CVE at least when those
> > > vulnerabilities are fixed at the same time.
> >
> > In this instance, I would assign it a new ID, as the old one already
> > exists and doesn't note both XSS fixes (it is possible someone fixed
> > just the one XSS and not both in an update).
> >
> > I've CC'd Steve Christey, for a second opinion.
> >
> > Thanks
>
> My sentence was for normal cases. I have seen several reports with
> multiple XSS-vulnerabilities. This usually is the case when someone
> audits web-applications.
>
> If the issue already has CVE-identifier already we should
> definately assign new CVE for clarity.
>
> ---
> Henri Salo