oss-sec mailing list archives

Re: CVE request: eZ Publish: insecure direct object reference


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 20 Mar 2012 10:58:58 -0600

On 03/20/2012 02:53 AM, Luc ABRIC wrote:
Hi,

Now that a CVE ID has been attributed, what am I supposed to do with the details of the vulnerability?

A normal workflow would be to work with the vendor(s) on fixing it and
then when they release an update you release a security advisory
publicly at the same time or later (e.g. to give people time to update).

Should I post them to vendor-sec? We don't want the details to leak to the public before the fix is fully rolled out, 
but we'd like to start working on the content of the CVE (make sure you have all needed information, etc.).

Vendor-sec no longer exists, the linux-distros list has replaced it,
http://oss-security.openwall.org/wiki/mailing-lists/linux-distros

you can certainly post there but be aware that issues posted there
typically fall under a 2 week max embargo, so if you need longer you
should hold off. Also linux-distros really only applies for stuff that
Linux/BSD distros ship, third party software that no-one ships isn't
really all that relevant. I have no idea if anyone ships eZ publish.

Also, should I continue posting to oss-sec, or is mailing you (Kurt) enough?

I don't need anything else, I just assign the CVEs. Mitre does the
actual write-up based on the info, publishing, etc. Posting to oss-sec is
ideal, they will see it for sure.

Regards,
Luc.



-- 
Kurt Seifried Red Hat Security Response Team (SRT)

