oss-sec mailing list archives

Re: CVE's for Drupal Contrib 2012 001 through 057 (67 new CVE assignments)


From: Greg Knaddison <greg.knaddison () acquia com>
Date: Wed, 11 Apr 2012 15:30:50 -0600

On Tue, Apr 10, 2012 at 1:08 PM, Kurt Seifried <kseifried () redhat com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/10/2012 10:30 AM, Greg Knaddison wrote:
>> "NO CVE","SA-CONTRIB-2012-050","CDN2 Video -
>> Unsupported","https://drupal.org/node/1506542"
>>
>> While the backend service and module are no longer active, there
>> are 70 sites using this module that are vulnerable to CSRF/XSS. What
>> is the reason not to give it a CVE?
>
> I was under the impression that if the backend was off the plugin
> wouldn't work/expose the vuln. I could of course be wrong; if so, I'll
> assign a CVE.

I believe the XSS exists even without the backend. On review I'm less
confident the CSRF is in the module or the service.

>> If you have any further suggestions on how we can improve the
>> content or formatting of the SAs please let me know.
>
> Direct links to the code commits fixing them would be nice =)

We probably can't do this, though it is a fairly common request. Our
current policy is not to discuss the specific details for at least 2
weeks and closer to 6 months if possible. Project usage shows that
most site builders don't upgrade very quickly.

I didn't see an answer to my question about asking for CVE identifiers
on Wednesdays after the SAs are released. I assumed that would be
helpful so I just started doing that.

Thanks!
Greg

-- 
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com