Re: CVE Request for Drupal Contributed Modules

[Joshua Brauer <joshua () brauerranch com>]

Thanks these have been posted and I'll have more catching up tomorrow.

Just to verify the process CVE-2012-4472 SA-CONTRIB-2012-108 is for multiple vulnerabilities which Drupal issued one 
advisory about. In the past I think these got separate CVE's and we have in our process to report it once for each 
vulnerability. Which leads to the questions:
1) Should it have multiple CVE's?
2) Should we be reporting these separately or all on one?

Thanks,
Josh

On Oct 3, 2012, at 8:20 PM, Kurt Seifried <kseifried () redhat com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/03/2012 06:06 PM, Joshua Brauer wrote:
> > This is a batch CVE request for several already published/resolved
> > issues with contributed modules for the Drupal project.
> >
> > http://drupal.org/node/1649346 | SA-CONTRIB-2012-104 - Privatemsg -
> > Cross Site Scripting (XSS) http://drupal.org/node/1663306 |
> > SA-CONTRIB-2012-105 - Hashcash - Cross Site Scripting (XSS) 
> > http://drupal.org/node/1679412 | SA-CONTRIB-2012-106 - Listhandler
> > - Access Bypass http://drupal.org/node/1679422 |
> > SA-CONTRIB-2012-107 - Search autocomplete - Access bypass 
> > http://drupal.org/node/1679442 | SA-CONTRIB-2012-108 - Drag & Drop
> > Gallery - Arbitrary PHP code execution 
> > http://drupal.org/node/1679442 | SA-CONTRIB-2012-108 - Drag & Drop
> > Gallery - Cross Site Scripting http://drupal.org/node/1679442 |
> > SA-CONTRIB-2012-108 - Drag & Drop Gallery - Access bypass 
> > http://drupal.org/node/1679442 | SA-CONTRIB-2012-108 - Drag & Drop
> > Gallery - Cross Site Request Forgery http://drupal.org/node/1679442
> > | SA-CONTRIB-2012-108 - Drag & Drop Gallery - SQL Injection 
> > http://drupal.org/node/1679466 | SA-CONTRIB-2012-109 - Restrict
> > node page view - Access bypass http://drupal.org/node/1679486 |
> > SA-CONTRIB-2012-110 - Colorbox Node - Cross Site Scripting (XSS) 
> > http://drupal.org/node/1679532 | SA-CONTRIB-2012-111 - Security
> > Questions - Access Bypass
> >
> > Thanks, Josh - on behalf of the Drupal security team.
>
> Perfect, this is easy =).
>
> Please use the following CVEs:
>
> CVE-2012-4468 SA-CONTRIB-2012-104
> CVE-2012-4469 SA-CONTRIB-2012-105
> CVE-2012-4470 SA-CONTRIB-2012-106
> CVE-2012-4471 SA-CONTRIB-2012-107
> CVE-2012-4472 SA-CONTRIB-2012-108
> CVE-2012-4473 SA-CONTRIB-2012-109
> CVE-2012-4474 SA-CONTRIB-2012-110
> CVE-2012-4475 SA-CONTRIB-2012-111
>
> - -- 
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iQIcBAEBAgAGBQJQbPJzAAoJEBYNRVNeJnmTcsQP/05luypQ2Wp6z+zsSHVd+a8x
> zwj1De0kIKoEugjezID24IAYmy1G2QQTl57mRKEgb2WgWImqNBbUSvJ6fuSB9xq0
> giSwvAWTmoFFzhJBLY1TaF3L+9uo58hqp6hxTH1BpNFTfkORnUvn/HaPanUmAo/9
> DHG1R9efIYLvTTyD3ALoA8xcLTl33vnbTMgnubxOB+y/a6Ovhq1icueyshefmKGc
> AFDqLbZGcpi9D1SF28ys0pNe9q1pGxysruDo9VPJILcfq+UJctVqsf036hRg95Et
> LdhHHVk5vWVbb+yH9A0hWBxloO0iaXlIGJpPtx7xmbUVmewXWpiyvZ9Kh2/SYlEK
> N4xSPEBIbTtbmgm0qjS/zVDd3vlW0ZOeN/TVmm/mg7DZngn3QfWTC1QJ7dIisGfO
> 5FKy+NiA/kQSZdZs2GVR/Aq20oR1/kYH0YTORVR9YtdSvr0dsXv2xJIuXdeTgSR9
> f8uo6KlISk/FOUUeLN/Eoe3VmmLm9MW7OkJY6kVaTD5M/TByPz6bCQxumfXrCw+/
> OusmbwNcvBAmxQn9n9bD61+1JfvdYVsfVKafKQTpm9nXTJsQ1161trC36N1kaH5E
> WU8LeeBANz14xEX6TQVqSwcXNfYDdm9++ePKP4tMQcPav3CHpF4jSPSSEMIQuCWl
> zouflR/IkanhMJlXqCR/
> =Vs4T
> -----END PGP SIGNATURE-----