oss-sec mailing list archives
Re: CVE Request for Drupal Contributed Modules
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 03 Oct 2012 23:39:40 -0600
On 10/03/2012 10:23 PM, Joshua Brauer wrote:
> Thanks these have been posted and I'll have more catching up tomorrow. Just to verify the process CVE-2012-4472 SA-CONTRIB-2012-108 is for multiple vulnerabilities which Drupal issued one advisory about. In the past I think these got separate CVE's and we have in our process to report it once for each vulnerability. Which leads to the questions:
>
> 1) Should it have multiple CVE's?
> 2) Should we be reporting these separately or all on one?

Sorry I was reading the titles of the advisories, usually they say "multiple issues" when there are multiple issues, "SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution". Oops.

> Thanks, Josh
>
>>> Thanks, Josh - on behalf of the Drupal security team.
>>
>> Perfect, this is easy =). Please use the following CVEs:
>>
>> CVE-2012-4468 SA-CONTRIB-2012-104
>> CVE-2012-4469 SA-CONTRIB-2012-105
>> CVE-2012-4470 SA-CONTRIB-2012-106
>> CVE-2012-4471 SA-CONTRIB-2012-107
>> CVE-2012-4472 SA-CONTRIB-2012-108
>> CVE-2012-4473 SA-CONTRIB-2012-109
>> CVE-2012-4474 SA-CONTRIB-2012-110
>> CVE-2012-4475 SA-CONTRIB-2012-111

Ok so a clarification on CVE-2012-4472 SA-CONTRIB-2012-108 and some additional CVEs:

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Scripting
Please use CVE-2012-4476 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Access bypass
Please use CVE-2012-4477 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Request Forgery
Please use CVE-2012-4478 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - SQL Injection
Please use CVE-2012-4479 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution
Please continue to use CVE-2012-4472 (it's the most serious one and listed in the title of the web page currently).

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993