oss-sec mailing list archives

Re: CVE Request for Drupal Contributed Modules


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 03 Oct 2012 23:39:40 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/03/2012 10:23 PM, Joshua Brauer wrote:
Thanks these have been posted and I'll have more catching up
tomorrow.

Just to verify the process CVE-2012-4472 SA-CONTRIB-2012-108 is for
multiple vulnerabilities which Drupal issued one advisory about. In
the past I think these got separate CVE's and we have in our
process to report it once for each vulnerability. Which leads to
the questions: 1) Should it have multiple CVE's? 2) Should we be
reporting these separately or all on one?

Sorry I was reading the titles of the advisories, usually they say
"multiple issues" when there are multiple issues, "SA-CONTRIB-2012-108
- Drag & Drop Gallery - Arbitrary PHP code execution". Oops.

Thanks, Josh

Thanks, Josh - on behalf of the Drupal security team.

Perfect, this is easy =).

Please use the following CVEs:

CVE-2012-4468 SA-CONTRIB-2012-104
CVE-2012-4469 SA-CONTRIB-2012-105
CVE-2012-4470 SA-CONTRIB-2012-106
CVE-2012-4471 SA-CONTRIB-2012-107
CVE-2012-4472 SA-CONTRIB-2012-108
CVE-2012-4473 SA-CONTRIB-2012-109
CVE-2012-4474 SA-CONTRIB-2012-110
CVE-2012-4475 SA-CONTRIB-2012-111


Ok so a clarification on CVE-2012-4472 SA-CONTRIB-2012-108 and some
additional CVEs:

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Scripting
Please use CVE-2012-4476 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Access bypass
Please use CVE-2012-4477 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Cross Site Request Forgery
Please use CVE-2012-4478 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - SQL Injection
Please use CVE-2012-4479 for this issue.

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution
Please continue to use CVE-2012-4472 (it's the most serious one and
listed in the title of the web page currently).


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQbSEcAAoJEBYNRVNeJnmTzGEP/RsG5IUUr9moP/p7qC3NJmw1
0p1khI8zXxmlZtUNU6suh4LRBPSOYcA2SGMC7xsTuDGV1tbJkN7Rr5t+SYeJ6qQP
KNrf6XYPP3HZsQJvkE8Hg/X7W62W9Vjc+4OOny2LYIMIM+i8GqS2W56YGodvbQQv
wOtIcLdq0jwG8yOmKDhtNxJeyY1v89Ln5cjoqB6oPgb/EOq5EnAvHyLGiXppZ45H
PV3xWiMvondje/zo1VP9ARmS/fPdXM66hRxlkgbaWhgIGKgEvUUFSQfiTxjfxbBv
SQc45bFx9AU08thaVEWKSqLgBKnLAa5yBVADaP4CwMf+X8Yrw8v62ZuzKS3Bro/N
phDZW9eGyLF+hHhlS1vor8cqBS+EF3VOYpMRx5Zf3bV0QycKhKYuvijN8B5sSX2z
zRwm8Z0k1Rc3Mya2nlaO4Rrt1wIvAEEBjUOj04UdG8eiwmEuUi2jWKoGaaIGYGSp
QFUqUzTPM4pf/PYf8QGYev7KBJDZt66LkRe/1B+l5qYo8qtXaEWS/oyf3zCQKS9t
39xkP3sNbO0QVCajnKgwZSOuE2v4hmoKnaxevdsMhozsFCllfIy3bt5pcXwHXPzY
0jX7441KtJ3FjSRmrjSoXljBvsv+bn6b6V9pLTi4AjZe0gpf0DR71IJw7WTOcWc8
Un86Mt7mCTh2VPCziQm5
=avGB
-----END PGP SIGNATURE-----
