oss-sec mailing list archives
Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 09 Nov 2012 01:46:36 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/07/2012 09:30 AM, Matthew Wilkes wrote:
> Hi *,
>
> Jan has asked me for a breakdown of what patches in our bulk hotfix relate to what issues, so here you go:
>
> [snip]
>
> => preliminary 24 CVE ids needed. Once we get twenty four assigned I'll match them against this list in the same order.
>
> Matt

Some questions, I put the CWEs/credits in as well:

https://plone.org/products/plone/security/advisories/20121106/01 - registerConfiglet.py CWE-306
https://plone.org/products/plone/security/advisories/20121106/02 - setHeader.py CWE-113
https://plone.org/products/plone/security/advisories/20121106/03 - allowmodule.py CWE-749
https://plone.org/products/plone/security/advisories/20121106/04 - python_scripts.py createObject CWE-95
https://plone.org/products/plone/security/advisories/20121106/05 - get_request_var_or_attr.py CWE-306
https://plone.org/products/plone/security/advisories/20121106/06 - kssdevel.py CWE-79 Richard Mitchell (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/07 - widget_traversal.py CWE-749 David Glick (Plone Security Team)
https://plone.org/products/plone/security/advisories/20121106/08 - uid_catalog.py CWE-749, CWE-306 Richard Mitchell (Plone security Team)
https://plone.org/products/plone/security/advisories/20121106/09 - gtbn.py CWE-20 Alan Hoey (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/10 - python_scripts.py {u,}translate CWE-79 John Carr (Isotoma)
https://plone.org/products/plone/security/advisories/20121106/11 - python_scripts.py go_back CWE-95
https://plone.org/products/plone/security/advisories/20121106/12 - kupu_spellcheck.py CWE-116, CWE-138 Richard Mitchell (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/13 - membership_tool.py CWE-749, CWE-359 Daniel Kraft (d9t.de)
https://plone.org/products/plone/security/advisories/20121106/14 - queryCatalog.py CWE-749 Richard Mitchell (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/15 - python_scripts.py formatColumns CWE-749 Richard Mitchell (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/16 - renameObjectsByPaths.py CWE-749, CWE-359
https://plone.org/products/plone/security/advisories/20121106/17 - at_download.py CWE-306 Alessandro SauZheR
https://plone.org/products/plone/security/advisories/20121106/18 - safe_html.py CWE-79 Mauro Gentile
https://plone.org/products/plone/security/advisories/20121106/19 - ftp.py CWE-306 mksht80
https://plone.org/products/plone/security/advisories/20121106/20 - widget_traversal.py CWE-749, CWE-79 Alan Hoey (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/21 - atat.py CWE-749 Roel Bruggink (fourdigits)
https://plone.org/products/plone/security/advisories/20121106/22 - python_scripts.py CWE-20 David Beitey (James Cook University)
https://plone.org/products/plone/security/advisories/20121106/23 - django_crypto.py CWE-208 Bastian Blank
https://plone.org/products/plone/security/advisories/20121106/24 - random_string CWE-330 Christian Heimes

It looks like some of these can be CVE merged, e.g. 14 and 15, 1 and 5, can you confirm that these should not be merged?

http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQnMLsAAoJEBYNRVNeJnmTBu4QAJctLDmHK6ls1gbCJlt0O7n3
q2YbmhcviJHlKOAxxmTjEhwRSMp2O7H4vChaDCobSQU/1KUelkbykqD+9r3UPijN
dkYOYIwsKpXytEJ3dgcecjEm23Y4lDsGrFIWHsEFD/oBXMV6kZgWxnhZDpGlAoqY
D1/joZ7iqg9fp6ZsNmUipCFOLxNcF5gz0pbqfbGtNT4WBW7UAjSZlhAFPTsLWbXK
yOnZqeDHt7QsRPrIbL0+nPT07uzoNFxGujpfNMW0YNi8hnM7WgVeacVkySuWg55d
skNeHJ13WZMXyGwT5AxwrjZB0Nsr1Xnq+3xmLNo06cIwyq6WnTeUygKQSUm6ZfIz
XoMRkx2FTc4mlnhDvCRr47pXxVy+uMKZpwRTumT0NLTR617jz6IG1//ZGumEceVu
W7CDQmtyuoBcLSj3tDgabp1wGtIhihp6S4M48W38UTgl4ORl9Gn5/TgcNTzOgCID
Ou44Wwp7sKYGEMruWbrdYwvexTCiTMUK9IMxwyK6ZcGffDPOhy+iPjW9Dd3v2VeY
2/7+25b066yZXRdqVHBlhk47JT98ybqNxy5RtZ3X+Rh9VmcaAtAXinjbXlIZAcB/
papl270uREr6I2D1n3/zFmWIx6SGwjXzdbF85zYobqVj1/vfrvH5J1bpI6kSV5w4
OHMfYYAbisJaV+zLJ467
=138r
-----END PGP SIGNATURE-----
Current thread:
- CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Jan Lieskovsky (Nov 07)
- Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Matthew Wilkes (Nov 07)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Kurt Seifried (Nov 09)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix cve-assign (Nov 09)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Matthew Wilkes (Nov 09)
- RE: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Christey, Steven M. (Nov 09)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Kurt Seifried (Nov 09)
- Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Kurt Seifried (Nov 09)
- Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix Matthew Wilkes (Nov 07)