oss-sec mailing list archives

Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 09 Nov 2012 22:47:49 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/09/2012 01:46 AM, Kurt Seifried wrote:
> On 11/07/2012 09:30 AM, Matthew Wilkes wrote:
>> Hi *,
>>
>> Jan has asked me for a breakdown of what patches in our bulk
>> hotfix relate to what issues, so here you go:
>>
>> [snip]
>>
>> =>  preliminary 24 CVE IDs needed.
>>
>> Once we get twenty-four assigned I'll match them against this list
>> in the same order.
>>
>> Matt
>
> Some questions; I put the CWEs/credits in as well:
>
> https://plone.org/products/plone/security/advisories/20121106/01 -
> registerConfiglet.py CWE-306
>
> Please use CVE-2012-5485 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/02 -
> setHeader.py CWE-113
>
> Please use CVE-2012-5486 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/03 -
> allowmodule.py CWE-749
>
> Please use CVE-2012-5487 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/04 -
> python_scripts.py createObject CWE-95
>
> Please use CVE-2012-5488 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/05 -
> get_request_var_or_attr.py CWE-306
>
> Please use CVE-2012-5489 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/06 -
> kssdevel.py CWE-79 Richard Mitchell (Plone security team)
>
> Please use CVE-2012-5490 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/07 -
> widget_traversal.py CWE-749 David Glick (Plone security team)
>
> Please use CVE-2012-5491 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/08 -
> uid_catalog.py CWE-749, CWE-306 Richard Mitchell (Plone security team)
>
> Please use CVE-2012-5492 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/09 -
> gtbn.py CWE-20 Alan Hoey (Plone security team)
>
> Please use CVE-2012-5493 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/10 -
> python_scripts.py {u,}translate CWE-79 John Carr (Isotoma)
>
> Please use CVE-2012-5494 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/11 -
> python_scripts.py go_back CWE-95
>
> Please use CVE-2012-5495 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/12 -
> kupu_spellcheck.py CWE-116, CWE-138 Richard Mitchell (Plone security team)
>
> Please use CVE-2012-5496 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/13 -
> membership_tool.py CWE-749, CWE-359 Daniel Kraft (d9t.de)
>
> Please use CVE-2012-5497 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/14 -
> queryCatalog.py CWE-749 Richard Mitchell (Plone security team)
>
> Please use CVE-2012-5498 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/15 -
> python_scripts.py formatColumns CWE-749 Richard Mitchell (Plone
> security team)
>
> Please use CVE-2012-5499 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/16 -
> renameObjectsByPaths.py CWE-749, CWE-359
>
> Please use CVE-2012-5500 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/17 -
> at_download.py CWE-306 Alessandro SauZheR
>
> Please use CVE-2012-5501 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/18 -
> safe_html.py CWE-79 Mauro Gentile
>
> Please use CVE-2012-5502 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/19 -
> ftp.py CWE-306 mksht80
>
> Please use CVE-2012-5503 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/20 -
> widget_traversal.py CWE-749, CWE-79 Alan Hoey (Plone security team)
>
> Please use CVE-2012-5504 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/21 -
> atat.py CWE-749 Roel Bruggink (fourdigits)
>
> Please use CVE-2012-5505 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/22 -
> python_scripts.py CWE-20 David Beitey (James Cook University)
>
> Please use CVE-2012-5506 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/23 -
> django_crypto.py CWE-208 Bastian Blank
>
> Please use CVE-2012-5507 for this issue.
>
> https://plone.org/products/plone/security/advisories/20121106/24 -
> random_string CWE-330 Christian Heimes
>
> Please use CVE-2012-5508 for this issue.
>
> It looks like some of these can be CVE merged, e.g. 14 and 15, 1 and
> 5; can you confirm that these should not be merged?
>
> http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html

As per Steve ignore the merge stuff.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



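Items 23 and 24 in the list above tag django_crypto.py with CWE-208 (observable timing discrepancy) and random_string with CWE-330 (insufficiently random values). The advisories themselves are not reproduced on this page, so what follows is an added illustration of the CWE-208 weakness class in general, not Plone's or Django's code and not a description of what was fixed in the hotfix. It makes the side channel deterministic: leaky_compare returns how many bytes it examined before bailing out (the quantity a real early-exit comparison leaks through elapsed time), recover_secret uses only that oracle to rebuild a secret one byte at a time, and constant_time_compare is the standard fix built on hmac.compare_digest, which inspects every byte whatever the position of the first mismatch. The 16-byte hex secret and the hex alphabet are constructed for the demo; the function names are the example's own.

```python
import hmac

# Constructed demo alphabet: the secret is assumed to be lowercase hex.
HEX_ALPHABET = b"0123456789abcdef"


def leaky_compare(expected: bytes, supplied: bytes):
    """Early-exit byte comparison, the CWE-208 pattern.

    Returns (equal, bytes_examined). A real implementation leaks
    bytes_examined through elapsed time; returning it directly makes
    the side channel deterministic for this demonstration.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, supplied: bytes) -> bool:
    """The fix: hmac.compare_digest inspects every byte, so the cost
    does not depend on where the first mismatch occurs."""
    return hmac.compare_digest(expected, supplied)


def recover_secret(secret: bytes, alphabet: bytes = HEX_ALPHABET):
    """Reconstruct `secret` using only the bytes_examined oracle.

    With the first i bytes already correct, a guess is examined i+1 times
    when byte i is wrong, and more than i+1 times (or compares equal when
    i is the last position) when byte i is right. That turns a search
    over alphabet**len(secret) candidates into at most
    len(alphabet) * len(secret) oracle queries.
    Returns (recovered, oracle_calls).
    """
    known = bytearray()
    calls = 0
    for pos in range(len(secret)):
        padding = b"\x00" * (len(secret) - pos - 1)
        for c in alphabet:
            guess = bytes(known) + bytes([c]) + padding
            equal, examined = leaky_compare(secret, guess)
            calls += 1
            if equal or examined > pos + 1:
                known.append(c)
                break
        else:
            raise ValueError("secret byte %d not in alphabet" % pos)
    return bytes(known), calls


if __name__ == "__main__":
    secret = b"deadbeefcafef00d"  # constructed demo value
    recovered, calls = recover_secret(secret)
    print("recovered %r in %d oracle calls" % (recovered, calls))
    print("constant-time check:", constant_time_compare(secret, recovered))
```

Run as a script it recovers the whole secret in at most 16 queries per byte (256 here) instead of 16**16 for a blind search, which is the practical impact of a CWE-208 comparison guarding a MAC or token. In real code the oracle is noisy timing rather than an exact count, so the attacker needs repeated measurements per guess, but the per-byte structure of the attack is the same; the remedy is to compare with hmac.compare_digest (or an equivalent fixed-cost routine) rather than with == or an early-exit loop.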