oss-sec mailing list archives
Re: Strange CVE situation (at least one ID should come of this)
From: Josh Bressers <bressers () redhat com>
Date: Wed, 5 Dec 2012 20:50:57 -0500 (EST)
----- Original Message -----
> * [2012-12-03 22:26:29 -0700] Kurt Seifried wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 10/26/2012 01:54 PM, Josh Bressers wrote:
> > > Hello,
> > >
> > > This Squirrelmail plugin came to my attention a few weeks back:
> > > http://squirrelmail.org/plugin_view.php?id=117
> > >
> > > It's from 2004, which is suspect in itself, but I took a look after
> > > someone asked. It's pretty scary in there. If I was to list the
> > > security problems I found after a few minutes of looking, they are:
> > >
> > > * It uses MD5 passwords
> >
> > Going with this one since there's a good number of MD5 related CVE's
> > already. Please use CVE-2012-5623 for this issue.
>
> Shouldn't this be a 2004 CVE, since it was fixed in 2004?

No, it's not fixed at all. The module would need a rather invasive rewrite to "fix" this. I really just wanted a CVE ID as a warning of "don't use this". 2004 is the last time it was updated :)

Thanks.

-- 
JB