oss-sec mailing list archives
Re: [security] CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues)
From: Forest Monsen <forest.monsen () gmail com>
Date: Sun, 20 Jan 2013 21:39:22 -0800
CVE assignment team: Please at least copy security () drupal org when all four CVE identifiers have been assigned, and we'll make sure they're publicly attached to the vulnerabilities as usual. Thanks again to Jan for ferreting out this issue. Best, Forest On Fri, Jan 18, 2013 at 3:02 PM, Greg Knaddison <greg.knaddison () gmail com>wrote:
Response below. On Thu, Jan 17, 2013 at 8:50 AM, Jan Lieskovsky <jlieskov () redhat com> wrote:@Drupal security team - could you clarify if to fix the first issue, there was yet some other Drupal specific patch / change (besides the JQuery library update), which would require yet another (fourth) CVE id to be allocated?The fix we added to Drupal does not require (or implement) an update to the jQuery library at all; rather it works around the issue entirely within Drupal's code. I think that means it should get its own CVE ID. We did it this way because it means that any other Drupal packages, such as drupal7-jquery_update, would not be expected to have a vulnerability as long as the core update is applied. I believe this means that yes, we will need a fourth CVE id to be allocated. Thanks, Greg -- [ Security | http://lists.drupal.org/mailman/listinfo/security ] [Security team mailing list management and scheduling is documented here | https://security.drupal.org/handling-list-emails]
Current thread:
- CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues) Jan Lieskovsky (Jan 17)
- Re: [security] CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues) Greg Knaddison (Jan 18)
- Re: [security] CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues) Forest Monsen (Jan 20)
- Re: [security] CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues) Greg Knaddison (Jan 18)