oss-sec mailing list archives
Re: Re: CVE request: webcalendar before 1.2.7
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 25 Jul 2013 02:35:57 -0600
On 07/22/2013 04:28 PM, security curmudgeon wrote:
> Kurt's reply is a good reminder of why he needs that information. Based on the original post, some of these have assignments.
>
> : Security fix: Do not show the reason for a failed login (i.e. "no such user")
>
> Likely CVE-2013-1422 / OSVDB 90668
>
> : Security fix: Escape HTML characters in category name.
>
> Likely CVE-2013-1421 / OSVDB 90669
>
> : Security fix: Check all passed in fields (either via HTML form or via
> : URL parameter) for certain malicious tags (script, embed, etc.) and
> : generate fatal error if found.
>
> This one seems like it may be new.
To reiterate: so I can confirm CVE assignments, and prevent duplicate assignments you *MUST* provide links to the code commits/vulnerable code. I don't have the time to go hunting through your source code for them. People need to start making better CVE requests, or you're not going to get CVEs from me.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Current thread:
- CVE request: webcalendar before 1.2.7 Hanno Böck (Jul 22)
- Re: CVE request: webcalendar before 1.2.7 Kurt Seifried (Jul 22)
- Re: CVE request: webcalendar before 1.2.7 security curmudgeon (Jul 22)
- Re: Re: CVE request: webcalendar before 1.2.7 Kurt Seifried (Jul 25)