oss-sec mailing list archives
Re: CVE request - Evergreen
From: cve-assign () mitre org
Date: Tue, 3 Mar 2015 22:15:20 -0500 (EST)
Thanks for the clarification. Reorganizing and rewording gives these three CVE IDs:

CVE-2013-7435
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
https://bugs.launchpad.net/evergreen/+bug/1206589
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063
scope =
  - in version 2.7.3, there is a major vulnerability in which a setting's history can be viewed by an unauthenticated attacker

CVE-2015-2203
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
https://bugs.launchpad.net/evergreen/+bug/1206589
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063
scope =
  - in version 2.7.4, there is a minor vulnerability in which a setting's history can be viewed by all persons with the staff role, which would include unauthorized staff in many realistic deployments. This might be fixed in a future release by forcing all access to use cstore, or by some other undetermined change.

CVE-2015-2204
http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/
http://evergreen-ils.org/downloads/ChangeLog-2.7.3-2.7.4
https://bugs.launchpad.net/evergreen/+bug/1424755
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]