
List:       oss-security
Subject:    Re: [oss-security] CVE request: moin
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2009-05-21 21:52:23
Message-ID: Pine.GSO.4.51.0905211745010.18536 () faron ! mitre ! org


On Wed, 6 May 2009, Steffen Joeris wrote:

> This upstream commit[0] is slightly different than the issues described in
> CVE-2009-1482 and I think it deserves another CVE id to separate the XSS
> issues. The Debian bug[1] can also be used as a reference.
> Steve, what do you think?

This is a different vector that isn't directly covered by that CVE, and
may not have been fixed entirely when CVE-2009-1482 was fixed, so a new
CVE can be considered.

However, we generally avoid including "defense-in-depth" fixes unless they
can be demonstrated to be exploitable - or, if a vendor plans to release
an advisory "just to be safe."

The changeset says "maybe not XSS exploitable though" so I'm not sure
whether a CVE's needed yet.

- Steve