List:       oss-security
Subject:    Re: [oss-security] CVE request: XSS is Google Web Toolkit (GWT)
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-10-31 3:22:57
Message-ID: 50909991.9050504 () redhat ! com

On 10/29/2012 07:26 PM, David Jorm wrote:
> I note that with the release of google web toolkit (GWT) 2.5, a
> security flaw has been resolved. The best details I can find are
> at:
> 
> https://developers.google.com/web-toolkit/release-notes#Release_Notes_2_4_0
> (scroll to "Security vulnerability in GWT 2.4")
> 
> The release notes state:
> 
> "Recently, the GWT team discovered a cross-site scripting
> vulnerability in the 2.4 Beta and Release Candidate releases (not
> in v2.3 GA or v2.4 GA). This vulnerability was partially fixed in
> the 2.4 GA release and completely fixed in the 2.5 GA release. If
> you have an app that's been built with 2.4 then you'll need to get
> the latest 2.5 release, recompile your app, and redeploy."
> 
> I can't find any details on the flaw, a CVE ID, a public bug or a
> commit. I have contacted security@google asking for these details,
> but no response yet. Can we assign a CVE ID to this flaw in the
> absence of these details?
> 
> Thanks

Ok no replies from Google security@ or anyone else at Google.

Please use CVE-2012-4563 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
