[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Re: YUI 2.x security issue regarding embedded SWF files -- or, How Not To Handle A Se
From: cve-assign () mitre ! org
Date: 2012-11-16 17:22:44
Message-ID: 201211161722.qAGHMiRP017397 () linus ! mitre ! org
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>Ok please use CVE-2012-5475 for this issue.
Here's an explanation of why MITRE didn't use CVE-2012-5475.
In 2010, YUI announced these three issues (see the
http://web.archive.org/web/20101028125444/http://yuilibrary.com/support/2.8.2/
URL):
charts.swf XSS affecting 2.4.0 through 2.8.1
uploader.swf XSS affecting 2.5.0 through 2.8.1
swfstore.swf XSS affecting 2.8.0 through 2.8.1
These were assigned 3 CVEs to reflect the different affected versions:
CVE-2010-4207
CVE-2010-4208
CVE-2010-4209
The recent 2012 announcement at
http://yuilibrary.com/support/20121030-vulnerability/ had an
essentially identical pattern of affected versions. Because of this,
we published 3 CVEs for consistency with the 2010 outcome:
CVE-2012-5881 charts.swf XSS affecting 2.4.0 through 2.9.0
CVE-2012-5882 uploader.swf XSS affecting 2.5.0 through 2.9.0
CVE-2012-5883 swfstore.swf XSS affecting 2.8.0 through 2.9.0
CVE-2012-5475 needed to be rejected in the process:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5475
We don't know why the original URL for the 2010 disclosure isn't
available with its original content. (Currently /support/2.8.2/ is a
301 redirect to the new
http://yuilibrary.com/support/20121030-vulnerability/ web page.) In
any case, the web.archive.org URL above has the 2010 data that
supports the 2010 abstraction choice.
We'll most likely update CVE-2010-4207, CVE-2010-4208, and
CVE-2010-4209 to delete the old
CONFIRM:http://yuilibrary.com/support/2.8.2/
reference, and add the new
CONFIRM:http://web.archive.org/web/20101028125444/http://yuilibrary.com/support/2.8.2/
reference. We think this is a good idea when a discloser's original
URL for one vulnerability is suddenly changed to only cover another
vulnerability. (We're much less certain that it's a good idea to
change to a web.archive.org URL, if one exists, in all of the many 404
and 403 error cases for other references in other CVEs.)
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
iQEcBAEBAgAGBQJQpnReAAoJEGvefgSNfHMd1MMH/iTfETyz8Sypj6swjHxIwtWy
m9Cv8/NgYcIydHDI3442Iyr7BbXKJ+duDH5v3kz30iznwcUnQRsqm13S4e68k3Xr
JBstDxN146GjRerJo21CU1kRxRBiMVtQ0AQYLmDzTaSRDZDQpvCCFEhVu6FJK8xj
wsuELgdY6ka5G/X7lERvSKjgOflhkEcSCK7ue51ow+LtO8tzwI88hCCNzBnVYxKj
bpyLO+P8uThucIqxsnYqCP1r3Xqi+mywmDOp2Q4o2Sh5x6rhK4UWlBkbdUmvlCKF
ql+HcJR88k220o684xI1uA7/dcR+baCKiPbnCb2M8yvDXrS/cfYqSXkKU1FGR/Q=
=fn2A
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic