List:       oss-security
Subject:    [oss-security] Re: CVE requests for Review Board
From:       Christian Hammond <christian () beanbaginc ! com>
Date:       2014-07-23 0:13:18
Message-ID: etPan.53cefe1e.5cc4ca6f.13beb () varia ! chipx86 ! com


My apologies. We usually go through someone else for CVEs, and he directed us this time to contact this address. We'll be more careful in the future.

Thanks!

- Christian

--  
Christian Hammond -  christian@beanbaginc.com
Review Board -  http://www.reviewboard.org
Beanbag, Inc. -  http://www.beanbaginc.com

On July 22, 2014 at 2:40:58 PM, cve-assign@mitre.org (cve-assign@mitre.org) wrote:

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  

> https://www.reviewboard.org/news/2014/07/22/review-board-1-7-27-and-2-0-3-security-releases/  
> July 22, 2014 - 2:07 AM  
> Review Board 1.7.27 and 2.0.3 security releases  

> One of the security vulnerabilities allowed an attacker to construct a  
> URL that would inject custom JavaScript into the page, which could  
> then be passed to a user, allowing the custom code to run in their  
> session.  

Use CVE-2014-5027.  


> The other vulnerability allowed users without access to a private  
> review request to construct a URL for accessing original or patched  
> files from the repository, if they knew the right series of database  
> IDs.  

Use CVE-2014-5028.  

(Incidentally, we're not sure whether the original request sent July 21  
was within the oss-security list charter. MITRE does not control the list  
charter, but  

http://oss-security.openwall.org/wiki/mailing-lists/oss-security  

says "List Content Guidelines ... Public security issues only please"  
whereas the original request said "two security vulnerabilities ...  
Neither are publicly disclosed." If you want a CVE ID for an  
undisclosed vulnerability in the future -- for example, because you  
want to include the CVE ID number when the  
https://www.reviewboard.org/news/ entry first becomes public -- there  
are other options, such as sending the CVE request directly to  
cve-assign@mitre.org instead.)  

--  
CVE assignment team, MITRE CVE Numbering Authority  
M/S M300  
202 Burlington Road, Bedford, MA 01730 USA  
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]  

