List: oss-security
Subject: [oss-security] Re: CVE requests for Review Board
From: Christian Hammond <christian () beanbaginc ! com>
Date: 2014-07-23 0:13:18
Message-ID: etPan.53cefe1e.5cc4ca6f.13beb () varia ! chipx86 ! com
My apologies. We usually go through someone else for CVEs, and he directed us this time to contact this address. We'll be more careful in the future.
Thanks!
- Christian
--
Christian Hammond - christian@beanbaginc.com
Review Board - http://www.reviewboard.org
Beanbag, Inc. - http://www.beanbaginc.com
On July 22, 2014 at 2:40:58 PM, cve-assign@mitre.org (cve-assign@mitre.org) wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> https://www.reviewboard.org/news/2014/07/22/review-board-1-7-27-and-2-0-3-security-releases/
> July 22, 2014 - 2:07 AM
> Review Board 1.7.27 and 2.0.3 security releases
> One of the security vulnerabilities allowed an attacker to construct a
> URL that would inject custom JavaScript into the page, which could
> then be passed to a user, allowing the custom code to run in their
> session.
Use CVE-2014-5027.
> The other vulnerability allowed users without access to a private
> review request to construct a URL for accessing original or patched
> files from the repository, if they knew the right series of database
> IDs.
Use CVE-2014-5028.
(Incidentally, we're not sure whether the original request sent July 21
was within the oss-security list charter. MITRE does not control the list
charter, but
http://oss-security.openwall.org/wiki/mailing-lists/oss-security
says "List Content Guidelines ... Public security issues only please"
whereas the original request said "two security vulnerabilities ...
Neither are publicly disclosed." If you want a CVE ID for an
undisclosed vulnerability in the future -- for example, because you
want to include the CVE ID number when the
https://www.reviewboard.org/news/ entry first becomes public -- there
are other options, such as sending the CVE request directly to
cve-assign@mitre.org instead.)
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)
iQEcBAEBAgAGBQJTztl7AAoJEKllVAevmvmsFjEH/i3c93xE5j9OKoAH9pgUkAkV
9VOoEgRoGaHXR2YDxPkEfapYhV7RZhjTcoQlW5oftH7QXE0FsyY7VhXbetn4GMv7
bEhpzmkfz2kZN0YlBRHZr9FtuOsX8zqe77fHK3lsZsy/nBEh+W8onxZWCvThZvnA
pucywbiGjkSAIgjKzLBF2YRRs0Xv660td8zZWHz9PunJPH5yWGLi6WywUmtkCidC
pF22tWpvwJmGorN1kQFYjwavXSeE9jXRFt9kacFmWibA/z2srtMnx8EGgbbV9IrT
ENjapy6bzUo7oTO0UoALRBnGj2IbO4CvQlKMK0kwudDsplFpb7i/nrTO77uFjQw=
=STIj
-----END PGP SIGNATURE-----