Date: Thu, 21 May 2009 17:52:23 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: moin


On Wed, 6 May 2009, Steffen Joeris wrote:

> This upstream commit[0] is slightly different than the issues described in
> CVE-2009-1482 and I think it deserves another CVE id to separate the XSS
> issues. The Debian bug[1] can also be used as a reference.
> Steve, what do you think?

This is a different vector that isn't directly covered by that CVE, and
may not have been fixed entirely when CVE-2009-1482 was fixed, so a new
CVE can be considered.

However, we generally avoid including "defense-in-depth" fixes unless they
can be demonstrated to be exploitable - or, if a vendor plans to release
an advisory "just to be safe."

The changeset says "maybe not XSS exploitable though" so I'm not sure
whether a CVE's needed yet.

- Steve
