Date: Mon, 16 Jul 2012 20:48:41 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: libjs-swfupload

On 07/16/2012 01:07 PM, Nico Golde wrote:
> Hi,
> * Kurt Seifried <kseifried@...hat.com> [2012-07-16 20:32]:
>> On 07/16/2012 12:17 PM, Nico Golde wrote:
>>> Hi, there is an XSS issue in libjs-swfupload. Can we get a CVE
>>> id for this?
>>> 
>>> Details:
>>> https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/
>>> http://code.google.com/p/swfupload/issues/detail?id=376
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681323
>>>
>> 
>> There also appears to be a CSRF vulnerability. Is there a reason
>> for only mentioning the XSS?
> 
> The CSRF is for plupload which we don't ship and I haven't looked
> at.
>
> Cheers
> Nico

It's open source though, with the rest of it, right?

Public service announcement/request:

When requesting CVEs it would be nice if people not only request
CVEs for the specific bits in an update/etc. they care about, but for
all the issues; then I have less work to do and we also get a more
complete CVE database =).


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993



