Date: Thu, 09 Aug 2012 11:51:11 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Robbie Mackay <robbie@...ahidi.com>, Heather Leson <HLeson@...ahidi.com>
Subject: Re: CVE request for Ushahidi

On 08/01/2012 10:50 PM, Robbie Mackay wrote:
> Hi Kurt, I've added info on which researcher discovered the
> vulnerability in each commit. Any other info needed?
> 
> Thanks, Robbie Mackay Software Developer, External Projects,
> Ushahidi Inc

Ok I split these up by reporter as per CVE guidelines.

***********************
> * Multiple SQL injections (Reported by Timothy D. Morgan, Kees
> Cook, postmodern )

=====================
> https://github.com/ushahidi/Ushahidi_Web/commit/fdb48d1 (identified
> by Ushahidi dev team) 
> https://github.com/ushahidi/Ushahidi_Web/commit/4764792 (identified
> by Ushahidi dev team) 
> https://github.com/ushahidi/Ushahidi_Web/commit/d954093 (identified
> by Ushahidi dev team)

Please use CVE-2012-3468 for these issues

=====================
> https://github.com/ushahidi/Ushahidi_Web/commit/6f6a919
> (postmodern) 
> https://github.com/ushahidi/Ushahidi_Web/commit/68d9916
> (postmodern) 
> https://github.com/ushahidi/Ushahidi_Web/commit/e0e2b66
> (postmodern) 
> https://github.com/ushahidi/Ushahidi_Web/commit/a11d43c
> (postmodern)

Please use CVE-2012-3469 for these issues

=====================
> https://github.com/ushahidi/Ushahidi_Web/commit/3301e48 (Kees
> Cook)

Please use CVE-2012-3470 for these issues

=====================
> https://github.com/ushahidi/Ushahidi_Web/commit/3f14fa0 (Timothy
> D. Morgan)

Please use CVE-2012-3471 for these issues

**************************
> * Missing authentication on comments, reports, email API calls 
> (Reported by Kees Cook, Dennison Williams)

=====================
> https://github.com/ushahidi/Ushahidi_Web/commit/4c24325 (Dennison 
> Williams)

Please use CVE-2012-3472 for these issues

=====================
> https://github.com/ushahidi/Ushahidi_Web/commit/f67f4ad (Kees
> Cook) https://github.com/ushahidi/Ushahidi_Web/commit/13ca6f4 (Kees
> Cook)

Please use CVE-2012-3473 for these issues

**************************
> * User details exposed in comments API (Discovered by internal dev
> team) https://github.com/ushahidi/Ushahidi_Web/commit/529f353

Please use CVE-2012-3474 for these issues

**************************
> * Admin user hijacking through the installer (Reported by Wil
> Clouser) https://github.com/ushahidi/Ushahidi_Web/commit/7892559 
> https://github.com/ushahidi/Ushahidi_Web/commit/fcdad03

Please use CVE-2012-3475 for these issues

**************************
> * Stored XSS on member profile pages (Reported by Amy K. Farrell) 
> https://github.com/ushahidi/Ushahidi_Web/commit/00eae4f

Please use CVE-2012-3476 for these issues

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

