Message-ID: <Pine.GSO.4.51.0905211745010.18536@faron.mitre.org>
Date: Thu, 21 May 2009 17:52:23 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: moin


On Wed, 6 May 2009, Steffen Joeris wrote:

> This upstream commit[0] is slightly different than the issues described in
> CVE-2009-1482 and I think it deserves another CVE id to separate the XSS
> issues. The Debian bug[1] can also be used as a reference.
> Steve, what do you think?

This is a different vector that isn't directly covered by that CVE, and
may not have been fixed entirely when CVE-2009-1482 was fixed, so a new
CVE can be considered.

However, we generally avoid including "defense-in-depth" fixes unless they
can be demonstrated to be exploitable - or, if a vendor plans to release
an advisory "just to be safe."

The changeset says "maybe not XSS exploitable though" so I'm not sure
whether a CVE's needed yet.

- Steve
