Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4EDBDEAF.9020105@redhat.com>
Date: Sun, 04 Dec 2011 13:57:19 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hanno Böck <hanno@...eck.de>
Subject: Re: CVE-request: Serendipity 'serendipity[filter][bp.ALT]'
 Cross-Site Scripting vulnerability

On 12/04/2011 12:07 PM, Hanno Böck wrote:
> Am Thu, 01 Dec 2011 13:24:19 -0700
> schrieb Kurt Seifried <kseifried@...hat.com>:
>
>> My mistake, this should have been merged into CVE-2011-4090, it's the
>> same vuln type (XSS) and the same version of Serendipity,
>> CVE-2011-4365 is a bad assignment and should be marked as a duplicate
>> of CVE-2011-4090.
> I'd disagree on that.
>
> CVE-2011-4090 is in an (optional) plugin, while CVE-2011-4365 is an
> issue in the main s9y code.
>
> Although the plugin is shipped with the core s9y, the impact is quite
> different. For 4090, you only need to care if you do something with the
> karma-plugin.
>
Correct me if I'm wrong though but in the plugin advisory it says the
fix is to upgrade serendipity to 1.6? If so then it looks like the
problem is more back end than plugin.

-- 

-Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.