Message-ID: <5004D289.5020603@redhat.com>
Date: Mon, 16 Jul 2012 20:48:41 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: libjs-swfupload

On 07/16/2012 01:07 PM, Nico Golde wrote:
> Hi,
> * Kurt Seifried <kseifried@...hat.com> [2012-07-16 20:32]:
>> On 07/16/2012 12:17 PM, Nico Golde wrote:
>>> Hi, there is an XSS issue in libjs-swfupload. Can we get a CVE
>>> id for this?
>>>
>>> Details:
>>> https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/
>>>
>>> http://code.google.com/p/swfupload/issues/detail?id=376
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681323
>>
>> There also appears to be a CSRF vulnerability. Is there a reason
>> for only mentioning the XSS?
>
> The CSRF is for plupload, which we don't ship and I haven't looked
> at.
>
> Cheers
> Nico

It's open source though, with the rest of it, right?

Public service announcement/request: When requesting CVEs it would be
nice if people not only request CVEs for the specific bits in an
update/etc. they care about, but for all the issues; then I have less
work to do and we also get a more complete CVE database =).

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993