Message-ID: <5041029B.60607@redhat.com>
Date: Fri, 31 Aug 2012 12:29:47 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Hanno Böck <hanno@...eck.de>
Subject: Re: CVE request: contao before 2.11.4 sql injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/31/2012 04:21 AM, Hanno Böck wrote:
> bug tracker info: https://github.com/contao/core/issues/4427
>
> Upstream changelog:
> http://contao.org/en/changelog/versions/2.11.html
> "Fixed a critical privilege escalation vulnerability which allowed
> regular users to make themselves administrators (thanks to Fabian
> Mihailowitsch) (see #4427)."
>
> I think this has no CVE yet, please assign CVE.

Please use CVE-2012-4383 for this issue.

One note/comment, in the github discussion I see:

"I think it is more urgent than the previous two security fixes, but as
you say it only works for backend users (but even if they have no user
module available). I would not thread it as immediate release, but also
not wait a few weeks..."

so it looks like they have other issues that may need CVE's as well?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQQQKbAAoJEBYNRVNeJnmTrcoP/1xMq/fkeYggmEj3jnDSORms
u/GEr6oNVe8SYeDe89noVGJ3jxypuCvXG4alu8m+ICYluymi8v+znrjUdSeUX6zY
7pIOd4jCI+lhzq0GFu7kDdkfyLze2LnA0gEK0iypcEjEVQWhyYavB/k2IkanXzhB
zAAuwSrL7A05ZAWGhcfEq6N/LLHF07s4JZiGCl+p5b1FZkWqHd6CbWO57R+aymaS
JA1g/QwqgZjhiJaeyLyczT2Bj6fAk2uPo7/2JJgfX+29S3UoiGKLFpfaI9y8EQ7r
M5ruB7s2c2wfj1hjLw4qzV479H0x+f4+38avBuJe7tLHdOgZkB1CHLAPdZQ5j6zB
s+vi+XPysKztG+/rXeaXW28PajIr2Qk842tPPxzhaz5HUhbO9Wcx38yisfZWGyoa
+DDlMD8h97bJyB02SwsaFhwO64kgSGDil0CyGSm+GJ85Dn3s0NZVQqdZPpGCogoF
XXj75D9AiSHOR51/+Z9HDpI0tO63NQgi5oS04++/Ke9YoKuGv8GHzXW2szLytKHQ
tYb4qV0u6ZhiRmmomi7h1j9Jpf9s1XIhWESXuh6JbhbNqKkRYIcEvU3gXagzpVq/
bcY0LRQJgI8eWXpqGQ4qg9ZQh6nfFydY1xC/hnP43GYOP1mI7YoGfi6LaL30pVmV
HcUAXdR4VMgIdmRHnX7V
=wvPn
-----END PGP SIGNATURE-----