Message-ID: <962175989.11127791.1358437849489.JavaMail.root@redhat.com>
Date: Thu, 17 Jan 2013 10:50:49 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>, Forest Monsen <forest.monsen@...il.com>, Drupal Security Team <security@...pal.org>, Mitre CVE assign department <cve-assign@...re.org>
Subject: CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues)

Hello Kurt, Steve, Forest, Drupal Security Team, vendors,

@Forest: Apologize for requesting CVE ids instead of you, but I will explain the reasons below shortly.

Drupal upstream has released Drupal 6.28 and Drupal 7.19 versions, correcting multiple security flaws:

[A] http://drupal.org/SA-CORE-2013-001

* Issue #1 - Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)
* Issue #2 - Access bypass (Book module printer friendly version - Drupal 6 and 7)
* Issue #3 - Access bypass (Image module - Drupal 7)

While the issue #1 affects also version of jquery.js JQuery JavaScript library, as shipped within Drupal, the original XSS JQuery upstream report is here:

[B] http://bugs.jquery.com/ticket/9521

with mention about the fix in JQuery 1.6.3 version here:

[C] http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/

After further look the same issue needs to be fixed also in drupal7-jquery_update:

[D] https://bugzilla.redhat.com/show_bug.cgi?id=896467
[E] http://drupal.org/project/jquery_update

and python-tw-jquery packages:

[F] http://toscawidgets.org

Also python-tw2-jquery package:

[G] http://toscawidgets.org

seems to ship various embedded versions of the jquery.js library implementation.

Since there might be more of the components / packages, shipping the vulnerable JQuery version the first CVE identifier should be allocated to the original JQuery issue.

@Drupal security team - could you clarify if to fix the first issue, there was yet some other Drupal specific patch / change (besides the JQuery library update), which would require yet another (fourth) CVE id to be allocated?

@Mitre CVE assign department team, could you clarify, if you have already assigned CVE identifiers for these issue and if so, for which source code base it was?

If Drupal upstream just updated JQuery version to not-vulnerable 1.6.3 [B], [C] within Drupal core, then three ids are sufficient (one for JQuery, one for Drupal Book module issue, one for Drupal Image module issue). On the other hand, if there was yet some Drupal specific patch (besides JQuery update) needed to fix #1 issue - four CVE identifiers should be allocated (after my understanding).

Could you allocate them / if allocated already, let us know the particular ids and which source code they were allocated for?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team