Message-ID: <52123D9E.2010706@redhat.com>
Date: Mon, 19 Aug 2013 09:45:34 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: kseifried@...hat.com
CC: oss-security@...ts.openwall.com, Thijs Kinkhorst <thijs@...ian.org>
Subject: Re: [CVE request] Django 1.4.6 security release

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/14/2013 09:06 PM, Kurt Seifried wrote:
> On 08/14/2013 02:11 AM, Thijs Kinkhorst wrote:
>> On Wed, August 14, 2013 09:42, Kurt Seifried wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 08/13/2013 11:31 PM, Moritz Muehlenhoff wrote:
>>>> Hi, this needs two CVE assignments:
>>>> https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
>>>
>>> Please provide links to the vulnerable code/fixed code thanks.
>
>> Links to the patches of the various affected release branches
>> can be found at the bottom of the quoted URL.
>
>> Thijs
>
> For the Issue: Cross-site scripting (XSS) in admin interface
> please use CVE-2013-4249 for this issue.
>
> For Issue: Cross-site scripting (XSS) in admin interface I'm going
> to consider this as security hardening unless someone tells me
> otherwise.

Ahh this should be:

For the Issue: Cross-site scripting (XSS) in admin interface please use
CVE-2013-4249 for this issue.

For the second issue: Issue: Possible XSS via is_safe_url I'm going to
consider this as security hardening unless someone tells me otherwise.

Thanks to vdanen for pointing this out.
- -- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSEj2dAAoJEBYNRVNeJnmTKeoQAIz5AHdXMEji0E/6yY1vfqCZ
yIoqoA9tGOcmdai7q0//6dHb4vBML/m6QmfBknc7BVEcehrA78A0pJeRGtQ/Waga
IhSWSGU7Wr0Pk+rWFZhMu1DYWQqaa+fdGrB/d3jSU83lJMwMvEEnwodnp/LMCbC2
0k4BL8rbj1E6R8pJcyqG85RMdWqoMJW4+7bnFxlz8di5UWuGwuThvCiqibqCYmv5
fsj9E5OuXrm7eOa7HKddmhl8ZnLVln8E5jcGrdiC8s++qGDdoHps3+Q4DJwrV/J3
KMm/PZPzHWQ5pI3/+XlMX+b00ekJsgJXzmpT1qw0wMinnQWjBb2/Mtc8C44ogPyr
sl5gL9Py6+u2rcc3V0lY240BILMruQMB8NFolN3dXtmeQvxI1ip2tUphKjxJidfB
d+0ntbPaKdA5v1+AxZOnnV9NmpUW20YBXqX6kznGdNjknBxjp6RqvbqfKYz0YUcn
KjpCUzOcbnRcUrWhv8Vp/dtCLf+SAX2+KDj+Q6AHLTRuzwucgijH/tAhE8gaah3k
JwxzpZh1DjlHxhjfGA4f74/+9yYTPPYuvbSMZ8NuCu/V9GMVTWjgq0A8HKUt9CH0
urwqspp6hh4NG8EOICPF8uk0sYzOron3WMEuABnXzJTLTSmERdRARGXOYy0EbrO9
O3urq3HysUte9cf5L5Bc
=PR5f
-----END PGP SIGNATURE-----
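The "Possible XSS via is_safe_url" item the message classes as hardening concerns a redirect-target check that only compares the URL's host against the current host, so a target with no host part but an unexpected scheme (javascript:, data:) passes and is then handed to the browser as a redirect. The following is an added, editorial example, not Django's is_safe_url or any code from the thread or the linked release notes: a host-only check beside a hardened one that also restricts the scheme, run over constructed sample redirect targets. The function names, the sample URLs and the current host "example.com" are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed sample redirect targets for the example (not from the original message).
SAMPLES = [
    "/accounts/profile/",                       # relative path, should be allowed
    "https://example.com/next",                 # absolute URL on our own host, allowed
    "//evil.example/phish",                     # protocol-relative foreign host, must be rejected
    "javascript:alert(document.cookie)",        # no host at all, dangerous scheme
    "data:text/html,<script>alert(1)</script>", # no host at all, dangerous scheme
]


def weak_is_safe_url(url, host):
    """Host-only check (hypothetical): rejects foreign hosts but passes
    any URL whose netloc is empty, so a scheme-only URL slips through."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def hardened_is_safe_url(url, host):
    """Hardened check (hypothetical): same host rule, plus the scheme,
    when present, must be http or https."""
    if not url:
        return False
    parts = urlparse(url)
    if parts.netloc and parts.netloc != host:
        return False
    return not parts.scheme or parts.scheme in ("http", "https")


def classify(host):
    """Return {url: (weak_result, hardened_result)} for every sample."""
    return {u: (weak_is_safe_url(u, host), hardened_is_safe_url(u, host)) for u in SAMPLES}


if __name__ == "__main__":
    for url, (weak, hard) in classify("example.com").items():
        print(f"{url!r:50} weak={weak!s:5} hardened={hard}")
```

The two URLs that split the checks are the scheme-only ones: urlparse gives them an empty netloc, so a host comparison alone has nothing to reject, while a scheme allow-list catches them. The example does not cover every parser quirk a real implementation has to handle (for instance backslashes or a scheme followed by an empty authority), which is why an allow-list on scheme rather than a block-list on known-bad schemes is the safer shape.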