Message-Id: <201312232030.rBNKUhbR007398@linus.mitre.org>
Date: Mon, 23 Dec 2013 15:30:43 -0500 (EST)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, bremner@...ian.org
Subject: Re: CVE Request: gitolite world writable files for fresh installs of v3.5.3

>> Brief description (main points of announcement): Fresh installs
>> between fa06a34 (approx Sep 3rd) and v3.5.3, inclusive, create a few
>> world writable files.

> gitolite previous to that commit also was vulnerable to a local
> filesystem information leak: Depending on the user umask running
> gitolite setup, he might create world readable files

Use CVE-2013-7203 for this issue that affects additional older
versions of gitolite that were not affected by CVE-2013-4451.

> although different versions are affected, if I understand it correctly
> both fall under CWE-276

The different-versions observation is what makes it necessary to have
separate CVE IDs.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]