Message-ID: <52DA221B.3050700@redhat.com>
Date: Fri, 17 Jan 2014 23:41:31 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: mmcallis@...hat.com, Kohsuke Kawaguchi <kk@...suke.org>
Subject: Re: CVE-2013-6488: Jenkins fails to sanitize input before adding it to the page

On 01/16/2014 11:39 PM, Reed Loden wrote:
> On Fri, 17 Jan 2014 13:02:03 +1100 Murray McAllister
> <mmcallis@...hat.com> wrote:
>
>> We recently received a report from Teguh P. Alko about an issue
>> affecting Jenkins. Input was not sanitized before adding it to
>> the page. The fix is public here since the start of 2013:
>>
>> https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e
>
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
> is the security advisory that includes the above fix.
>
>> This could be used for copy and paste attacks, with the end
>> result being similar to that of cross-site scripting attacks. It
>> has been assigned CVE-2013-6488.
>
> Fairly sure that's just a dupe of CVE-2013-0328. See
> http://seclists.org/oss-sec/2013/q1/368.
>
>> Please credit at least "Teguh P. Alko" in any advisories.
>
> Why? He/she's not the original reporter.
>
>> I am Cc'ing Reed to see if he knows who the other independent
>> reporter is (from that Jira "SECURITY-46" bug in the above
>> commit; as I understand it those bugs are not made public but I
>> could be wrong).
>
> Jenkins's SECURITY-46 maps to
> https://bugzilla.mozilla.org/show_bug.cgi?id=819251, which I just
> opened up. The reporter is "Atulkumar Hariba Shedage".
>
> Hope that helps.
>
> ~reed

The problem is we can't easily map things against a security advisory such as
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
because there are minimal details. There is no mention of which issue is which and so on.

If you can include the ISSUE-NN number in advisories in future that will prevent such problems, thanks!

If this is indeed a duplicate then yes we need to REJECT CVE-2013-6488.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993