Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <52DA221B.3050700@redhat.com>
Date: Fri, 17 Jan 2014 23:41:31 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: mmcallis@...hat.com, Kohsuke Kawaguchi <kk@...suke.org>
Subject: Re: CVE-2013-6488: Jenkins fails to sanitize input
 before adding it to the page

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/16/2014 11:39 PM, Reed Loden wrote:
> On Fri, 17 Jan 2014 13:02:03 +1100 Murray McAllister
> <mmcallis@...hat.com> wrote:
> 
>> We recently received a report from Teguh P. Alko about an issue 
>> affecting Jenkins. Input was not sanitized before adding it to
>> the page. The fix is public here since the start of 2013:
>> 
>> https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e
>
>> 
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
>
> 
is the security advisory that includes the above fix.
> 
>> This could be used for copy and paste attacks, with the end
>> result being similar to that of cross-site scripting attacks. It
>> has been assigned CVE-2013-6488.
> 
> Fairly sure that's just a dupe of CVE-2013-0328. See 
> http://seclists.org/oss-sec/2013/q1/368.
> 
>> Please credit at least "Teguh P. Alko" in any advisories.
> 
> Why? He/she's not the original reporter.
> 
>> I am Cc'ing Reed to see if he knows who the other independent
>> reporter is (from that Jira "SECURITY-46" bug in the above
>> commit; as I understand it those bugs are not made public but I
>> could be wrong).
> 
> Jenkins's SECURITY-46 maps to 
> https://bugzilla.mozilla.org/show_bug.cgi?id=819251, which I just 
> opened up. The reporter is "Atulkumar Hariba Shedage".
> 
> Hope that helps.
> 
> ~reed

The problem is we can't easily map things against a security advisory
such as

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16

because there is minimal details. There is no mention of which issue
if which and so on. If you can include the ISSUE-NN number in
advisories in future that will prevent such problems, thanks!

If this is indeed a duplicate than yes we need to REJECT CVE-2013-6488

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJS2iIbAAoJEBYNRVNeJnmTCPkP/jowT8Y+V2yCHoi3gtUq2miF
RbZiXL9xussZEs2e3B6F1jGua7lDa7sYC5vi4hDgRZU38+GMhQSj3pAEVykddnL5
5s9X8AFtpwOfs7N556BYGloDeIRpQ3GpgyIOzh8l7rV5r5C39sQsGcIqJr3DuiOf
EODHTayODOW2kULvhJyqvWtHywjAWYHxL4AVVnQ6vio+j8pDk7mX2/MDRLNn4cI4
fG0YIZWAVycBvxRbOsSj+ocim3YiDGUXo7kdagDXyHxFBZJMJUh2NJ4TnbOAefKG
hS9QsdI2fey+8XLisT3bA6fJH3gtGT3qjctdSz9pOTklwNGzTss3rTMs7UeDo97i
5AfyznIZDbl2/GoXtV3nJvoX3QuK1RgnvA70C28bNMfx+qh6rPYvAD5/ziDOnlEn
EepXuGVgW+KLgv81EdC/4h1RPJceRrjuCpV1baRUBOfLsAid8udSwccMf6+z1PQp
DQ/srBSXWYOx7Erp58jFLfjnTJiBa2syhlFoOJ6asenik+spNWehmXzURTdujtHW
PJQSXj7DYv8J2GeLOG8CoUnpaHXhV8tp2g/d23i0ygHeIDWISCo19o/eNWLdfydk
D9AX47dy4dB20s7eVIcx3O17++t0W83mczj/8nXUZGViYHdfVc0Jal5dnatvIjIn
uSNKaaP57hIXeHGdaDKC
=vb1o
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.