oss-sec mailing list archives
Re: CVE request: lxr
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Fri, 14 May 2010 15:32:18 -0400
Josh,

The XSS in the title string was already assigned CVE-2010-1448. Do you mean to assign issue #2, the XSS reflected in search results?

-Dan

On Fri, May 14, 2010 at 3:28 PM, Josh Bressers <bressers () redhat com> wrote:
> ----- "Dan Rosenberg" <dan.j.rosenberg () gmail com> wrote:
>
> > Sorry for not making this explicitly clear. There are three issues:
> >
> > 1. XSS in the ident parameter, as described in CVE-2009-4497.
> > 2. XSS that is reflected via the search results page after issuing a search.
> > 3. XSS that is reflected via the <title> tag on the search page, as described in Raphael's original e-mail a few days ago, which Josh just assigned CVE-2010-1448.
> >
> > Bugs 1 and 2 were fixed simultaneously, as indicated in the 2010-01-05 changelog entry for LXR:
> >
> > 2010-01-05 18:00  mbox
> >
> >         * ident, search: Fix for CVE-2009-4497 from Dan Rosenberg
> >           Avoid a XSS vulnerability
> >
> > Bug 3 was fixed a few days later on 2010-01-15, as indicated by:
> >
> > 2010-01-15 23:23  mbox
> >
> >         * lib/LXR/Common.pm: Fix XSS exploit in title string
> >
> > So, while my original intent at the time of disclosure was to have a single CVE identifier assigned to cover all three of these issues, that obviously did not happen. As it stands, bugs 1 and 3 have their own CVE identifiers, and bug 2 remains unassigned.
>
> Sorry this took so long.
>
> CVE-2010-1625 lxr lib/LXR/Common.pm: Fix XSS exploit in title string
>
> The diff is here:
> http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.63&r2=1.64
>
> Thanks
>
> --
>     JB
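The thread describes the same reflected-XSS pattern in three places: a request parameter echoed into the search results body and into the page's <title>. The Perl below is an added illustration of that pattern and of the escaping fix, not code from LXR or from the diff linked above; the two render functions, the constructed payload and the sample hit list are assumptions made for the example and do not reproduce LXR's search code.

```perl
#!/usr/bin/perl
# Added example (not LXR code): a search page that reflects the query into
# both the <title> and the results body, shown unescaped and then escaped.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Vulnerable form: the search string is interpolated raw into the <title>
# and into the results paragraph, the pattern described for bugs 2 and 3.
sub render_search_unsafe {
    my ($query, @hits) = @_;
    my $body = join "\n", map { "<li>$_</li>" } @hits;
    return "<html><head><title>Search: $query</title></head>\n"
         . "<body><p>Results for $query</p><ul>\n$body</ul></body></html>\n";
}

# Hardened form: every untrusted value is entity-encoded before it is placed
# in HTML. encode_entities rewrites < > & " (and other unsafe characters) as
# entities, so the input can neither close the <title> element with </title>
# nor open a tag in the body; one escaping step covers both contexts.
sub render_search_safe {
    my ($query, @hits) = @_;
    my $q    = encode_entities($query);
    my $body = join "\n", map { "<li>" . encode_entities($_) . "</li>" } @hits;
    return "<html><head><title>Search: $q</title></head>\n"
         . "<body><p>Results for $q</p><ul>\n$body</ul></body></html>\n";
}

# Constructed input for the demonstration: a query that ends the <title>
# element and injects a script, plus one "hit" carrying markup of its own.
my $payload = '</title><script>alert(1)</script>';
my @hits    = ('lib/LXR/Common.pm', '<b>not a real hit</b>');

print "unsafe:\n", render_search_unsafe($payload, @hits), "\n";
print "safe:\n",   render_search_safe($payload, @hits),   "\n";

# Reviewer's check: the hardened output must not carry the breakout sequence
# or any tag derived from the input, only the template's own markup.
my $safe = render_search_safe($payload, @hits);
die "title breakout survived escaping\n" if $safe =~ m{</title>\s*<script}i;
die "body markup survived escaping\n"    if $safe =~ m{<b>}i;
print "ok: no injected markup survives encode_entities\n";
```

Run it with `perl` and compare the two outputs: in the unsafe rendering the query terminates the <title> element and the browser executes the script that follows, while in the safe rendering the same bytes appear as literal text in both the title bar and the results list. The title context matters because <title> content is raw text to the parser, so the only way out of it is a literal `</title>`; escaping `<` removes that exit as well as the usual tag injection in the body.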
Current thread:
- CVE request: lxr Raphael Geissert (May 02)
- Re: CVE request: lxr Dan Rosenberg (May 03)
- Re: CVE request: lxr Henri Salo (May 03)
- Re: CVE request: lxr Josh Bressers (May 03)
- Re: CVE request: lxr Henri Salo (May 03)
- Re: CVE request: lxr Dan Rosenberg (May 03)
- Re: CVE request: lxr Henri Salo (May 03)
- Re: CVE request: lxr Steven M. Christey (May 06)
- Re: CVE request: lxr Dan Rosenberg (May 06)
- Re: CVE request: lxr Josh Bressers (May 14)
- Re: CVE request: lxr Dan Rosenberg (May 14)
- Re: CVE request: lxr Josh Bressers (May 14)
- Re: CVE request: lxr Dan Rosenberg (May 03)