Re: CVE request: sympa (try again)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/12/2012 09:27 AM, micah anderson wrote:
> On Fri, 11 May 2012 23:58:33 -0600, Kurt Seifried
> <kseifried () redhat com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >
> > On 05/11/2012 12:03 PM, micah wrote:
> > > Hi,
> > >
> > > Please assign a CVE for Sympa, any version prior to 6.1.11. It
> > > is possible to open the archive management ("arc_manage") page
> > > for any list, even those set to only be available to members,
> > > giving anyone the option to download the archive, or delete the
> > > archive.
> > >
> > > http://www.sympa.org/distribution/latest-stable/NEWS 
> > > https://sourcesup.renater.fr/scm/viewvc.php/branches/sympa-6.0-branch/wwsympa/wwsympa.fcgi.in?root=sympa&r1=6706&r2=7358&pathrev=7358

Please
> > >
use CVE-2012-2352 for this issue.


> > > thank you, micah
> > >
> > > ps - for some reason the previous message is formatted strange,
> > > so I'm sending this one without the signature
> >
> > Ok I see this one and several more:
> >
> > ================================
> >
> > 6.1.11               May 11, 2012 Bug fixes: [7358] wwsympa/wwsympa.fcgi.in:
> > Fixing a potential security issue related to archives
> >
> > Can you confirm these and I will assign CVE's for the outstanding
> > issues.
>
> I am only able to confirm the above issue, I am not a sympa
> developer I just was involved in the above issue.

Ok I will assign one for the above.

> What sort of 'confirmation' are you looking for? It seems like the 
> changelog entries are pretty good confirmation. Perhaps you are
> looking for more details of the issues, those you could obtain from
> the sympa list.

Ideally links to code commits like you included in your request =).

> micah


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPrqCUAAoJEBYNRVNeJnmTPwsQALprGRr5jh+S8wpr07iyE5Cl
HUJ9nwiG4odTZQfelpbEsicnozB3r5DiI1tWIa9gXJHMEiczYA8SfqDYcGD4AnBu
YhW3u7UyRrXlkEM8Yr5lQKynoTERkuninY7jsAwp9M1mzzjzv2uy9PEjQflnxkNG
/N7ZBKykn/oNV3CGMT5+rtzCYwVUpygvr8cBQwK+WXKEJ+RQk+RS8h0cDb94krCi
he4bNZVE/Y10p18L9n+SbhfdNrO4Sbk8GiPurTurs7SrZWh0JD8Lm+UITkx2vKg1
42NtRap3o63Zm0Zv1E+lWeM0htO2Cy27A5vWDUprSB7U3yCtaUMIuPijfzmcwjDv
ekoky5OYS/KRs+VFti+VtAM1pQllJcHu9MvzSBKmq39cC0+/nmygqjxTTVDcaMRB
cneg4A9RL2UxehnastMRqtkOwk7W08AqallDHOTH6tQrDRT0rE1x85sHjdtY7P/0
jwRA9wRnik+Qov4p6W6l20a0KktW/vhI9Z8GjxOJVG5qxHW39Cgyj79P4hLi5g+G
tKnVkacl74ZZ/WtzgpY4Q1pHDA3mvYLPlCrumh44wt+LCm1i1ckm+jmJzpxhTlm9
R4/yvtbEJkETSEm8VmpHPapqmA+DDwvICHBMERbeMEYzN5WFKRY8754kVBQSs2L4
LXwLGYWEaBVjm493VZCL
=w6V5
-----END PGP SIGNATURE-----