Message-ID: <Pine.GSO.4.64.1105091522240.1528@faron.mitre.org>
Date: Mon, 9 May 2011 15:26:01 -0400 (EDT)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request : client-side file creation via XSLT
 in Webkit


Nicolas,

After deeper investigation, this appears to be CVE-2011-1425, which was 
requested by you and assigned on March 14 (hopefully with email 
notification to you), and published through CVE on April 2 or 3 after an 
xmlsec announcement 
http://www.aleksey.com/pipermail/xmlsec/2011/009120.html

CVE-2011-1425 points to both changeset 79159 and Webkit bug 52688.

Are you talking about a different XSLT file-overwrite issue than 
CVE-2011-1425?

- Steve


On Mon, 9 May 2011, Nicolas Grégoire wrote:

>
> The bug was opened on January 18 :
> https://bugs.webkit.org/show_bug.cgi?id=52688 (restricted)
>
> A patch has been available since February 20 :
> http://trac.webkit.org/changeset/79159 (public)
>
> Given some recent mail exchanges with Apple, they still have not
> affected a CVE to this issue. Could you please allocate one, in order
> for me to have an easier job communicating with the numerous impacted
> vendors (many Linux distributions, RIM, Maxthon, ...) ?
>
> Regards,
> Nicolas Grégoire
>
>
