Message-ID: <509DEA85.4020105@redhat.com>
Date: Fri, 09 Nov 2012 22:47:49 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Matthew Wilkes <matthew.wilkes@...ne.org>, Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Jan Pokorny <jpokorny@...hat.com>, Plone Security Team <security@...ne.org>, Mitre CVE assign department <cve-assign@...re.org>
Subject: Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix

On 11/09/2012 01:46 AM, Kurt Seifried wrote:
> On 11/07/2012 09:30 AM, Matthew Wilkes wrote:
>> Hi *,
>
>> Jan has asked me for a breakdown of what patches in our bulk
>> hotfix relate to what issues, so here you go:
>
> [snip]
>
>>> => preliminary 24 CVE ids needed.
>
>> Once we get twenty four assigned I'll match them against this list
>> in the same order.
>
>> Matt
>
> Some questions, I put the CWE's/credits in as well:
>
> https://plone.org/products/plone/security/advisories/20121106/01 -
> registerConfiglet.py CWE-306

Please use CVE-2012-5485 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/02 -
> setHeader.py CWE-113

Please use CVE-2012-5486 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/03 -
> allowmodule.py CWE-749

Please use CVE-2012-5487 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/04 -
> python_scripts.py createObject CWE-95

Please use CVE-2012-5488 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/05 -
> get_request_var_or_attr.py CWE-306

Please use CVE-2012-5489 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/06 -
> kssdevel.py CWE-79 Richard Mitchell (Plone security team)

Please use CVE-2012-5490 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/07 -
> widget_traversal.py CWE-749 David Glick (Plone Security Team)

Please use CVE-2012-5491 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/08 -
> uid_catalog.py CWE-749, CWE-306 Richard Mitchell (Plone security Team)

Please use CVE-2012-5492 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/09 -
> gtbn.py CWE-20 Alan Hoey (Plone security team)

Please use CVE-2012-5493 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/10 -
> python_scripts.py {u,}translate CWE-79 John Carr (Isotoma)

Please use CVE-2012-5494 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/11 -
> python_scripts.py go_back CWE-95

Please use CVE-2012-5495 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/12 -
> kupu_spellcheck.py CWE-116, CWE-138 Richard Mitchell (Plone security team)

Please use CVE-2012-5496 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/13 -
> membership_tool.py CWE-749, CWE-359 Daniel Kraft (d9t.de)

Please use CVE-2012-5497 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/14 -
> queryCatalog.py CWE-749 Richard Mitchell (Plone security team)

Please use CVE-2012-5498 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/15 -
> python_scripts.py formatColumns CWE-749 Richard Mitchell (Plone
> security team)

Please use CVE-2012-5499 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/16 -
> renameObjectsByPaths.py CWE-749, CWE-359

Please use CVE-2012-5500 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/17 -
> at_download.py CWE-306 Alessandro SauZheR

Please use CVE-2012-5501 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/18 -
> safe_html.py CWE-79 Mauro Gentile

Please use CVE-2012-5502 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/19 -
> ftp.py CWE-306 mksht80

Please use CVE-2012-5503 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/20 -
> widget_traversal.py CWE-749, CWE-79 Alan Hoey (Plone security team)

Please use CVE-2012-5504 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/21 -
> atat.py CWE-749 Roel Bruggink (fourdigits)

Please use CVE-2012-5505 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/22 -
> python_scripts.py CWE-20 David Beitey (James Cook University)

Please use CVE-2012-5506 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/23 -
> django_crypto.py CWE-208 Bastian Blank

Please use CVE-2012-5507 for this issue.

> https://plone.org/products/plone/security/advisories/20121106/24 -
> random_string CWE-330 Christian Heimes

Please use CVE-2012-5508 for this issue.

> It looks like some of these can be CVE merged, e.g. 14 and 15, 1 and
> 5, can you confirm that these should not be merged?
>
> http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html

As per Steve ignore the merge stuff.
-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993