Message-ID: <5230D682.3040105@redhat.com>
Date: Wed, 11 Sep 2013 14:45:54 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Kousuke Ebihara <ebihara@...imaya.com>, security@...npne.jp
Subject: Re: CVE Request: OpenPNE 3, opWebAPIPlugin, opOpenSocialPlugin -- XXE vulnerability fix

On 09/09/2013 11:03 PM, Kousuke Ebihara wrote:
> Hi,
>
> I'm a member of OpenPNE security handling team.
>
> We've released our OSS product, OpenPNE 3, opWebAPIPlugin and
> opOpenSocialPlugin to fix XXE vulnerability.
>
> Would you assign CVEs to them?
>
> 1. OpenPNE 3 XXE Vulnerabilities
> Affects: 3.8.7, 3.6.11, 3.4.21.1, 3.2.7.6, 3.0.8.5
> Fixed: 3.8.7.1, 3.6.11.1, 3.4.21.2, 3.2.7.7, 3.0.8.6
> Commit:
> https://github.com/openpne/OpenPNE3/commit/6147099848185a82a18d1ba8aa84e69a7eadfcba
>
> Security Advisory: http://www.openpne.jp/archives/12091/
> Original reporter of this vulnerability: Kousuke Ebihara
>
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type: Allows unauthorized disclosure of information; Allows
> unauthorized modification; Allows disruption of service

Please use CVE-2013-4333 for this issue.

> 2. opWebAPIPlugin XXE Vulnerabilities
> Affects: 0.5.1, 0.4.0, 0.1.0
> Fixed: 0.5.1.1, 0.4.0.1, 0.1.0.1
> Commit:
> https://github.com/ebihara/opWebAPIPlugin/commit/8820a4a8d7b8c8fbfa4533cc5645f371d454ca5b
>
> Security Advisory: http://www.openpne.jp/archives/12091/
> Original reporter of this vulnerability: Kousuke Ebihara
>
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type: Allows unauthorized disclosure of information; Allows
> unauthorized modification; Allows disruption of service

Please use CVE-2013-4334 for this issue.

> 3. opOpenSocialPlugin XXE Vulnerabilities
> Affects: 0.8.2.1, 0.9.9.2, 0.9.13, 1.2.6
> Fixed: 0.8.2.2, 0.9.9.3, 0.9.13.1, 1.2.6.1
> Commit:
> https://github.com/openpne-ospt/opOpenSocialPlugin/commit/a19c02997cf3045ad18b57c14a05465bfb3ae88c
>
> Security Advisory: http://www.openpne.jp/archives/12091/
> Original reporter of this vulnerability: Kousuke Ebihara
>
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Impact Type: Allows unauthorized disclosure of information; Allows
> unauthorized modification; Allows disruption of service

Please use CVE-2013-4335 for this issue.

> Thanks,
> Kousuke

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993