Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 09 Nov 2012 01:46:36 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/07/2012 09:30 AM, Matthew Wilkes wrote:
Hi *,

Jan has asked me for a breakdown of what patches in our bulk
hotfix relate to what issues, so here you go:

[snip]

=>  preliminary 24 CVE ids needed.

Once we get twenty four assigned I'll match them against this list
in the same order.

Matt

Some questions, I put the CWE's/credits in as well:

https://plone.org/products/plone/security/advisories/20121106/01 -
registerConfiglet.py CWE-306
https://plone.org/products/plone/security/advisories/20121106/02 -
setHeader.py CWE-113
https://plone.org/products/plone/security/advisories/20121106/03 -
allowmodule.py CWE-749
https://plone.org/products/plone/security/advisories/20121106/04 -
python_scripts.py createObject CWE-95
https://plone.org/products/plone/security/advisories/20121106/05 -
get_request_var_or_attr.py CWE-306
https://plone.org/products/plone/security/advisories/20121106/06 -
kssdevel.py CWE-79 Richard Mitchell (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/07 -
widget_traversal.py CWE-749 David Glick (Plone Security Team)
https://plone.org/products/plone/security/advisories/20121106/08 -
uid_catalog.py CWE-749, CWE-306 Richard Mitchell (Plone security Team)
https://plone.org/products/plone/security/advisories/20121106/09 -
gtbn.py CWE-20 Alan Hoey (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/10 -
python_scripts.py {u,}translate CWE-79 John Carr (Isotoma)
https://plone.org/products/plone/security/advisories/20121106/11 -
python_scripts.py go_back CWE-95
https://plone.org/products/plone/security/advisories/20121106/12 -
kupu_spellcheck.py CWE-116, CWE-138 Richard Mitchell (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/13 -
membership_tool.py CWE-749, CWE-359 Daniel Kraft (d9t.de)
https://plone.org/products/plone/security/advisories/20121106/14 -
queryCatalog.py CWE-749 Richard Mitchell (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/15 -
python_scripts.py formatColumns CWE-749 Richard Mitchell (Plone
security team)
https://plone.org/products/plone/security/advisories/20121106/16 -
renameObjectsByPaths.py CWE-749, CWE-359
https://plone.org/products/plone/security/advisories/20121106/17 -
at_download.py CWE-306 Alessandro SauZheR
https://plone.org/products/plone/security/advisories/20121106/18 -
safe_html.py CWE-79 Mauro Gentile
https://plone.org/products/plone/security/advisories/20121106/19 -
ftp.py CWE-306 mksht80
https://plone.org/products/plone/security/advisories/20121106/20 -
widget_traversal.py CWE-749, CWE-79 Alan Hoey (Plone security team)
https://plone.org/products/plone/security/advisories/20121106/21 -
atat.py CWE-749 Roel Bruggink (fourdigits)
https://plone.org/products/plone/security/advisories/20121106/22 -
python_scripts.py CWE-20 David Beitey (James Cook University)
https://plone.org/products/plone/security/advisories/20121106/23 -
django_crypto.py CWE-208 Bastian Blank
https://plone.org/products/plone/security/advisories/20121106/24 -
random_string CWE-330 Christian Heimes

It looks like some of these can be CVE merged, e.g. 14 and 15, 1 and
5, can you confirm that these should not be merged?

http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html




- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQnMLsAAoJEBYNRVNeJnmTBu4QAJctLDmHK6ls1gbCJlt0O7n3
q2YbmhcviJHlKOAxxmTjEhwRSMp2O7H4vChaDCobSQU/1KUelkbykqD+9r3UPijN
dkYOYIwsKpXytEJ3dgcecjEm23Y4lDsGrFIWHsEFD/oBXMV6kZgWxnhZDpGlAoqY
D1/joZ7iqg9fp6ZsNmUipCFOLxNcF5gz0pbqfbGtNT4WBW7UAjSZlhAFPTsLWbXK
yOnZqeDHt7QsRPrIbL0+nPT07uzoNFxGujpfNMW0YNi8hnM7WgVeacVkySuWg55d
skNeHJ13WZMXyGwT5AxwrjZB0Nsr1Xnq+3xmLNo06cIwyq6WnTeUygKQSUm6ZfIz
XoMRkx2FTc4mlnhDvCRr47pXxVy+uMKZpwRTumT0NLTR617jz6IG1//ZGumEceVu
W7CDQmtyuoBcLSj3tDgabp1wGtIhihp6S4M48W38UTgl4ORl9Gn5/TgcNTzOgCID
Ou44Wwp7sKYGEMruWbrdYwvexTCiTMUK9IMxwyK6ZcGffDPOhy+iPjW9Dd3v2VeY
2/7+25b066yZXRdqVHBlhk47JT98ybqNxy5RtZ3X+Rh9VmcaAtAXinjbXlIZAcB/
papl270uREr6I2D1n3/zFmWIx6SGwjXzdbF85zYobqVj1/vfrvH5J1bpI6kSV5w4
OHMfYYAbisJaV+zLJ467
=138r
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]