Home page logo

oss-sec logo oss-sec mailing list archives

CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 17 Jan 2013 10:50:49 -0500 (EST)

Hello Kurt, Steve, Forest, Drupal Security Team, vendors,

  @Forest: Apologize for requesting CVE ids instead of you,
but I will explain the reasons below shortly.

  Drupal upstream has released Drupal 6.28 and Drupal 7.19 versions,
correcting multiple security flaws:
[A] http://drupal.org/SA-CORE-2013-001
* Issue #1 - Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)
* Issue #2 - Access bypass (Book module printer friendly version - Drupal 6 and 7)
* Issue #3 - Access bypass (Image module - Drupal 7)

While the issue #1 affects also version of jquery.js JQuery JavaScript library,
as shipped within Drupal, the original XSS JQuery upstream report is here:
[B] http://bugs.jquery.com/ticket/9521

with mention about the fix in JQuery 1.6.3 version here:
[C] http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/

After further look the same issue needs to be fixed also in drupal7-jquery_update:
[D] https://bugzilla.redhat.com/show_bug.cgi?id=896467
[E] http://drupal.org/project/jquery_update

and python-tw-jquery packages: 
[F] http://toscawidgets.org

Also python-tw2-jquery package:
[G] http://toscawidgets.org

seems to ship various embedded versions of the jquery.js library implementation.
Since there might be more of the components / packages, shipping the vulnerable
JQuery version the first CVE identifier should be allocated to the original
JQuery issue.

@Drupal security team - could you clarify if to fix the first issue,
there was yet some other Drupal specific patch / change (besides the
JQuery library update), which would require yet another (fourth) CVE
id to be allocated?

@Mitre CVE assign department team, could you clarify, if you have already
assigned CVE identifiers for these issue and if so, for which source code
base it was?

If Drupal upstream just updated JQuery version to not-vulnerable 1.6.3 [B], [C]
within Drupal core, then three ids are sufficient (one for JQuery, one for
Drupal Book module issue, one for Drupal Image module issue).

On the other hand, if there was yet some Drupal specific patch (besides JQuery
update) needed to fix #1 issue - four CVE identifiers should be allocated
(after my understanding).

Could you allocate them / if allocated already, let us know the particular
ids and which source code they were allocated for?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]