CVE Request - SA-CORE-2013-001 (one JQuery X < 1.63 issue and two Drupal modules issues)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 17 Jan 2013 10:50:49 -0500 (EST)
Hello Kurt, Steve, Forest, Drupal Security Team, vendors,
@Forest: Apologies for requesting CVE ids instead of you,
but I will explain the reasons below shortly.
Drupal upstream has released Drupal 6.28 and Drupal 7.19 versions,
correcting multiple security flaws:
* Issue #1 - Cross-site scripting (Various core and contributed modules - Drupal 6 and 7)
* Issue #2 - Access bypass (Book module printer friendly version - Drupal 6 and 7)
* Issue #3 - Access bypass (Image module - Drupal 7)
as shipped within Drupal, the original XSS JQuery upstream report is here:
with a mention of the fix in the JQuery 1.6.3 version here:
After a further look, the same issue also needs to be fixed in drupal7-jquery_update:
and in the python-tw-jquery packages:
Also, the python-tw2-jquery package:
seems to ship various embedded versions of the jquery.js library implementation.
Since there might be more components / packages shipping the vulnerable
JQuery version, the first CVE identifier should be allocated to the original
@Drupal security team - could you clarify whether, to fix the first issue,
there was some other Drupal-specific patch / change (besides the
JQuery library update) which would require another (fourth) CVE
id to be allocated?
@Mitre CVE assignment team, could you clarify whether you have already
assigned CVE identifiers for these issues and, if so, for which source code
base they were assigned?
If Drupal upstream just updated the JQuery version to the non-vulnerable 1.6.3 [B], [C]
within Drupal core, then three ids are sufficient (one for JQuery, one for the
Drupal Book module issue, one for the Drupal Image module issue).
On the other hand, if some Drupal-specific patch (besides the JQuery
update) was needed to fix issue #1, four CVE identifiers should be allocated
(as I understand it).
Could you allocate them or, if they are allocated already, let us know the particular
ids and which source code they were allocated for?
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team