oss-security January 2011 archive

Re: [oss-security] CVE requests: ftpls, xdigger, lbreakout2, calibre, typo3

From: Steven M. Christey <coley_at_nospam>
Date: Fri Jan 14 2011 - 17:47:59 GMT
To: Moritz Mühlenhoff <jmm@inutil.org>

On Fri, 14 Jan 2011, Moritz Mühlenhoff wrote:

> We're still missing CVE assignments for several issues from 2009.
> These have been requested on oss-security before, but couldn't be
> processed by Josh/Red Hat, since RH doesn't have 2009 IDs. As such,
> they need to be handled by MITRE:
> 1. Overkill (this should be a CVE-2009 ID)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549310

Use CVE-2009-5041

> 2. Emacs mode for reStructuredText (from DocUtils) (this should be a CVE-2009 ID)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560755

Use CVE-2009-5042

> 3. FireGPG (this should be a CVE-2008 ID)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386
> http://securityvulns.com/Udocument757.html

There are 2 CVEs needed:

CVE-2008-7272 - storage of cleartext/passphrase on disk
CVE-2008-7273 - symlink following

> 4. Burn (Homepage: http://www.bigpaul.org/burn/) (That's a CVE-2009 ID)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542329


> 5. pdfroff (from GNU groff) (That's a CVE-2009 ID)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/groff/groff-1.20.1-owl-tmp.diff


> 6. Jetty (That's a CVE-2009 ID)
> http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt

There are a number of CVEs to assign here.

>A) "Dump Servlet" information leak
> (Affected versions: Any)


>B) "FORM Authentication demo" information leak
> (Affected versions: Any)

No CVE assigned - ability to detect presence of a particular
application is not CVE-worthy unless the app's design intends to allow
it to be hidden.

>C) "JSP Dump" reflected XSS
> (Affected versions: Any)
>D) "Session Dump Servlet" stored XSS
> (Affected versions: Any)


>E) "Cookie Dump Servlet" escape sequence injection
> (Affected versions: Any)
>F) Http Content-Length header escape sequence injection
> (Affected versions: Any)


>G) "Cookie Dump Servlet" stored XSS
> (Affected versions: =<6.1.20)


>H) WebApp JSP Snoop page XSS
> (Affected versions: =<6.1.21)


> 7. Konversation (That's a CVE-2009 ID)
> http://bugs.kde.org/show_bug.cgi?id=219985