| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0901150641440.28002@forced.attrition.org> Date: Thu, 15 Jan 2009 06:46:51 +0000 (UTC) From: security curmudgeon <jericho@...rition.org> To: bugtraq@...urityfocus.com Cc: secalert_us@...cle.com, CVE <cve@...re.org> Subject: Re: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server login.php Command Injection Vulnerability iDefense, CVE or Oracle; The two iDefense advisories present a bit of confusion over the CVE assignments and number of vulnerabilities. There appear to be two vulnerabilities (login.php and common.php) that may have 3 CVE numbers assigned. Could anyone clarify? First advisory, mail list post and original jibe suggesting common.php issue is CVE-2008-5449: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server login.php Command Injection Vulnerability http://archives.neohapsis.com/archives/bugtraq/2009-01/0111.html The vulnerability is in a function of common.php which is called from the login.php page. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-5449 to this issue. Oracle Secure Backup Administration Server login.php Command Injection Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=769 The vulnerability is in a function of common.php which is called from the login.php page. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-5449 to this issue. Second advisory, mail list post and original do not match, mentioning CVE-2008-4006 and then CVE-2008-5448 for what appear to be login.php and common.php. This implies that common.php may have had two CVE assigned: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server login.php Command Injection Vulnerability http://archives.neohapsis.com/archives/bugtraq/2009-01/0110.html The first vulnerability is in "php/login.php". The second vulnerability is in "php/common.php". The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4006 to this issue. Oracle Secure Backup Administration Server login.php Command Injection Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=768 The first vulnerability is in "php/login.php". The second vulnerability is in "php/common.php". The Common Vulnerabilities and Exposures (CVE) project has assigned the names CVE-2008-4006 and CVE-2008-5448 to this issue. Any clarification would be appreciated.
Powered by blists - more mailing lists