Open Source and information security mailing list archives
Message-ID: <50DC8A61.9060701@redhat.com>
Date: Thu, 27 Dec 2012 10:50:25 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: ftownes@...edge.com, full-disclosure@...ts.grok.org.uk, webappsec@...urityfocus.com
Subject: Re: Wordpress Remote Exploit - W3 Total Cache

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/24/2012 03:56 AM, Jason A. Donenfeld wrote:
> On Mon, Dec 24, 2012 at 7:39 AM, Jason A. Donenfeld
> <Jason@...c4.com> wrote:
>> realizing. I'm copying the author on this email, as he may want
>> to include a warning message where naive folks like myself can
>> see it, or document these somewhere if they're not already, or at
>> least apply the two .htaccess tweaks mentioned above.
>
> I thought it might be worth amending to the list that I've just had
> a long phone conversation with the author of the vulnerable code,
> and we discussed several different solutions to solving the
> likelihood of a user's misconfiguration as well as mitigating the
> potential damage that could be caused by it. The author said he
> intends to release a fix soon.

Does this need a CVE identifier? If so, please see
http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
and send the request to oss-security@...ts.openwall.com so there is a
public record of it and I will assign a CVE(s) as appropriate.

Thank you.

- -- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJQ3IphAAoJEBYNRVNeJnmTqhwP/j7EwgwzPfe1lTEZ9gVMGOID
IT2YLBXmyXefrsCLqPh61oI84G0tQHK00zodkPZ0uXPEhoRdPEFo1OcrlFmtzVGb
jat0B3JUn5GH+7GaC9oFetWQJPu6gaW2Jo3kspIUQSQtCYCzBbkTjXk1fDJil7Xx
WwHMABoy1QPMc+XMPoiXAQ/sdhIoddJgKCy+InEI2sPgIxkSjYT77lfKBh5DQpj6
afdxLkGO8azCeHDdAQ3GgkivVXPgxy6jhhK/bvudf5qhXUchb+AkUjhrjYafkCB+
Df8pqkU9qkOUG75Rcp9ocL7AUiw9A3Dc2L4ZE/Z2Wsp9kZ4EMaBZL5+OcwIzWBvW
EnCupoeo7WtjYXskGSRKplXuwtSsJc8XcKnqw60YP1tuQLXa1NJlhY6btYsOkKe6
J4V5E3scKMBns9pLEQJUI+I7kf+nJl+5sL3Ci1bGAZGTHY3i26RZWFbWWp9ywxUI
jNImJEKbHgvhKsfNneE+Yryiy+aSHMNUlomRM6Np6wsS6SpJJsCxp94h5Y+/pcFo
C7+N1c9JqZbum64zqfCTxjX/smgcwZHF882f+H/9O7MOVV5vk0vBo0yfYwU8L8fS
EwKkj5ZUrmoRh/oh+6ravkI2R3/0eijza4WXiBeaJJLsBHPmTMOu/hOU71WTTBzz
mezA8ZLisITzfhCevOJl
=831H
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/