lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <50DC8A61.9060701@redhat.com>
Date: Thu, 27 Dec 2012 10:50:25 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: ftownes@...edge.com, full-disclosure@...ts.grok.org.uk,
	webappsec@...urityfocus.com
Subject: Re: Wordpress Remote Exploit - W3 Total Cache

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/24/2012 03:56 AM, Jason A. Donenfeld wrote:
> On Mon, Dec 24, 2012 at 7:39 AM, Jason A. Donenfeld
> <Jason@...c4.com> wrote:
>> realizing. I'm copying the author on this email, as he may want
>> to include a warning message where nieve folks like myself can
>> see it, or document these somewhere if they're not already, or at
>> least apply the two .htaccess tweaks mentioned above.
> 
> I thought it might be worth amending to the list that I've just had
> a long phone conversation with the author of the vulnerable code,
> and we discussed several different solutions to solving the
> likelihood of a user's misconfiguration as well as mitigating the
> potential damage that could be caused by it. The author said he
> intends to release a fix soon.

Does this need a CVE identifier? If so please see
http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

and send the request to oss-security@...ts.openwall.com so there is a
public record of it and I will assign a CVE(s) as appropriate. Thank you.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBAgAGBQJQ3IphAAoJEBYNRVNeJnmTqhwP/j7EwgwzPfe1lTEZ9gVMGOID
IT2YLBXmyXefrsCLqPh61oI84G0tQHK00zodkPZ0uXPEhoRdPEFo1OcrlFmtzVGb
jat0B3JUn5GH+7GaC9oFetWQJPu6gaW2Jo3kspIUQSQtCYCzBbkTjXk1fDJil7Xx
WwHMABoy1QPMc+XMPoiXAQ/sdhIoddJgKCy+InEI2sPgIxkSjYT77lfKBh5DQpj6
afdxLkGO8azCeHDdAQ3GgkivVXPgxy6jhhK/bvudf5qhXUchb+AkUjhrjYafkCB+
Df8pqkU9qkOUG75Rcp9ocL7AUiw9A3Dc2L4ZE/Z2Wsp9kZ4EMaBZL5+OcwIzWBvW
EnCupoeo7WtjYXskGSRKplXuwtSsJc8XcKnqw60YP1tuQLXa1NJlhY6btYsOkKe6
J4V5E3scKMBns9pLEQJUI+I7kf+nJl+5sL3Ci1bGAZGTHY3i26RZWFbWWp9ywxUI
jNImJEKbHgvhKsfNneE+Yryiy+aSHMNUlomRM6Np6wsS6SpJJsCxp94h5Y+/pcFo
C7+N1c9JqZbum64zqfCTxjX/smgcwZHF882f+H/9O7MOVV5vk0vBo0yfYwU8L8fS
EwKkj5ZUrmoRh/oh+6ravkI2R3/0eijza4WXiBeaJJLsBHPmTMOu/hOU71WTTBzz
mezA8ZLisITzfhCevOJl
=831H
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ