Re: CVE request: lxr
Just to clarify, two XSS bugs were fixed with a single release (new
version 0.9.8), and then ten days later, an update was included to
resolve a third XSS bug. The original CVE was originally requested
for "multiple XSS vulnerabilities", but the description only covers
one of them.
On Mon, May 3, 2010 at 1:49 PM, Henri Salo <henri@...> wrote:
> On Mon, 3 May 2010 13:34:05 -0400 (EDT)
> Josh Bressers <bressers@...> wrote:
>> ----- "Henri Salo" <henri@...> wrote:
>> > On Mon, 3 May 2010 09:31:16 -0400
>> > Dan Rosenberg <dan.j.rosenberg@...> wrote:
>> > > I discovered and reported this bug at the same time as two other
>> > > XSS issues, including the one covered by CVE-2009-4497. While
>> > > the commit may be a few days apart for some of these, I think
>> > > they can safely fall under the same CVE, unless it's standard
>> > > practice to assign CVEs for each of several related minor issues.
>> > Several XSS-vulnerabilities can have one CVE at least when those
>> > vulnerabilities are fixed at the same time.
>> In this instance, I would assign it a new ID, as the old one already
>> exists and doesn't note both XSS fixes (it is possible someone fixed
>> just the one XSS and not both in an update).