Solar Designer | 1 Dec 2011 01:11

Re: XSSer v1.6 -beta- aka "Grey Swarm!" released.

All -

On Thu, Dec 01, 2011 at 12:47:56AM +0100, psy wrote:
> A new version of *XSSer* (v1.6-beta-) - the cross site scripter
> framework - has been released.

We do not have a strict policy on whether security tool announcements
are appropriate in here or not.  My current stance on it is that
one-time announcements of tools with specific relevance to Open Source
are OK, whereas repeated new version announcements are not.  Thus, I
approved the announcement of XSSer this one time, but I don't intend to
approve an announcement of the next version of XSSer.  Please let me
know if you'd like this approach changed in some way.

Meanwhile, the various CFPs and e-magazine issue announcements that are
arriving to oss-security are being rejected - as we decided previously.

Alexander

Kurt Seifried | 1 Dec 2011 01:29

Re: XSSer v1.6 -beta- aka "Grey Swarm!" released.

On 11/30/2011 05:11 PM, Solar Designer wrote:

> All -
>
> On Thu, Dec 01, 2011 at 12:47:56AM +0100, psy wrote:
>> A new version of *XSSer* (v1.6-beta-) - the cross site scripter
>> framework - has been released.
> We do not have a strict policy on whether security tool announcements
> are appropriate in here or not.  My current stance on it is that
> one-time announcements of tools with specific relevance to Open Source
> are OK, whereas repeated new version announcements are not.  Thus, I
> approved the announcement of XSSer this one time, but I don't intend to
> approve an announcement of the next version of XSSer.  Please let me
> know if you'd like this approach changed in some way.
>
Agreed. Random thought: if a project makes a major
breakthrough/update/change, a once-a-year type of announcement is probably
sane too? I like hearing about new tools and definitely don't have time
to go through Google/etc any more =).

> Meanwhile, the various CFPs and e-magazine issue announcements that are
> arriving to oss-security are being rejected - as we decided previously.
>
+1

> Alexander
-- 
-Kurt Seifried / Red Hat Security Response Team

Henri Salo | 1 Dec 2011 01:39

Re: XSSer v1.6 -beta- aka "Grey Swarm!" released.

On Wed, Nov 30, 2011 at 05:29:55PM -0700, Kurt Seifried wrote:
> On 11/30/2011 05:11 PM, Solar Designer wrote:
> 
> > All -
> >
> > On Thu, Dec 01, 2011 at 12:47:56AM +0100, psy wrote:
> >> A new version of *XSSer* (v1.6-beta-) - the cross site scripter
> >> framework - has been released.
> > We do not have a strict policy on whether security tool announcements
> > are appropriate in here or not.  My current stance on it is that
> > one-time announcements of tools with specific relevance to Open Source
> > are OK, whereas repeated new version announcements are not.  Thus, I
> > approved the announcement of XSSer this one time, but I don't intend to
> > approve an announcement of the next version of XSSer.  Please let me
> > know if you'd like this approach changed in some way.
> >
> Agreed. Random thought: if a project makes a major
> breakthrough/update/change, a once-a-year type of announcement is probably
> sane too? I like hearing about new tools and definitely don't have time
> to go through Google/etc any more =).
> 
> 
> > Meanwhile, the various CFPs and e-magazine issue announcements that are
> > arriving to oss-security are being rejected - as we decided previously.
> >
> +1
> 
> > Alexander
> -- 
> -Kurt Seifried / Red Hat Security Response Team


Henri Salo | 1 Dec 2011 10:59

CVE-request: Serendipity 'serendipity[filter][bp.ALT]' Cross-Site Scripting vulnerability

Original post: http://seclists.org/bugtraq/2011/Nov/15
Advisory URL: http://www.rul3z.de/advisories/SSCHADV2011-015.txt
New version announcement: http://blog.s9y.org/archives/233-Serendipity-1.6-released.html

I contacted Garvin Hicking and he said this is indeed fixed in the 1.6 code, but they changed from SVN to Git, so I
can't really refer to a proper commit. Secunia is linking in http://secunia.com/advisories/46666/ to
https://github.com/s9y/Serendipity/commit/1f037b462761cd592b90541ce4dfda2518ad4711, which
has nothing to do with the actual issue. Shame on Secunia.

This is one of the logs, which can act as proof: https://github.com/s9y/Serendipity/commit/db590df6087969e5ef3b07b1b7040e7ec122a4fd

Please notify me if this is not enough information.

- Henri Salo

Henri Salo | 1 Dec 2011 11:16

Re: CVE-request: Serendipity 'serendipity[filter][bp.ALT]' Cross-Site Scripting vulnerability

On Thu, Dec 01, 2011 at 11:59:00AM +0200, Henri Salo wrote:
> Original post: http://seclists.org/bugtraq/2011/Nov/15
> Advisory URL: http://www.rul3z.de/advisories/SSCHADV2011-015.txt
> New version announcement: http://blog.s9y.org/archives/233-Serendipity-1.6-released.html
> 
> I contacted Garvin Hicking and he said this is indeed fixed in the 1.6 code, but they changed from SVN to Git, so I
> can't really refer to a proper commit. Secunia is linking in http://secunia.com/advisories/46666/ to
> https://github.com/s9y/Serendipity/commit/1f037b462761cd592b90541ce4dfda2518ad4711, which
> has nothing to do with the actual issue. Shame on Secunia.
> 
> This is one of the logs, which can act as proof: https://github.com/s9y/Serendipity/commit/db590df6087969e5ef3b07b1b7040e7ec122a4fd
> 
> Please notify me if this is not enough information.

These vulnerabilities also don't have CVE identifiers assigned or requested, if I have the correct information:

http://www.rul3z.de/advisories/SSCHADV2011-016.txt http://osvdb.org/show/osvdb/75777
http://www.rul3z.de/advisories/SSCHADV2011-017.txt http://osvdb.org/show/osvdb/76856

If my opinion counts, these XSS issues could be put under one CVE identifier. These have been verified by the
author of Serendipity.

- Henri Salo

Billy Brumley | 1 Dec 2011 11:42

CVE-2011-4354 OpenSSL 0.9.8g (32-bit builds) bug leaks ECC private keys

This issue is tracked by CVE-2011-4354. It is publicly disclosed.

Contributors
===========================
Billy Brumley <billy.brumley [at] aalto [dot] fi>
Manuel Barbosa <mbb [at] di.uminho [dot] pt>
Dan Page <page [at] cs.bris.ac [dot] uk>
Fre Vercauteren <fvercaut [at] esat.kuleuven.ac [dot] be>

Vulnerability description
===========================
The openssl-dev mailing list thread

http://marc.info/?t=119271238800004

describes a bug affecting 32-bit builds of OpenSSL 0.9.8g. In extremely 
rare instances, it causes incorrect computation of finite field operations 
when using NIST elliptic curves P-256 or P-384.

Exploiting said bug, we designed and implemented an attack that recovers a 
TLS server's private key. As far as we are aware, this is the first public 
exploitation of the bug.

The bug is fixed in OpenSSL >= 0.9.8h and a series of patches is available 
to resolve it for version 0.9.8g starting from check-in version 1.15 at

http://cvs.openssl.org/rlog?f=openssl%2Fcrypto%2Fbn%2Fbn_nist.c

As a more generic countermeasure to these types of attacks, we implemented 
coordinate blinding as a patch to the OpenSSL source, available on the 

Henri Salo | 1 Dec 2011 15:14

Re: CVE-request: Serendipity 'serendipity[filter][bp.ALT]' Cross-Site Scripting vulnerability

On Thu, Dec 01, 2011 at 02:13:16PM +0100, Secunia Research wrote:
> Henri,
> 
> The GIT commit referenced by the Secunia advisory [1] is the correct fix for
> this issue.
> 
> The fix removed a line in the code that displayed an unsanitised variable in
> one of the template files. This variable was inside a JavaScript comment
> block, but this does not prevent exploitation when the payload is prefixed
> with a </script> tag.
> 
> [1] https://github.com/s9y/Serendipity/commit/1f037b462761cd592b90541ce4dfda2518ad4711
> 
> --
> 
> Med venlig hilsen / Kind Regards,
>  
> Jon Butler
> Junior Security Specialist
>   
> Secunia
> Mikado House
> Rued Langgaardsvej 8
> 2300 Copenhagen S
> Denmark 
> 
> Phone +45 3338 5726
> 
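
The Secunia reply above makes a point worth seeing in code: a JavaScript comment is not a safe sink for untrusted input, because the HTML tokeniser ends a <script> element at the first "</script" it meets, whatever JavaScript syntax surrounds it. The following Python is an added example, not Serendipity's template or Secunia's code; the template, the '{filter}' placeholder and the probe value are constructed stand-ins, and render_fixed() mirrors the fix the reply describes (the echoing line removed) rather than the project's actual diff.

```python
import re

# Constructed stand-in for the template line the reply describes: a request
# parameter echoed, unsanitised, inside a JavaScript comment block. This is
# not Serendipity's real template; '{filter}' is a hypothetical placeholder.
TEMPLATE = (
    '<html><body>\n'
    '<script type="text/javascript">\n'
    '/* active filter: {filter} */\n'
    'var box = document.getElementById("entries");\n'
    '</script>\n'
    '<p id="entries">entries</p>\n'
    '</body></html>\n'
)

# A <script> body is raw text to the HTML tokeniser: it ends at the first
# "</script", no matter whether a JS comment or string surrounds that sequence.
SCRIPT_BODY = re.compile(r'<script[^>]*>.*?</script\s*>', re.S | re.I)


def render_vulnerable(value: str) -> str:
    """Pre-fix behaviour: the comment is trusted to neutralise the value."""
    return TEMPLATE.replace('{filter}', value)


def render_fixed(_value: str) -> str:
    """The fix the reply describes: the line that echoed the variable is removed."""
    return '\n'.join(l for l in TEMPLATE.split('\n') if '{filter}' not in l)


def render_script_safe(value: str) -> str:
    """If the value had to stay: escape for the script context by breaking "</".
    HTML entities are not decoded inside <script>, so html.escape() would keep
    the page intact but deliver a literal "&lt;" to the script."""
    return TEMPLATE.replace('{filter}', value.replace('</', '<\\/'))


def markup_outside_script(page: str) -> str:
    """What the browser parses as HTML once every script body is taken out."""
    return SCRIPT_BODY.sub('', page)


def value_reaches_html(value: str, page: str) -> bool:
    """Detection check: does any tag from the untrusted value land in HTML context?"""
    tags = [t for t in re.findall(r'<[^>]+>', value)
            if not t.lower().startswith('</script')]
    outside = markup_outside_script(page)
    return any(t in outside for t in tags)


# Constructed probe in the shape the reply describes (a </script> prefix),
# followed by an inert <b> element standing in for the injected markup.
PROBE = '</script><b>probe</b>'
```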

Kurt Seifried | 1 Dec 2011 18:12

Re: CVE-request: Serendipity 'serendipity[filter][bp.ALT]' Cross-Site Scripting vulnerability

On 12/01/2011 02:59 AM, Henri Salo wrote:
> Original post: http://seclists.org/bugtraq/2011/Nov/15
> Advisory URL: http://www.rul3z.de/advisories/SSCHADV2011-015.txt
> New version announcement: http://blog.s9y.org/archives/233-Serendipity-1.6-released.html
>
> I contacted Garvin Hicking and he said this is indeed fixed in the 1.6 code, but they changed from SVN to Git, so I
> can't really refer to a proper commit. Secunia is linking in http://secunia.com/advisories/46666/ to
> https://github.com/s9y/Serendipity/commit/1f037b462761cd592b90541ce4dfda2518ad4711, which
> has nothing to do with the actual issue. Shame on Secunia.
>
> This is one of the logs, which can act as proof: https://github.com/s9y/Serendipity/commit/db590df6087969e5ef3b07b1b7040e7ec122a4fd
>
> Please notify me if this is not enough information.
>
> - Henri Salo
Please use CVE-2011-4365 for this issue.

-- 
-Kurt Seifried / Red Hat Security Response Team

Kurt Seifried | 1 Dec 2011 18:14

Re: CVE-request: Serendipity 'serendipity[filter][bp.ALT]' Cross-Site Scripting vulnerability

On 12/01/2011 03:16 AM, Henri Salo wrote:
> On Thu, Dec 01, 2011 at 11:59:00AM +0200, Henri Salo wrote:
>> Original post: http://seclists.org/bugtraq/2011/Nov/15
>> Advisory URL: http://www.rul3z.de/advisories/SSCHADV2011-015.txt
>> New version announcement: http://blog.s9y.org/archives/233-Serendipity-1.6-released.html
>>
>> I contacted Garvin Hicking and he said this is indeed fixed in the 1.6 code, but they changed from SVN to Git, so I
>> can't really refer to a proper commit. Secunia is linking in http://secunia.com/advisories/46666/ to
>> https://github.com/s9y/Serendipity/commit/1f037b462761cd592b90541ce4dfda2518ad4711, which
>> has nothing to do with the actual issue. Shame on Secunia.
>>
>> This is one of the logs, which can act as proof: https://github.com/s9y/Serendipity/commit/db590df6087969e5ef3b07b1b7040e7ec122a4fd
>>
>> Please notify me if this is not enough information.
> These vulnerabilities also don't have CVE identifiers assigned or requested, if I have the correct information:
>
> http://www.rul3z.de/advisories/SSCHADV2011-016.txt http://osvdb.org/show/osvdb/75777
> http://www.rul3z.de/advisories/SSCHADV2011-017.txt http://osvdb.org/show/osvdb/76856
>
> If my opinion counts, these XSS issues could be put under one CVE identifier. These have been verified by the
> author of Serendipity.
>
> - Henri Salo
Merging these two, as the fix is to update Serendipity for both; the
plug-in appears to simply expose another avenue of attack, not create an
actual XSS as such.

Please use CVE-2011-4366 for this issue.

-- 

Kurt Seifried | 1 Dec 2011 21:24

Re: CVE-request: Serendipity 'serendipity[filter][bp.ALT]' Cross-Site Scripting vulnerability

On 12/01/2011 10:12 AM, Kurt Seifried wrote:
> On 12/01/2011 02:59 AM, Henri Salo wrote:
>> Original post: http://seclists.org/bugtraq/2011/Nov/15
>> Advisory URL: http://www.rul3z.de/advisories/SSCHADV2011-015.txt
>> New version announcement: http://blog.s9y.org/archives/233-Serendipity-1.6-released.html
>>
>> I contacted Garvin Hicking and he said this is indeed fixed in the 1.6 code, but they changed from SVN to Git, so I
>> can't really refer to a proper commit. Secunia is linking in http://secunia.com/advisories/46666/ to
>> https://github.com/s9y/Serendipity/commit/1f037b462761cd592b90541ce4dfda2518ad4711, which
>> has nothing to do with the actual issue. Shame on Secunia.
>>
>> This is one of the logs, which can act as proof: https://github.com/s9y/Serendipity/commit/db590df6087969e5ef3b07b1b7040e7ec122a4fd
>>
>> Please notify me if this is not enough information.
>>
>> - Henri Salo
> Please use CVE-2011-4365 for this issue.
>
My mistake, this should have been merged into CVE-2011-4090, it's the
same vuln type (XSS) and the same version of Serendipity, CVE-2011-4365
is a bad assignment and should be marked as a duplicate of CVE-2011-4090.

-- 
-Kurt Seifried / Red Hat Security Response Team
