I can also reproduce it, with Firefox only, on versions 2.6.3 and 2.7-dev.

-- Philippe

2014-07-08 16:41 GMT+02:00 Nicolas <[email protected]>:

> I can reproduce it too, but only with the blue panda! :-)
>
> 2014-07-08 16:40 GMT+02:00 Julien Wajsberg <[email protected]>:
>
>> I can reproduce it on my blog (which isn't running the latest version, though)
>>
>> On 8 July 2014 16:26, Franck Paul <[email protected]> wrote:
>>
>> > JPCERT97966327
>> >
>> > 2014-07-08 16:22 GMT+02:00 Julien Wajsberg <[email protected]>:
>> >
>> > > we need the password :)
>> > >
>> > > On 8 July 2014 16:04, Dotclear (contact) <[email protected]> wrote:
>> > >
>> > > > The archive that details pretty much everything:
>> > > > https://dl.dropboxusercontent.com/u/58521/JVN61637002_report.zip
>> > > >
>> > > > 2014-07-08 15:08 GMT+02:00 Dotclear (contact) <[email protected]>:
>> > > >
>> > > > > Hi folks,
>> > > > >
>> > > > > This morning we received a report about an XSS vulnerability (see below,
>> > > > > the archive password is JPCERT97966327), but I can't reproduce it.
>> > > > > Can someone take a look on their side?
>> > > > >
>> > > > > Franck
>> > > > >
>> > > > > ---------- Forwarded message ----------
>> > > > > From: JPCERT/CC <[email protected]>
>> > > > > Date: 2014-07-08 4:36 GMT+02:00
>> > > > > Subject: Re: Inquiry on vulnerability found in Dotclear 2.6.3 VN: JVN#61637002 / TN: JPCERT#97966327
>> > > > > To: Dotclear Development Team <[email protected]>
>> > > > >
>> > > > > Hello xave @ the Dotclear Team,
>> > > > >
>> > > > > We have received a vulnerability report for one of your products:
>> > > > >
>> > > > > - Dotclear 2.6.3 vulnerable to cross-site scripting
>> > > > >
>> > > > > I have attached the details of the reported vulnerability to this email.
>> > > > > The password for the zip file will be sent in a separate email.
>> > > > > The original report was against version 2.6.2, but the issue was also
>> > > > > verified to still exist in 2.6.3. Please see the report for more details.
>> > > > >
>> > > > > Please take a look at the report and return to us with the information
>> > > > > such as;
>> > > > > -validate the products, and whether the reported vulnerability is
>> > > > > confirmed or not
>> > > > > -solutions (e.g., patch or module update)
>> > > > > -workarounds if any
>> > > > > -estimated time for creation of fixes
>> > > > > -preferable date for public release on your site
>> > > > > *we will also publish an advisory for this issue on our vulnerability
>> > > > > knowledge base, JVN, http://jvn.jp, http://jvn.jp/en/,
>> > > > > synchronizing with your release schedule.
>> > > > >
>> > > > > **Caution**
>> > > > > We have assigned the tracking number for this vulnerability issue;
>> > > > > [VN: JVN#61637002 / TN: JPCERT#97966327]
>> > > > > Please be sure to include these numbers in the subject line for
>> > > > > future communication with us. We appreciate your cooperation on this.
>> > > > >
>> > > > > If you have any questions and concerns, please do not hesitate to
>> > > > > contact us any time.
>> > > > >
>> > > > > Thank you in advance for your attention on this matter.
>> > > > > We are looking forward to hearing from you.
>> > > > >
>> > > > > Sincerely yours,
>> > > > >
>> > > > > Takayuki Uchiyama
>> > > > > JPCERT/CC Vulnerability Handling Team
>> > > > >
>> > > > > > Hello,
>> > > > > >
>> > > > > > Please be aware that Dotclear 2.6.2 is not the latest version: v2.6.3
>> > > > > > was released in May to patch vulnerabilities found in 2.6.2 (listed at
>> > > > > > http://www.cvedetails.com/vulnerability-list/vendor_id-3572/Dotclear.html
>> > > > > > )
>> > > > > >
>> > > > > > If the vulnerabilities you found are not the one listed and still
>> > > > > > exist in 2.6.3, please send any information to [email protected]
>> > > > > > where you'll reach several members of the team (we do not use a GPG
>> > > > > > key).
>> > > > > >
>> > > > > > xave, for the Dotclear Team.
>> > > > > >
>> > > > > > On Wed, Jun 25, 2014 at 5:10 AM, JPCERT/CC <[email protected]> wrote:
>> > > > > > > To whom it may concern,
>> > > > > > >
>> > > > > > > Hello. This is Noriko Takahashi from JPCERT/CC Vulnerability
>> > > > > > > Handling Team. Please excuse the sudden contact.
>> > > > > > >
>> > > > > > > If you're not familiar with us or our activities, please
>> > > > > > > check the following websites for more information.
>> > > > > > >
>> > > > > > > http://www.jpcert.or.jp/english/
>> > > > > > > http://www.jpcert.or.jp/english/vh/project.html
>> > > > > > > http://www.meti.go.jp/english/information/data/IT-policy/securityl.htm
>> > > > > > > http://jvn.jp/en/
>> > > > > > >
>> > > > > > > We have received a report of a vulnerability found in the
>> > > > > > > product "Dotclear 2.6.2" from a researcher/user here in Japan
>> > > > > > > under the vulnerability handling framework called "Information
>> > > > > > > Security Early Warning Partnership" and the official announcement
>> > > > > > > #235 "Software Vulnerability Related Information Handling Measures"
>> > > > > > > which were designed by Ministry of Economy, Trade and Industry (METI),
>> > > > > > > a Japanese cabinet.
>> > > > > > >
>> > > > > > > From the website
>> > > > > > > http://dotclear.org/contact
>> > > > > > > we found this email address. We would like to coordinate with you
>> > > > > > > to solve the reported vulnerability, and your cooperation would be
>> > > > > > > greatly appreciated.
>> > > > > > >
>> > > > > > > Before we provide you the details of the reported vulnerability,
>> > > > > > > we would like to know the appropriate point-of-contact person,
>> > > > > > > or department/group/team to communicate in regards to this issue.
>> > > > > > > It would be greatly appreciated if you could provide us the below
>> > > > > > > information at your earliest convenience.
>> > > > > > > -Name of the person/team who is in charge of such issues
>> > > > > > > -Email address
>> > > > > > > -PGP key if available
>> > > > > > >
>> > > > > > > Once we receive your reply and point-of-contact information,
>> > > > > > > we will then send you the original vulnerability report and the
>> > > > > > > details either in a PGP encrypted message or in a password protected
>> > > > > > > zip file.
>> > > > > > >
>> > > > > > > If you have any questions or concerns, please do not hesitate
>> > > > > > > to contact us any time.
>> > > > > > >
>> > > > > > > Thank you in advance for your attention to this email.
>> > > > > > > We would very much appreciate your prompt reply.
>> > > > > > >
>> > > > > > > Sincerely yours,
>> > > > > > >
>> > > > > > > Noriko Takahashi
>> > > > > > > Leader of Vulnerability Handling Team
>> > > > > > > Information Coordination Group
>> > > > > ======================================================================
>> > > > > JPCERT Coordination Center (JPCERT/CC)
>> > > > > TEL: +81-3-3518-4600 FAX: +81-3-3518-4602 EMAIL: [email protected]
>> > > > > PGP key: 0x33E6021D: B9 E8 68 35 2D 39 19 29 63 89 52 D4 F8 8D 50 FC
>> > > > > https://www.jpcert.or.jp/english http://jvn.jp/en/ http://jvn.jp
>> > > > >
>> > > > > --
>> > > > > Dotclear Team
>> > > >
>> > > > --
>> > > > Dotclear Team
>> > > > --
>> > > > Dev mailing list - [email protected] - http://ml.dotclear.org/listinfo/dev
>> >
>> > --
>> > Franck
