Your message dated Thu, 02 Jan 2020 10:38:09 +1100
with message-id <1808859.EikRYtdFKE@deblab>
and subject line Re: Bug#904215: civicrm: CIVI-SA-2018-07: Remote Code 
Execution in Quickform
has caused the Debian Bug report #904215,
regarding civicrm: CVE-2018-1999022: CIVI-SA-2018-07: Remote code execution in 
QuickForm
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
904215: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904215
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: civicrm
Version: 4.7.30+dfsg-1
Severity: grave
Tags: security upstream
Control: fixed -1 5.3.1+dfsg-1

https://civicrm.org/advisory/civi-sa-2018-07-remote-code-execution-in-quickform

This is already fixed, so this bug is to track the issue in the BTS.
No CVEs seem to be assigned for the CIVI advisories.

Speaking of that, might you convince upstream to request CVE
identifiers when they plan to release a CiviCRM security advisory?

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Closing obsolete bug...

On Sunday, 22 July 2018 5:11:39 AM AEDT Salvatore Bonaccorso wrote:
> https://civicrm.org/advisory/civi-sa-2018-07-remote-code-execution-in-quickform
> 
> This is already fixed, so this bug is to track the issue in the BTS.
> No CVEs seem to be assigned for the CIVI advisories.

Maybe a CVE was assigned later? The URL above refers to CVE-2018-1999022.


> Speaking of that, might you convince upstream to request CVE
> identifiers when they plan to release a CiviCRM security advisory?

I can try but I'm not sure how to make a convincing case... Do you have 
good reasons to recommend or maybe a best practice document I could refer to?

Thanks.

-- 
All the best,
 Dmitry Smirnov.

---

Richard Nixon got kicked out of Washington for tapping one hotel suite.
Today we're tapping every American citizen in the country, and no one has
been put on trial for it or even investigated. We don't even have an
inquiry into it.
        -- Edward Snowden



--- End Message ---
