Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 14 Nov 2012 00:18:20 -0700
From: Kurt Seiifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: mantis before 1.2.12

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/13/2012 11:26 AM, Kurt Seiifried wrote:
> On 11/13/2012 07:52 AM, Hanno Böck wrote:
>> http://www.mantisbt.org/bugs/changelog_page.php?version_id=150
> 
>> New mantis bugtracker release. Two fixes are security relevant 
>> (althouhg both sound minor)
> 
> Just to confirm I understand these issues:
> 
>> - 0014496: [security] Workflow Transitions: Minimal Access Level 
>> to Change to this status has no correct 'default' (dregad) - 
>> resolved. http://www.mantisbt.org/bugs/view.php?id=14496
> 
> This is an information disclosure: "Consequently, saving the page 
> without changes would cause the config to be saved with all access 
> levels as 'viewer'."

Please use CVE-2012-5522 for this issue.

>> - 0014704: [security] Clone and Move issue with Copy bug notes - 
>> user get email notice from project without access (dregad) - 
>> closed. http://www.mantisbt.org/bugs/view.php?id=14704
> 
> Also an information disclosure: Now any action on IssueB eg. add 
> notes, change status causes send email notice to UserA from
> IssueB. UserA don't have access to IssueB by can read whole history
> and any notes from email body.

Please use CVE-2012-5523 for this issue.

>> Please assign CVEs.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQo0W8AAoJEBYNRVNeJnmTdo8P/1/xNKJVKTk4tQDOy0rkquxW
oyxuCZT4jioFksYzX5buyqofInlBNNZIz95e8ksg2ppX/KflIv+pz+rkPZGrn99T
miUGId9RKKIBwxI6IPqBLx0D1gC9iZDfEL1j47c/mCoJRgdIKCB+wd1ocG5dTcSD
IuC5DmRF2lfdfKIaodGDOBZGNSKLev9HR8tzeSduAOZ1qzKFZYp9VuwDz0obtYvY
MR5wHYn5cBcSJH7ZtJ7sY2C4Ks1jAqm8fEcY+5GV03OVAlTAN46k6YAX94aIFShX
LQl15PI1xzrAKKs4QEWPmdIlv4aDzaKt3jr1bG5exIR7khnMSR0zxwvu1+AvrZml
VgAUbYcExeHjtod3OzadKqKrHDvfOJJM74N5G3LD1zqA/epGF2O4Mz5SSs8buFkr
K538HQ+gmPy4NfrJvKHE2zFrZIPF9CsNpPR/pj2WHyIWiej0b+R8p4TzaYv3Kqa3
xvu9WI6heUK1RJ1ulSeSgE4HV7CEQEyzky8ztMthoAyYIuTzHkcAIcT5I4UsNXpE
HpBTrMKzZUaBGVzor0pm8w/gwMmbwHtetR6IBpnPMnqxO/1frK0vyurh/E4kyXii
dAdpNRWRJcxq3m846F1HjfMfEqmid0lAbMiA/MRK+hzEUIttekBPfpgR1UU3RoIy
jllL9pXbpUujAWyFoLW+
=kIyP
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ