Date: Sun, 11 Jan 2015 12:00:55 -0500 (EST)
To: Damien Regad <>
Subject: Re: Re: CVE-2014-6316: URL redirection issue in

> During follow-up tests he performed on the fix for CVE-2014-6316 (which was 
> released in MantisBT 1.2.18), Alejo Popovici noticed [1] that the earlier fix 
> was only partial.
> With certain browsers (FF 34, Chrome 39 but not IE11) it is still possible to 
> effect a cross-domain redirection using a redirect address having a single 
> slash, e.g.
> - or
> -
> This is essentially the same vulnerability that was described in 
> CVE-2014-6316, but due to a different root cause (for which a patch will be 
> issued soon).
> I would like to know if I should be using the same CVE ID, or if a new one 
> needs to be issued.
> Thanks in advance.
> Damien Regad
> MantisBT Developer
> [1]

CVE creates separate identifiers if two bugs do not affect the same 
versions.  This can occur with incomplete fixes.  Since bug 17997 affects 
1.2.18 but CVE-2014-6316 does not, a separate CVE ID is used.

Use CVE-2015-1042.


CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
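The validation gap discussed above, as an added defensive example that is not MantisBT's code or anything from this thread: a return-path check that treats protocol-relative targets and their single-slash variants as unsafe. It assumes, as the message only hints, that the browser-specific variants involve a backslash after the leading slash, which Firefox and Chrome normalise to a second forward slash while IE does not.

```python
from urllib.parse import urlsplit

# Hypothetical fallback target; a real application would use its own landing page.
FALLBACK_PATH = "/"


def is_safe_return_path(target: str) -> bool:
    """Accept only a same-site, path-only redirect target.

    A single-slash check is not enough: browsers that treat '\\' as '/'
    turn '/\\host' or '\\/host' into the protocol-relative '//host', so the
    backslash must be normalised before the leading characters are examined.
    """
    if not target:
        return False
    # Tabs, newlines and other control characters are stripped by browsers
    # during URL parsing, so they must not be allowed to mask the prefix.
    if any(ord(c) < 0x21 for c in target):
        return False
    normalised = target.replace("\\", "/")
    # Must be a path (leading slash) and must not be protocol-relative.
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # Defence in depth: a scheme or host must never survive the checks above.
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_redirect_target(target: str) -> str:
    """Return the requested path if it is safe, otherwise the fallback."""
    return target if is_safe_return_path(target) else FALLBACK_PATH


if __name__ == "__main__":
    # Constructed sample inputs; 'evil.example' is a reserved example host.
    for candidate in ["/view.php?id=1", "//evil.example", "/\\evil.example",
                      "\\/evil.example", "http://evil.example/", "/\t/evil.example"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Applying the normalisation before the prefix check is what closes the browser-dependent gap the first fix left open.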
