Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 16 Feb 2015 09:59:13 -0000
From: "P Richards" <paul@...tisforge.org>
To: <oss-security@...ts.openwall.com>
Cc: <cve-assign@...re.org>
Subject: RE: Re: CVE request: XSS in MantisBT

As the initial discoverer of CVE-2014-8986, I can confirm that the commit in
e326b73a does not fix the issue reported in CVE-2014-8986.

The commit
https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02c
ef41bf40 does fix CVE-2014-8986.

@mitre: The description @
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8986 is incorrect -
"MantisBT 1.2.13 through 1.2.17". The issue described in CVE-2014-8986 was
not fixed in either 1.2.18 or .1.2.19. How does one get the status of this
issue updated?

Thanks
Paul

-----Original Message-----
From: Damien Regad [mailto:dregad@...tisbt.org] 
Sent: 16 February 2015 09:53
To: oss-security@...ts.openwall.com
Subject: [oss-security] Re: CVE request: XSS in MantisBT

P Richards <paul@...> writes:

> 
> According to github
> https://github.com/mantisbt/mantisbt/commit/cabacdc2
> the fix referenced for CVE-2014-8986 has never been tagged to a 1.2.x 
> release.

It would help if you looked at the 1.2.x commit...

http://github.com/mantisbt/mantisbt/commit/e326b73a

$ git describe --contains e326b73a
release-1.2.18~27



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ