Date: Sun,  3 Jan 2016 12:03:46 -0500 (EST)
From: cve-assign@...re.org
To: dregad@...tisbt.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings

> This was the case with the MantisBT master cryptographic salt
> (crypto_master_salt): it was incorrectly spelt.
> 
> Affected versions:
>  >= 1.3.0-beta.1
> 
> Fixed in versions:
> 1.3.0 (not yet released), possibly 1.3.0-rc.2 if we decide we need
> another release candidate before that.


>> http://sourceforge.net/p/mantisbt/mailman/message/32948048/
>> 2014-10-19
>> - case 'master_crypto_salt':
>> + case 'crypto_master_salt':
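Review bot: the one-character correction to the `case` label fixes the option name, but the construct that failed is a blacklist matched by exact string, where a misspelt entry silently leaves the option it was meant to protect exposed (crypto_master_salt here). Consider adding a regression test asserting that the SOAP configuration call refuses `crypto_master_salt`, and, as the later text already proposes, switching to a whitelist of options that may be read, so a typo fails closed instead of open.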

In general, a vendor can choose to request a CVE ID for a
vulnerability in beta software. This is unusual and (in cases of many
other products) often not a good idea, but there is no absolute
restriction on having a CVE ID. In this case, the 1.3 development code
in question was apparently noted in 2014.

Use CVE-2014-9759 for the vulnerability caused by the
master_crypto_salt spelling.

There is no CVE ID for the general issue of "Implement a white list of
options ... This is a safer approach than the previous blacklist
method," which seems to be a pre-release design change, not
specifically a vulnerability fix on its own.

> Further details available in our issue tracker [3]
> [3] https://mantisbt.org/bugs/view.php?id=20277

It currently gives an "Access Denied." error.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
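As an added illustration of the failure mode discussed in this thread (not MantisBT's own code; option names and values are constructed), a denylist keyed on exact option names fails open when one entry is misspelt, an allowlist fails closed, and a consistency check flags the dangling entry:

```python
# Added example: exact-name denylist vs allowlist for a config-read API.
# Not MantisBT's code; the configuration table below is constructed.

# Constructed configuration table, as a remote config-read API might see it.
CONFIG = {
    "allow_signup": True,
    "default_language": "english",
    "crypto_master_salt": "constructed-salt-value",
    "database_password": "constructed-db-password",
}

# Denylist with the same kind of misspelling as the original bug:
# the entry is meant to protect crypto_master_salt but does not match it.
DENYLIST_WITH_TYPO = {"master_crypto_salt", "database_password"}

# Allowlist of options that a remote caller may legitimately read.
ALLOWLIST = {"allow_signup", "default_language"}


def config_get_denylist(name, denylist=DENYLIST_WITH_TYPO):
    """Deny-by-name: anything not listed is returned, so a typo fails open."""
    if name in denylist:
        raise PermissionError(f"access denied: {name}")
    return CONFIG[name]


def config_get_allowlist(name, allowlist=ALLOWLIST):
    """Allow-by-name: only listed options are returned, so a typo fails closed."""
    if name not in allowlist:
        raise PermissionError(f"access denied: {name}")
    return CONFIG[name]


def dangling_entries(names, known=CONFIG):
    """List entries that match no known option name, i.e. likely typos."""
    return {n for n in names if n not in known}


def is_readable(getter, name):
    """True if the getter returns a value, False if it refuses access."""
    try:
        getter(name)
        return True
    except PermissionError:
        return False
```

Running `dangling_entries` over the deny/allow list in a unit test is the cheap check that would have caught the misspelt entry before release.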