Date: Mon, 4 Jan 2016 16:47:57 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings

On 2016-01-03 18:03, cve-assign@...re.org wrote:
> In general, a vendor can choose to request a CVE ID for a
> vulnerability in beta software. This is unusual and (in cases of many
> other products) often not a good idea, but there is no absolute
> restriction on having a CVE ID.

The reason for requesting a CVE for a beta release is that this code has
been out there and used "in production" for several years, despite being
"beta" (the change was committed in Feb 2010).

> Use CVE-2014-9759 for the vulnerability caused by the
> master_crypto_salt spelling.

Thank you.

> There is no CVE ID for the general issue of "Implement a white list of
> options".

None was needed. The issue, as you correctly interpreted, is the
disclosure of the crypto salt.

>> Further details available in our issue tracker
>> https://mantisbt.org/bugs/view.php?id=20277
>
> It currently gives an "Access Denied." error.

Apologies, I forgot to make the issue public after releasing the patch.
It is available now.

https://github.com/mantisbt/mantisbt/commit/eb5623605