Date: Mon, 4 Jan 2016 16:47:57 +0100
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings

On 2016-01-03 18:03, cve-assign@...re.org wrote:
> In general, a vendor can choose to request a CVE ID for a
> vulnerability in beta software. This is unusual and (in cases of many
> other products) often not a good idea, but there is no absolute
> restriction on having a CVE ID.

The reason for requesting a CVE for a beta release is that this code has 
been out there and used "in production" for several years, despite being 
"beta" (change was committed [1] in Feb 2010).

> Use CVE-2014-9759 for the vulnerability caused by the
> master_crypto_salt spelling.

Thank you.

> There is no CVE ID for the general issue of "Implement a white list of
> options".

None was needed. The issue, as you correctly interpreted, is the 
disclosure of the crypto salt.

>> Further details available in our issue tracker [3]
>> [3] https://mantisbt.org/bugs/view.php?id=20277
>
> It currently gives an "Access Denied." error.

Apologies, I forgot to make the issue public after releasing the patch. 
It is available now.


[1] https://github.com/mantisbt/mantisbt/commit/eb5623605
