Message-ID: <20081020091652.5f6e358a@redhat.com>
Date: Mon, 20 Oct 2008 09:16:52 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: hoffie@...too.org, coley@...re.org
Subject: Re: CVE request: mantisbt < 1.1.4: RCE

On Sun, 19 Oct 2008 11:18:31 +0200 Christian Hoffmann
<hoffie@...too.org> wrote:

> has a CVE id been already assigned to the recent remote code execution
> issue in mantis < 1.1.4? If not, please do so.
> 
> References:
> http://www.mantisbt.org/bugs/view.php?id=0009704
> http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&r2=5678&pathrev=5679
> http://www.milw0rm.com/exploits/6768
> https://bugs.gentoo.org/show_bug.cgi?id=242722

There's actually at least one issue fixed in 1.1.3 that probably
deserves a CVE:

- 0009321: [security] Users can get title and status of issues that
they don't have access to. (vboctor) - closed.
  http://www.mantisbt.org/bugs/view.php?id=9321

Additionally, Gentoo bug:
  http://bugs.gentoo.org/show_bug.cgi?id=241940

points out another fix in 1.1.3:

- 0009664: [authentication] Logout without unsetting session cookie
(jreese) - closed.
  http://www.mantisbt.org/bugs/view.php?id=9664

Which seems to be on the edge between security fix and security
enhancement, not sure if this kind of fix gets CVE ids assigned.

Thanks!

-- 
Tomas Hoger / Red Hat Security Response Team
