Date: Mon, 20 Oct 2008 09:16:52 +0200
From: Tomas Hoger <>
Subject: Re: CVE request: mantisbt < 1.1.4: RCE

On Sun, 19 Oct 2008 11:18:31 +0200 Christian Hoffmann
<> wrote:

> has a CVE id been already assigned to the recent remote code execution
> issue in mantis < 1.1.4? If not, please do so.
> References:

There's actually at least one issue fixed in 1.1.3 that probably
deserves a CVE:

- 0009321: [security] Users can get title and status of issues that
they don't have access to. (vboctor) - closed.

Additionally, Gentoo bug:

points out another fix in 1.1.3:

- 0009664: [authentication] Logout without unsetting session cookie
(jreese) - closed.

Which seems to be on the edge between a security fix and a security
enhancement; not sure if this kind of fix gets CVE ids assigned.


Tomas Hoger / Red Hat Security Response Team
