Date: Fri, 14 Nov 2014 13:36:11 +0000 (UTC) From: Damien Regad <dregad@...tisbt.org> To: oss-security@...ts.openwall.com Subject: Re: CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access Hanno Böck <hanno@...> writes: > What's holding this up? Just me doing this in my spare time, and not having much of that at the moment, sorry... > Makes me feel mantis isn't really handling security issues in a > responsible way I resent your comment. We have released patches to the public for all identified vulnerabilities, so from my perspective it's not like we're leaving the community without a solution for known issues. I personally believe it's better (i.e. more "responsible") to disclose an issue with a fix for it, thus allowing admins to patch their systems, rather than hide the problem until we're ready to go live with a new release. If you can't wait for 1.2.18 to come out, you are welcome to patch your system manually. With regards to the XML plugin issues, you can also simply deactivate it. Best regards D. Regad MantisBT Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.