Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 16 Feb 2015 09:59:13 -0000
From: "P Richards" <>
To: <>
Cc: <>
Subject: RE: Re: CVE request: XSS in MantisBT

As the initial discoverer of CVE-2014-8986, I can confirm that the commit in
e326b73a does not fix the issue reported in CVE-2014-8986.

The commit
ef41bf40 does fix CVE-2014-8986.

@mitre: The description @ is incorrect -
"MantisBT 1.2.13 through 1.2.17". The issue described in CVE-2014-8986 was
not fixed in either 1.2.18 or .1.2.19. How does one get the status of this
issue updated?


-----Original Message-----
From: Damien Regad [] 
Sent: 16 February 2015 09:53
Subject: [oss-security] Re: CVE request: XSS in MantisBT

P Richards <paul@...> writes:

> According to github
> the fix referenced for CVE-2014-8986 has never been tagged to a 1.2.x 
> release.

It would help if you looked at the 1.2.x commit...

$ git describe --contains e326b73a

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.