Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 16 Dec 2010 08:58:34 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE request: MantisBT <=1.2.3 (db_type)
 Cross-Site Scripting & Path Disclosure Vulnerability

Please use CVE-2010-4348 for the XSS.
CVE-2010-4349 for the path disclosure.

Thanks.

-- 
    JB


----- "David Hicks" <hickseydr@...usnet.com.au> wrote:

> This is a CVE request for a vulnerability discovered in MantisBT
> <1.2.4
> by Gjoko Krstic of Zero Science Lab as per the following advisory:
> 
> http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
> 
> MantisBT 1.2.4 has been released to resolve this issue.
> 
> For distributions or users using MantisBT 1.1.x, the following patch
> can
> be applied:
> http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590
> 
> Please note that MantisBT 1.1.x is not recommended for use due to
> many
> security improvements and features implemented in MantisBT 1.2.x (but
> not backported to 1.1.x).
> 
> Detailed information about this vulnerability can be found in this
> bug
> report: http://www.mantisbt.org/bugs/view.php?id=12607
> 
> Regards,
> 
> David Hicks
> MantisBT Developer
> mantisbt.org, #mantishelp freenode

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.