Message-Id: <20160103170346.0AA4933213E@smtpvbsrv1.mitre.org>
Date: Sun, 3 Jan 2016 12:03:46 -0500 (EST)
From: cve-assign@...re.org
To: dregad@...tisbt.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: MantisBT SOAP API can be used to disclose confidential settings

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> This was the case with the MantisBT master cryptographic salt
> (crypto_master_salt): it was incorrectly spelt.
>
> Affected versions:
> >= 1.3.0-beta.1
>
> Fixed in versions:
> 1.3.0 (not yet released), possibly 1.3.0-rc.2 if we decide we need
> another release candidate before that.

>> http://sourceforge.net/p/mantisbt/mailman/message/32948048/
>> 2014-10-19
>> -        case 'master_crypto_salt':
>> +        case 'crypto_master_salt':

In general, a vendor can choose to request a CVE ID for a vulnerability
in beta software. This is unusual and (in cases of many other products)
often not a good idea, but there is no absolute restriction on having a
CVE ID. In this case, the 1.3 development code in question was
apparently noted in 2014.

Use CVE-2014-9759 for the vulnerability caused by the master_crypto_salt
spelling.

There is no CVE ID for the general issue of "Implement a white list of
options ... This is a safer approach than the previous blacklist
method," which seems to be a pre-release design change, not specifically
a vulnerability fix on its own.

> Further details available in our issue tracker [3]
> [3] https://mantisbt.org/bugs/view.php?id=20277

It currently gives an "Access Denied." error.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWiVOFAAoJEL54rhJi8gl58iIQALSkEnUs34DR9JM6DQUfTTS6
VePVAgUo25rpfQkqL7HpsuWEo/L4nYw7E9PCI7P0yHMmOH5O1uY1cucA5PEsukXK
FaPjLZU0GHtbSAG1ioaincMVJ8W+YidMJyUNGrxLRnL3W+bjE63HZLNNiswSuUFK
NTKrzOZtSHRDVRKbdvak3pVvKQ5MXPwM6BRYVZBK5UetaOkKLkQJMH3RjGkyl9AM
yhtIF3XEKNXrIoVtLRka9/OabS1FG9ULE6oL8jqA2S8jL0D0ABo8QOYC2rH3wR3Z
8CaJig5h8ximZIvA0Cg5xSiIQMhk3En7W3QSB1kyAAkrviz0H2f1XJenyifXMkM6
IfXw0d5k9KSglJxpxd/VYBmZhz7rCWwa/0f5vnSpL278u6Sxccfh36EdBmoASs4X
BAjdaEkGZJpoa+KGFKx7lGfSHMMvVGdM8j0ybaDEzruSL/0C8w4OZZxmE4Abbbu7
3Nt1Pmq7YDVWNA6RxXwxp8C32hpxMLhNjNYzsgEZ8lBB2Og3vjSydY2FAav0Zsb+
buyYkSqPqlnUJTMW0nYWnhXRfSOq0H1ndsdpAiSIvRKM28sDjIJnRyIe6QhN+h/u
bF4wu44H2pOqtT69k6wJ7kW/CznpxBdwGcC+jKZKAQT9dXszQdaBrCv5kOGpDRK1
v0DW5xesLDZMu/sbqrLk
=r4cR
-----END PGP SIGNATURE-----
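The thread above describes a deny-list of "private" config options in which one entry, the master salt, was misspelt, so the real key was never filtered and the API handed it out; the project's later change to a white list of public options is the structural fix. The following is an added example, not MantisBT's code: the configuration keys, the two getter functions and the audit helper are constructed for illustration, and only the names crypto_master_salt and its misspelling master_crypto_salt come from the message. It shows both approaches side by side, and an audit that catches the typo by listing deny-list entries that match no real option.

```python
"""
Added example (not MantisBT code): a deny-list of private settings fails
open on a typo, an allow-list of public settings fails closed.
All keys and values below are constructed sample data.
"""

# Constructed sample configuration mixing harmless and secret settings.
CONFIG = {
    "default_language": "english",
    "allow_anonymous_login": False,
    "crypto_master_salt": "EXAMPLE-SALT-NOT-REAL",
    "database_password": "EXAMPLE-DB-PASSWORD-NOT-REAL",
}

# Deny-list approach: every key NOT listed here is returned to callers.
# The misspelt entry mirrors the switch case quoted in the thread; it
# matches no real key, so the real salt is never filtered out.
PRIVATE_OPTIONS_DENYLIST = {"master_crypto_salt", "database_password"}

# Allow-list approach: only keys listed here may ever be returned.
PUBLIC_OPTIONS_ALLOWLIST = {"default_language", "allow_anonymous_login"}

# Settings that must never leave the server (used by the leak check).
SECRETS = ("crypto_master_salt", "database_password")


def get_config_denylist(option):
    """Return a setting unless its name is on the deny-list (fails open)."""
    if option in PRIVATE_OPTIONS_DENYLIST:
        raise PermissionError(f"{option} is private")
    return CONFIG[option]


def get_config_allowlist(option):
    """Return a setting only if its name is on the allow-list (fails closed)."""
    if option not in PUBLIC_OPTIONS_ALLOWLIST:
        raise PermissionError(f"{option} is not a public option")
    return CONFIG[option]


def leaked_secrets(getter, secrets=SECRETS):
    """Ask the getter for each secret and report which ones it hands back."""
    leaked = []
    for name in secrets:
        try:
            getter(name)
        except PermissionError:
            continue
        leaked.append(name)
    return leaked


def unmatched_denylist_entries(denylist=PRIVATE_OPTIONS_DENYLIST, config=CONFIG):
    """Deny-list entries naming no real option: typos that silently fail open.

    Running this in the test suite would have flagged the misspelling
    before the setting could be disclosed.
    """
    return sorted(name for name in denylist if name not in config)


if __name__ == "__main__":
    print("deny-list leaks  :", leaked_secrets(get_config_denylist))
    print("allow-list leaks :", leaked_secrets(get_config_allowlist))
    print("dead deny entries:", unmatched_denylist_entries())
```

The deny-list getter returns the salt because nothing in the list matches its real name, while the allow-list getter refuses everything it was not explicitly told is public, so a typo there at worst hides a harmless option rather than exposing a secret. The audit helper is the cheap regression check to pair with any deny-list that cannot be replaced outright.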