Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20121113202432.309c5fe2@melee>
Date: Tue, 13 Nov 2012 20:24:32 +0000
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: kseifried@...hat.com
Subject: Re: CVE request: mantis before 1.2.12

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Tue, 13 Nov 2012 11:26:39 -0700
Kurt Seiifried <kseifried@...hat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 11/13/2012 07:52 AM, Hanno Böck wrote:
> > http://www.mantisbt.org/bugs/changelog_page.php?version_id=150
> > 
> > New mantis bugtracker release. Two fixes are security relevant 
> > (althouhg both sound minor)
> 
> Just to confirm I understand these issues:

I'm not really into the development and only made the request based on
the release changelog, but I think I agree for the second being an
information disclosure, the first seems to be more general a
"wrong permission"-issue, although the consequence is probably also
"just" an information disclosure.

- -- 
Hanno Böck		mail/jabber: hanno@...eck.de
GPG: BBB51E42		http://www.hboeck.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)

iQIcBAEBCAAGBQJQoqyDAAoJEKWIAHK7tR5C3Q0P/R4Doqli1gTdwwcu2UCJUYdg
yj3mDvg8aIDXcIYlF9eKsQgY5a4LpzPmlyWQg/5sF5HgNViQmqH9S8eDbpqRhpeb
j38HxyjekZ1qFBpW3KT3LpSI2BJKbdIESJLn+VhsBEFoRly+/b9GO8UoebQIkhIF
vvpap3kDSUSQJv0TLWZ3j82EcTyaOcn4JABOpIeAPvgyZK9tUPmcI/88XSnSZiHj
FOx4QYNAEiD6ryPQlJLxZdfe4+7jFIB5qaTuPuafuAr6NDLw7CST8WgFKDkhRbYD
yQJaMYvKKOpjA6pwID8cPeZL3FO9Ijukgt+gUFngiJy986z7CMGpaNFncg59YxBr
6c1ppUWYPPVIWRt2HFw3MLaqGydGtp9bc1s9Rb3TJgBc+6NYNYgIADN0V9uDL536
Of+3uVjtGIkEQwzrVq+EWPmfpoGF1e+t3cFyf+ISaCMabwQnqP2tCcBBpYa9MOFu
sxuvCBa4Vk0HRqgkS15m6L7PntaEL/iJZ0OSBke5lljouX/t8WmtSWzL/2AMEJ8d
CyDe1JQ7H8b6b2mY4hkuZYiTtrLe/GNusBXyWPQqzAYpRhzzMOGs1X830CJ1PSbJ
RpeA6m/V4V+xvib0hadvrEO5p0Cp8ZWVIZgFZQ9+nCQ8hajSHzOzJoEM8dDWNGuo
meG04rDUkMkU7Jch5F9v
=qj8K
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.