Message-ID: <loom.20141114T142435-20@post.gmane.org>
Date: Fri, 14 Nov 2014 13:36:11 +0000 (UTC)
From: Damien Regad <dregad@...tisbt.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access

Hanno Böck <hanno@...> writes:
> What's holding this up?

Just me doing this in my spare time, and not having much of that at the
moment, sorry...

> Makes me feel mantis isn't really handling security issues in a
> responsible way 

I resent your comment. We have released patches to the public for all
identified vulnerabilities, so from my perspective it's not like we're
leaving the community without a solution for known issues. 

I personally believe it's better (i.e. more "responsible") to disclose an
issue with a fix for it, thus allowing admins to patch their systems, rather
than hide the problem until we're ready to go live with a new release.

If you can't wait for 1.2.18 to come out, you are welcome to patch your
system manually. With regards to the XML plugin issues, you can also simply
deactivate it.

Best regards

D. Regad
MantisBT Developer
