oss-security - RE: Re: CVE request: XSS in MantisBT

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <000a01d049cf$3899b600$a9cd2200$@mantisforge.org>
Date: Mon, 16 Feb 2015 09:59:13 -0000
From: "P Richards" <paul@...tisforge.org>
To: <oss-security@...ts.openwall.com>
Cc: <cve-assign@...re.org>
Subject: RE: Re: CVE request: XSS in MantisBT

As the initial discoverer of CVE-2014-8986, I can confirm that the commit in
e326b73a does not fix the issue reported in CVE-2014-8986.

The commit
https://github.com/mantisbt/mantisbt/commit/cabacdc291c251bfde0dc2a2c945c02c
ef41bf40 does fix CVE-2014-8986.

@mitre: The description @
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8986 is incorrect -
"MantisBT 1.2.13 through 1.2.17". The issue described in CVE-2014-8986 was
not fixed in either 1.2.18 or .1.2.19. How does one get the status of this
issue updated?

Thanks
Paul

-----Original Message-----
From: Damien Regad [mailto:dregad@...tisbt.org] 
Sent: 16 February 2015 09:53
To: oss-security@...ts.openwall.com
Subject: [oss-security] Re: CVE request: XSS in MantisBT

P Richards <paul@...> writes:

> 
> According to github
> https://github.com/mantisbt/mantisbt/commit/cabacdc2
> the fix referenced for CVE-2014-8986 has never been tagged to a 1.2.x 
> release.

It would help if you looked at the 1.2.x commit...

http://github.com/mantisbt/mantisbt/commit/e326b73a

$ git describe --contains e326b73a
release-1.2.18~27

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.