List:       oss-security
Subject:    Re: [oss-security] CVE request: MantisBT <1.2.7 search.php multiple
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-08-19 19:40:23
Message-ID: 1476048552.143760.1313782823697.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2011-2938 for the multiple XSS issues.

Thanks.

-- 
    JB


----- Original Message -----
> Original vulnerability report by Net.Edit0r (Net.Edit0r@Att.net) from
> BlACK Hat Group [http://black-hg.org] is available at:
> http://packetstormsecurity.org/files/104149
> 
> MantisBT bug report for full details of the issue:
> http://www.mantisbt.org/bugs/view.php?id=13245
> 
> Please note that the second SQL injection vulnerability identified by
> Net.Edit0r is not reproducible (refer to the MantisBT bug report above
> for reasons why).
> 
> A patch for 1.2.6 is available at:
> https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b
> 
> MantisBT 1.2.7 is currently being packaged and will be available shortly
> through usual channels for distributions and standalone users to pick up.
> 
> Bug reports cross-posted elsewhere:
> Gentoo: https://bugs.gentoo.org/show_bug.cgi?id=379739
> Fedora/Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=731777
> Debian: Submitted (queued)
> Ubuntu: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/828857
> 
> Thanks,
> 
> David Hicks
> MantisBT Developer
> mantisbt.org, #mantishelp on freenode