oss-sec mailing list archives
Re: CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access
From: Damien Regad <dregad () mantisbt org>
Date: Fri, 14 Nov 2014 13:36:11 +0000 (UTC)
Hanno Böck <hanno@...> writes:

> What's holding this up?

Just me doing this in my spare time, and not having much of that at the moment, sorry...

> Makes me feel mantis isn't really handling security issues in a responsible way

I resent your comment. We have released patches to the public for all identified vulnerabilities, so from my perspective it's not like we're leaving the community without a solution for known issues. I personally believe it's better (i.e. more "responsible") to disclose an issue with a fix for it, thus allowing admins to patch their systems, rather than hide the problem until we're ready to go live with a new release.

If you can't wait for 1.2.18 to come out, you are welcome to patch your system manually. With regards to the XML plugin issues, you can also simply deactivate it.

Best regards
D. Regad
MantisBT Developer
Current thread:
- CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access Damien Regad (Nov 07)
- Re: CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access Hanno Böck (Nov 14)
- Re: CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access Damien Regad (Nov 14)
- Re: CVE-2014-8598: MantisBT XML Import/Export plugin unrestricted access Hanno Böck (Nov 14)