From: Roland B. <ro...@at...> - 2013-01-18 21:19:51
I am a bit worried about releasing 1.2.13 next week. Robert, are you
> 99,99% sure that the SOAP API is not broken by your changes for [1]?
There is a lot of new code in it which is hardly tested on various
platforms. Maybe we should at least run this code on our own site for
some days before cutting the release?

[1] http://www.mantisbt.org/bugs/view.php?id=14871

Roland

Robert Munteanu <rob...@gm...> wrote on 18 January 2013 at 21:45:

> On Fri, Jan 18, 2013 at 3:01 PM, Damien Regad
> <dam...@me...> wrote:
> > David Hicks <d <at> hx.id.au> writes:
> >> Are you able to build and deploy a new MantisBT 1.2.13 release to
> >> resolve the below mentioned XSS issue (bug #15373)?
> >
> > Thanks for the quick response and the patch David... I intended to fix
> > the issue this afternoon, turns out you were faster than me ;-)
> >
> > I'm off skiing this weekend (yay!) and have a business trip on Monday,
> > so the earliest I can do to prepare the release (i.e. build tarballs,
> > etc) is middle of next week.
> >
> >> Damien has some valid points in #15373 about a better long term fix for
> >> a future version of MantisBT (treating match_type as an integer type
> >> rather than a string). I figured this could wait until MantisBT 1.2.14
> >> or a later release.
> >
> > Agreed. However, considering my constraints above, there may be enough
> > time for rombert to make this change before I cut the release.
>
> There was enough time it appears :-) . I updated the code to use
> gpc_get_int and the XSS is still fixed.
>
> Thanks for the quick reaction.
>
> Robert
>
> >
> >> -------- Forwarded Message --------
> >> > To: oss-security@...
> >> >
> >> > Jakub Galczyk discovered[1][2] a cross site scripting (XSS)
> >> > vulnerability in MantisBT 1.2.12 and earlier versions that allows a
> >
> > Rectification: this affects *only* version 1.2.12, as earlier versions
> > did not contain the commit introducing the 'match type' filtering
> > feature.
> >
> > I'll post the same on oss-security.
> >
> > Damien
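The change the thread settles on, reading match_type as an integer rather than a string before it is reflected into the filter form, as an added example that is not MantisBT's own code: the `get_int_param()` helper, the `FILTER_MATCH_*` constants, the hidden-input markup and the request array are assumptions modelled on the idea behind gpc_get_int(), not on its actual implementation.

```php
<?php
// Added example, not MantisBT code. Hypothetical constants standing in for the
// allowed values of the 'match type' filter.
define( 'FILTER_MATCH_ALL', 0 );
define( 'FILTER_MATCH_ANY', 1 );

// Pattern that reflects the raw request string: whatever arrives in the
// parameter ends up verbatim inside the HTML attribute.
function render_match_type_as_string( array $p_request ) {
	$t_match_type = isset( $p_request['match_type'] ) ? $p_request['match_type'] : '0';
	return '<input type="hidden" name="match_type" value="' . $t_match_type . '" />';
}

// Integer-typed read (assumed helper in the spirit of gpc_get_int): only an
// all-digit string is accepted; anything else falls back to the default.
function get_int_param( array $p_request, $p_name, $p_default ) {
	if( !isset( $p_request[$p_name] ) ) {
		return $p_default;
	}
	$t_value = $p_request[$p_name];
	if( !is_string( $t_value ) || !ctype_digit( $t_value ) ) {
		return $p_default;
	}
	return (int)$t_value;
}

// Hardened pattern: coerce to int, then restrict to the known match types, so
// the value interpolated into the markup can only ever be a run of digits.
function render_match_type_as_int( array $p_request ) {
	$t_match_type = get_int_param( $p_request, 'match_type', FILTER_MATCH_ALL );
	if( !in_array( $t_match_type, array( FILTER_MATCH_ALL, FILTER_MATCH_ANY ), true ) ) {
		$t_match_type = FILTER_MATCH_ALL;
	}
	return '<input type="hidden" name="match_type" value="' . $t_match_type . '" />';
}

// Constructed request: a non-numeric value where a match type is expected.
$t_request = array( 'match_type' => '1<b>not-a-number</b>' );

// The string version carries the markup through into the attribute; the int
// version renders value="0" because the value was rejected and defaulted.
echo render_match_type_as_string( $t_request ), "\n";
echo render_match_type_as_int( $t_request ), "\n";
```

The same integer read also applies when the value is used server-side (e.g. in a filter comparison), since the whitelist check above keeps out-of-range integers from reaching either the page or the query.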