Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#43841 - [mantisbt] CVE-2014-8986
Attached to Project:
Community Packages
Opened by Paul (grangeway) - Monday, 16 February 2015, 10:48 GMT
Last edited by Maxime Gauduin (Alucryd) - Friday, 10 April 2015, 07:11 GMT
Opened by Paul (grangeway) - Monday, 16 February 2015, 10:48 GMT
Last edited by Maxime Gauduin (Alucryd) - Friday, 10 April 2015, 07:11 GMT
|
DetailsHello,
ArchLinux reports that CVE-2014-8986 is fixed in their distribution of Mantis. This is not the case as the vulnerable code is still included. Please see http://issue-track.org/security/CVE-2014-8986.html for original patch for this issue and status. Thanks |
This task depends upon
Closed by Maxime Gauduin (Alucryd)
Friday, 10 April 2015, 07:11 GMT
Reason for closing: Fixed
Additional comments about closing: 1.2.19-2
Friday, 10 April 2015, 07:11 GMT
Reason for closing: Fixed
Additional comments about closing: 1.2.19-2
A confirmation from someone running this would be nice, however the initial finder confirms that the patch you applied mitigates the issue [0].
I just wanted to say that IMHO i do not think this is a 'critical' issue (highest possible severity) as its XSS and also requires administrator privileges to perform, but never-mind its still a bad issue :)
[0] http://www.openwall.com/lists/oss-security/2015/02/16/2