[VIM] Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

ascii ascii at katamail.com
Wed May 21 12:36:52 UTC 2008


Steven M. Christey wrote:
> Just to let you know - we created the CVE after Secunia found a changelog
> entry (at the CONFIRM in our references section).  We did not know
> anything else about the other issues, but there was enough information in
> the changelog to know that there was some vulnerability.  Your advisory
> will provide additional details for CVE-2008-2276, and we'll be adding it
> as a reference... plus, adding the other issues that you mentioned as
> separate CVEs.

Thanks Steven for the details,

I never like it when things with a vendor go wrong; unluckily, this was one
of those cases. Our first contact mail included this sentence:

We try to synchronize the disclosure time with the vendor; if the
details of the vulnerability become public we will immediately
disclose the advisory.

and this was what happened.

Add to this that the only vulnerability that was not going to be fixed
(to our knowledge) was the one leaked and credited to Glenn, who was
the contact on the Mantis side who told us it was not going to be
fixed but at the same time fixed it and wrote the changelog line.

This confused me and Antonio a lot.

Now I know that Glenn did not act in bad faith and was mostly a victim
of fate. For this I want to apologize on my side for the
overreaction.

The really sad thing is that this situation could have been avoided in a
hundred ways on the vendor side.

Have a nice day,
Francesco `ascii` Ongaro
http://www.ush.it/
