P Richards
2014-10-30 15:57:35 UTC
Robert, Damien,
Before I send anything to the list regarding the fork (which may be over the weekend), I'm sending you two privately some of the security patches that I have for 1.2.18
001: I deem to be minor - it's a 'safety' catch for if someone accidentally configures a server incorrectly - in reality, unlikely to ever be an issue as mantis isn't usable in the state needed to trigger this.
002 - not a security fix as such, but seemed to fix javascript errors that were making it hard to identify 3
003 - Fixes XSS issue in the extended browser - this only needs to be backported to 1.2 as the code has gone from master
004 - Fixes a SQL injection issue in the SOAP api - I've emailed cve-***@mitre.org asking for them to reserve a CVE for this (and also emailed them asking them to reserve a CVE for the other issues we've got patches in progress for). I've not yet emailed cve-assign for the 01 or 03 above. I'm wondering for both whether it's necessary to bother - in the first case (001), I don't think you'd even be able to use mantis properly in the state needed to hit this issue, and in the 2nd case (003), given you'd need the extended project browser to be on, and be able to set a project name - the first of which I've never seen anyone use...
Once I get a reply with the CVE number, I'll forward it to you two again so a complete set of patches can be properly co-ordinated, and we can make sure nothing is missing. And then I'll reply publicly to your list-mail rombert about names (don't worry, I've not picked something that will breed confusion), and further details.
Paul
-----Original Message-----
From: Robert Munteanu [mailto:***@gmail.com]
Sent: 21 October 2014 12:06
To: developer discussions
Subject: Re: [mantisbt-dev] Hi All - A change of direction for me.
Hi Paul,
Let me start by acknowledging all the work you did on MantisBT - you definitely contributed a lot and MantisBT is today better due to your contributions, so a big thank you goes out for that.
I wish you good luck with your fork - and hope you don't mind if we cherry-pick fixes that we find useful :-)
On a related note, I echo Damien's comment on naming - it would breed confusion to name your project Mantis Issue Tracker ( MantisIT? ) so please pick another name that
Cheers,
Robert
http://robert.muntea.nu/
Hi All,
Just to let you know that I'm going to embark on a new project -
"Mantis Issue Tracker". This will be a fork from the Mantis Bug
Tracker project with a goal for being used for a helpdesk focus - this
is the environment I currently work in.
After 10 years spent working on Mantis Bug Tracker, it has become
clear that Victor's planned direction with moving towards a hosted
MantisHub and trying to make a financial return out of Mantis is not
aligned with the goals that I set myself for involvement with an open
source project. I'd like to wish him success with those aims.
Myself, I'm keen to ensure that in today's hosted world with cloud
services etc, it's possible to run a freely available issue tracker for all.
I'll post more details in a few days.
I still plan to continue to follow the project and submit any pull
requests, but I need to align my coding time with the needs for which
I use Mantis - which is as an issue checker in an MSSQL shop.
In the meantime, please let me know as soon as Damien has fixed his
email address, as it's still broken and it would be good to do a joint
security release.
Paul
_______________________________________________
mantisbt-dev mailing list
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev