It was found that the config option crypto_master_salt was available via the SOAP API due to a wrong spelling, since MantisBT sensitive config options were blacklisted to prevent their access via the SOAP API.

Upstream report: http://sourceforge.net/p/mantisbt/mailman/message/32948048/

CVE assignment: http://seclists.org/oss-sec/2016/q1/4

After this vulnerability appeared, MantisBT was hardened to use a whitelist approach instead of blacklisting: https://github.com/mantisbt/mantisbt/commit/7927c275
Created mantis tracking bugs for this issue:

Affects: fedora-all [bug 1295394]
Affects: epel-5 [bug 1295395]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
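
The difference between the two approaches named in the description, as an added PHP example that is not MantisBT's code: a misspelled blacklist entry lets the option through, while a whitelist refuses anything not listed. The misspelling, the option names other than crypto_master_salt, and all values are constructed for illustration.

```php
<?php
// Constructed sample configuration; option names other than
// crypto_master_salt are hypothetical and the values are placeholders.
$config = [
    'crypto_master_salt' => 'PLACEHOLDER-SECRET',
    'db_password'        => 'PLACEHOLDER-PASSWORD',
    'window_title'       => 'Bug Tracker',
    'default_language'   => 'english',
];

// Blacklist containing a constructed misspelling of the salt option's name.
$blacklist = ['crypto_mastr_salt', 'db_password'];

// Whitelist: only options explicitly reviewed as safe to expose.
$whitelist = ['window_title', 'default_language'];

// Blacklist lookup: any name not listed is served, so a typo fails open.
function get_config_blacklist(array $config, array $blacklist, string $name): ?string
{
    if (in_array($name, $blacklist, true) || !array_key_exists($name, $config)) {
        return null;
    }
    return $config[$name];
}

// Whitelist lookup: any name not listed is refused, so a typo fails closed.
function get_config_whitelist(array $config, array $whitelist, string $name): ?string
{
    if (!in_array($name, $whitelist, true) || !array_key_exists($name, $config)) {
        return null;
    }
    return $config[$name];
}

// Sanity check for either list: an entry that names no existing option
// is probably misspelled and has no effect on what is exposed.
function unknown_entries(array $config, array $list): array
{
    return array_values(array_diff($list, array_keys($config)));
}

// Request the salt through each lookup, then check the blacklist for typos.
var_dump(get_config_blacklist($config, $blacklist, 'crypto_master_salt'));
var_dump(get_config_whitelist($config, $whitelist, 'crypto_master_salt'));
print_r(unknown_entries($config, $blacklist));
```

Running a check like unknown_entries() in a test suite catches a misspelled entry in either kind of list before release.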