Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 222649
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Robert Buchholz <rbu@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
adv.txt adv.txt text/plain Peter Volkov 2008-09-29 07:43 0000 7.80 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 222649 depends on: 229105 233336 Show dependency tree
Bug 222649 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2008-05-18 13:56 0000 
CVE-2008-2276 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2276):
  Cross-site request forgery (CSRF) vulnerability in Mantis 1.1.1 allows remote
  attackers to create new administrative users via user_create.

------- Comment #1 From Gunnar Wrobel 2008-05-19 04:22:20 0000 ------- 
Backporting the patch to 1.1.1 seems rather involved. So I'd suggest waiting
for 1.2.0 here.

------- Comment #2 From Peter Volkov 2008-05-19 08:32:13 0000 ------- 
There were a rumors about upcoming 1.1.2, so I'd wait too but for that version.
I'm sure 1.2.0 is too unstable to mark it stable...

------- Comment #3 From Robert Buchholz 2008-05-20 21:10:51 0000 ------- 
The fixes introduced in 1.1.2 are not enough.

Please note that new vulnerabilities have been discovered, see:
http://www.ush.it/team/ush/hack-mantis111/adv.txt

------- Comment #4 From Peter Volkov 2008-05-21 06:02:57 0000 ------- 
Thank you for the link, I'll check that all that bugs be fixed in 1.1.2. 1.1.2
is not released yet and work on backporting security and other fixes is in
progress.

------- Comment #5 From Peter Volkov 2008-07-13 21:40:29 0000 ------- 
New version was added to the tree. Robert the link you posted here is
unavailable now, but at time you posted it here, I've showed it to mantis
developers and I remember that the issues that were raised there were in TODO
list for 1.1.2 release. So I can not check now but I hope that everything is
fixed.

------- Comment #6 From Peter Volkov 2008-09-29 07:26:46 0000 ------- 
Well, link is available now and I've checked that all things reported there
were fixed in 1.1.2 release, which is already stable in our tree. Please, mark
this bug as appropriate. Thank you.

------- Comment #7 From Peter Volkov 2008-09-29 07:43:04 0000 ------- 
Created an attachment (id=166739) [details]
adv.txt

Attaching text Robert gave link in comment #3 not to loose it anymore.

------- Comment #8 From Christian Hoffmann 2008-10-15 18:13:17 0000 ------- 
Should be GLSAed together with bug 238570 and bug 241940.
Security, please file the GLSA request.

------- Comment #9 From Robert Buchholz 2008-11-26 19:27:49 0000 ------- 
CVE-2008-2276 was resolved in GLSA 200809-10, the other issues in the adv.txt
are CVE-2008-3331 and CVE-2008-3332, which were bug 233336.
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug