Bug#: 238570
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Description:   Opened: 2008-09-24 15:13 0000
CVE-2008-3102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3102):
  Mantis does not set the secure flag for the session cookie in an
  https session, which can cause the cookie to be sent in http requests
  and make it easier for remote attackers to capture this cookie.
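
A check for the condition described in CVE-2008-3102, as an added example that is not part of this bug report or of Mantis itself: it scans the `Set-Cookie` headers of an HTTPS response and reports cookies that lack the `Secure` attribute. The cookie names and header values are constructed sample data, and the function names are hypothetical.

```python
from typing import List, NamedTuple, Tuple


class Cookie(NamedTuple):
    name: str
    attrs: frozenset  # lower-cased attribute names, e.g. {"path", "secure"}


def parse_set_cookie(value: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and attribute names."""
    pair, *attr_parts = value.split(";")
    name = pair.split("=", 1)[0].strip()
    # Attribute names are case-insensitive; only the part before '=' counts,
    # so a cookie value or path containing "secure" is not mistaken for the flag.
    attrs = frozenset(
        p.split("=", 1)[0].strip().lower() for p in attr_parts if p.strip()
    )
    return Cookie(name, attrs)


def cookies_missing_secure(scheme: str, headers: List[Tuple[str, str]]) -> List[str]:
    """Return names of cookies set over HTTPS without the Secure attribute."""
    if scheme.lower() != "https":
        return []  # the check only applies to responses served over HTTPS
    missing = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if "secure" not in cookie.attrs:
            missing.append(cookie.name)
    return missing


# Constructed sample: response headers from a login over HTTPS.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "APP_SESSION=3f9a; path=/secure; HttpOnly"),  # no Secure flag
    ("set-cookie", "APP_PREFS=secure; Path=/; SECURE"),          # flag present
]

if __name__ == "__main__":
    for name in cookies_missing_secure("https", SAMPLE_HEADERS):
        print(f"cookie {name!r} set over HTTPS without Secure")
```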

------- Comment #1 From Peter Volkov 2008-09-25 12:33:34 0000 -------
mantisbt-1.1.2-r1 should fix this issue. But please wait until Monday (29.09)
to ask for stabilization. It's possible that upstream will roll out a new release
that we'd better stabilize...

------- Comment #2 From Peter Volkov 2008-09-29 07:25:10 0000 -------
Eh, I forgot to commit it to the tree, but now I did that. Taking into account
how long it sometimes takes upstream to release a new version, let's stabilize this
one. Arch teams, please do it.

Target keywords:
www-apps/mantisbt-1.1.2-r1: amd64 ppc x86

------- Comment #3 From Tobias Scherbaum 2008-10-01 17:52:26 0000 -------
ppc stable

------- Comment #4 From Markus Meier 2008-10-01 20:50:45 0000 -------
amd64/x86 stable, all arches done.

------- Comment #5 From Tobias Heinlein 2008-10-01 21:19:31 0000 -------
Ready for vote, I vote YES.

------- Comment #6 From Christian Hoffmann 2008-10-15 18:15:08 0000 -------
Should be GLSAed together with bug 222649 and bug 241940.
GLSA request still to be filed.

------- Comment #7 From Robert Buchholz 2008-11-26 19:41:02 0000 -------
YES

------- Comment #8 From Robert Buchholz 2008-12-02 17:56:02 0000 -------
GLSA 200812-07
