- 0003375: [security] Bughistory bypasses security on custom fields (thraxisp)
- 0005163: [security] Default value for $g_bug_reminder_threshold should be higher than "reporter" (vboctor)
- 0007364: [security] Custom field visible in history independent from user role (thraxisp)

http://secunia.com/advisories/23258/

The current release with the fixes is an alpha release - maybe wait until a full 1.1.x release?
Web-apps please advise and bump as necessary.
This was just fixed in the 1.0.7 release - web-apps, can we get an ebuild and close this one out? Thanks.

http://www.mantisbt.org/changelog.php

2007.04.04 - 1.0.7
This is a maintenance release that includes 3 security fixes, a new logo, and an IE7 compatibility fix. All users of previous versions of Mantis (0.x.x and 1.0.x) are encouraged to upgrade to Mantis 1.0.7.
- 0007743: [security] Port: CVE-2006-6574 (vboctor)
- 0007772: [security] email notifications bypass security on custom fields (vboctor)
- 0007784: [security] XSS vulnerabilities (vboctor)
- 0007774: [custom fields] custom fields not stored correctly in bug history (vboctor)
- 0007783: [filters] Port: Dynamic filter selection (XMLHTTPRequest) broken when using IE7 (vboctor)
Created attachment 116631 [details]
Proposed Mantis 1.0.7 ebuild.

As an attempt to kick-start this getting into the tree, here's an ebuild. Danger Will Robinson! Danger!
- This is my first try at updating an ebuild.
- I just read http://gentoo-wiki.com/HOWTO_Create_an_Updated_Ebuild to make it.
- Of course, all I had to do was rename the file, so I probably can't have screwed it up that much. ;) (CVS check-in header line still reads 1.0.6.)
But, I tried it and it works for me on my server. Someone double check that I'm not a blundering idiot, and hopefully get it into the tree.
mantisbt-1.0.7 is in the tree. Thanks to Christian Parpart for the bump. Philippe, next time attach a diff or just note that copying the old ebuild works for you. No need to attach the full ebuild.
(In reply to comment #4)
> Philippe, next time attach a diff or just note that copying the old ebuild
> works for you. No need to attach the full ebuild.

Roger that. Thanks for getting it into the tree, you guys.
mantisbt was stable some time ago on ppc, but the current versions in portage are not stable on all archs. I removed the unstable vulnerable version and I think this bug is fixed. Right? :)
Thanks Peter. Updating stuff for future reference.