From https://bugzilla.redhat.com/show_bug.cgi?id=876371 :

Two flaws were noted as being fixed in the Mantis 1.2.12 changelog [1]:

- 0014496: [security] Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default' (dregad)
- 0014704: [security] Clone and Move issue with Copy bug notes - user get email notice from project without access (dregad)

[1] http://www.mantisbt.org/bugs/changelog_page.php?version_id=150
CVE-2012-5523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5523):
core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug.

CVE-2012-5522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5522):
MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting.
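As an added example (not MantisBT's own code; the access levels, status names and threshold table are constructed), the defect pattern CVE-2012-5522 describes: a blank per-status "minimum access level" setting that gets coerced to 0 versus one that falls back to an explicit default, plus a small audit helper that lists the blank thresholds an administrator should fill in.

```python
# Added example, not MantisBT's code: the defect pattern behind CVE-2012-5522.
# Access levels, status names and the threshold table below are constructed.
from typing import Dict, List, Union

# Constructed access levels, lowest to highest.
VIEWER, REPORTER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 55, 70, 90

# Per-status "minimum access level to change to this status" settings.
# An empty string stands for a value the administrator never filled in.
STATUS_THRESHOLD: Dict[str, Union[int, str]] = {
    "assigned": DEVELOPER,
    "resolved": DEVELOPER,
    "closed": "",  # left blank in the workflow configuration
}


def can_change_status_vulnerable(user_level: int, new_status: str) -> bool:
    """Blank setting is coerced to 0, so any authenticated user passes."""
    threshold = int(STATUS_THRESHOLD.get(new_status) or 0)
    return user_level >= threshold


def can_change_status_fixed(user_level: int, new_status: str,
                            default: int = DEVELOPER) -> bool:
    """Blank or missing setting falls back to an explicit default (fail closed)."""
    raw = STATUS_THRESHOLD.get(new_status, "")
    threshold = default if raw in ("", None) else int(raw)
    return user_level >= threshold


def blank_thresholds(config: Dict[str, Union[int, str]]) -> List[str]:
    """Audit helper: statuses whose threshold is blank and would be open to
    every user under the vulnerable check."""
    return sorted(s for s, v in config.items() if v in ("", None))


if __name__ == "__main__":
    print("vulnerable, reporter -> closed:",
          can_change_status_vulnerable(REPORTER, "closed"))  # True
    print("fixed, reporter -> closed:",
          can_change_status_fixed(REPORTER, "closed"))       # False
    print("blank thresholds:", blank_thresholds(STATUS_THRESHOLD))  # ['closed']
```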
+ 06 Mar 2013; Patrick Lauer <patrick@gentoo.org> +mantisbt-1.2.12.ebuild:
+ Bump for #443106
(In reply to comment #2)
> + 06 Mar 2013; Patrick Lauer <patrick@gentoo.org> +mantisbt-1.2.12.ebuild:
> + Bump for #443106

I guess this is not enough: http://www.openwall.com/lists/oss-security/2013/03/03/6
(In reply to comment #3)
> (In reply to comment #2)
> > + 06 Mar 2013; Patrick Lauer <patrick@gentoo.org> +mantisbt-1.2.12.ebuild:
> > + Bump for #443106
>
> I guess this is not enough:
> http://www.openwall.com/lists/oss-security/2013/03/03/6

Furthermore: MantisBT 1.2.14 is a security update for the stable 1.2.x branch. All installations that are currently running any 1.2.x version are strongly advised to upgrade to this release. Please refer to the release notes for details.

- 0015415: [security] XSS vulnerability on Configuration Report page (dregad) - closed.
- 0015416: [security] XSS issue in adm_config_report.php when displaying complex value (dregad) - closed.
- 0015411: [performance] Huge memory consumption for print_user_option_list() (dregad) - closed.

http://mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.14
Another vulnerability for mantis: https://bugzilla.redhat.com/show_bug.cgi?id=924340

A denial of service flaw was found in the way MantisBT, a free, popular web-based issue tracking system, performed processing of certain types of View Issues page search queries. A remote attacker could provide a specially-crafted query (filter combining some criteria and a text search with 'any condition') that, when processed by the MantisBT system, would lead to excessive system resource consumption (denial of service), possibly leading to complete MantisBT server instance unavailability.

References:
[1] http://www.openwall.com/lists/oss-security/2013/03/21/3

Upstream bug report:
[2] http://www.mantisbt.org/bugs/view.php?id=15573

Relevant upstream patch:
[3] https://github.com/mantisbt/mantisbt/commit/d16988c3ca232a7
Other vulnerabilities out: http://www.openwall.com/lists/oss-security/2013/04/04/8

1. Close button available to users despite workflow restrictions

This issue affects Mantis 1.2.12 and later. It allows low-privileged users to close issues even though the workflow settings do not permit it.
Reference: http://www.mantisbt.org/bugs/view.php?id=15453

4. XSS issue on Configuration Report page when displaying complex value

This issue affects Mantis 1.2.0rc1 and later. Lack of proper string escaping allows users (having admin access) to enter arbitrary JavaScript code and have it executed in the user's browser.
Reference: http://www.mantisbt.org/bugs/view.php?id=15416

Issues 2 and 3 do not affect Gentoo. Please bump 1.2.15.
New version is in the tree. Arch teams, please, stabilize 1.2.15.
amd64 stable
x86 stable
GLSA vote: yes
GLSA Vote: Yes. Created a new GLSA request.
Multiple vulnerabilities spread across 9 different bugs. No movement from maintainers in over a year.
Package removed