Bug 238570 (CVE-2008-3102)

Summary:	www-apps/mantisbt <1.1.2-r1 Insecure cookie session hijacking (CVE-2008-3102)
Product:	Gentoo Security	Reporter:	Robert Buchholz (RETIRED) <rbu>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	pva, web-apps
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://int21.de/cve/CVE-2008-3102-mantis.html
Whiteboard:	B4 [glsa]
Package list:		Runtime testing required:	---

Description Robert Buchholz (RETIRED) gentoo-dev

2008-09-24 15:13:58 UTC

CVE-2008-3102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3102):
  Mantis does not set the secure flag for the session cookie in an
  https session, which can cause the cookie to be sent in http requests
  and make it easier for remote attackers to capture this cookie.

Comment 1 Peter Volkov (RETIRED) gentoo-dev

2008-09-25 12:33:34 UTC

mantisbt-1.1.2-r1 should fix this issue. But please wait until monday (29.09) to ask for stabilization. It's possible that upstream will roll out new release that we'll better stabilize it...

Comment 2 Peter Volkov (RETIRED) gentoo-dev

2008-09-29 07:25:10 UTC

Eh, I forgot to commit it to the tree, but now I did that. Taking into account how long it sometime takes upstream to release new version, lest stabilize this one. Arch teams, please, do it.

Target keywords:
www-apps/mantisbt-1.1.2-r1: amd ppc x6

Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev

2008-10-01 17:52:26 UTC

ppc stable

Comment 4 Markus Meier gentoo-dev

2008-10-01 20:50:45 UTC

amd64/x86 stable, all arches done.

Comment 5 Tobias Heinlein (RETIRED) gentoo-dev

2008-10-01 21:19:31 UTC

Ready for vote, I vote YES.

Comment 6 Christian Hoffmann (RETIRED) gentoo-dev

2008-10-15 18:15:08 UTC

Should be GLSAed together with bug 222649 and bug 241940.
GLSA request still to be filed.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev

2008-11-26 19:41:02 UTC

YES

Comment 8 Robert Buchholz (RETIRED) gentoo-dev

2008-12-02 17:56:02 UTC

GLSA 200812-07