| Summary: | www-apps/mantisbt < 1.1.3: Logout functionality is broken (CVE-2008-4689) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Peter Volkov (RETIRED) <pva> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | Runtime testing required: | --- | |
Description
Peter Volkov (RETIRED)
2008-10-14 11:59:33 UTC
For me this version is not working... I can't add a new problem to mantisbt. I see on the webpage of mantis: "Sorry everyone: I broke the 1.1.3 build; it's fixed in SVN as of r5668; we'll see where we can go from here."

(In reply to comment #1)
> For me this version is not working... I can't add a new problem to mantisbt.

Thank you for the report, Marek. This should be fixed in mantisbt-1.1.3-r1. BTW, please, next time open new bug in bug report. :)

Just had a quick conversation with pva on IRC. Besides the generic security improvements (which don't have any direct effect or at least it's not easily visible which those would be), the mentioned bug report describes an issue which apparently breaks the logout function. This will lead to information disclosure or unwanted manipulation of data, as another person (at the same machine) could hijack the session after a "successful" logout.

So, arches, please test and stabilize:
=www-apps/mantisbt-1.1.3-r1
Target keywords: amd64 ppc x86

ppc stable

amd64/x86 stable, all arches done.

Ready for vote, I vote YES.

Yes too, request filed.

Name: CVE-2008-4689
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4689
Reference: MLIST:[oss-security] 20081020 Re: CVE request: mantisbt < 1.1.4: RCE
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/20/1
Reference: CONFIRM:http://www.mantisbt.org/bugs/changelog_page.php
Reference: CONFIRM:http://www.mantisbt.org/bugs/file_download.php?file_id=1988&type=bug
Reference: CONFIRM:http://www.mantisbt.org/bugs/view.php?id=9664

Mantis before 1.1.3 does not unset the session cookie during logout, which makes it easier for remote attackers to hijack sessions.

CVE-2008-4689 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4689):
Mantis before 1.1.3 does not unset the session cookie during logout, which makes it easier for remote attackers to hijack sessions.

Whoops. Sorry bugspam, check-todo-issues made me do it. :/

GLSA 200812-07
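The CVE text above says the session cookie is not unset during logout. The following regression check is an added example, not part of this bug report or of MantisBT's code: it inspects the Set-Cookie headers of a logout response and reports whether the session cookie is actually expired or emptied. The cookie names `APP_SESSION` and `APP_PREFS` and the sample headers are constructed placeholders.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_COOKIE = "APP_SESSION"  # assumed placeholder, not MantisBT's real cookie name

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def cookie_is_cleared(value, attrs, now):
    """True if the browser drops the cookie or is left with no token in it."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            pass  # malformed Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return value == ""
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            return True
    return value == ""

def logout_clears_session(set_cookie_headers, name=SESSION_COOKIE, now=None):
    """Check the Set-Cookie headers of a logout response for the session cookie."""
    now = now or datetime.now(timezone.utc)
    cleared = False  # no header for the cookie at all means it survives logout
    for header in set_cookie_headers:
        cookie, value, attrs = parse_set_cookie(header)
        if cookie == name:
            cleared = cookie_is_cleared(value, attrs, now)  # last header wins
    return cleared

# Constructed sample responses (not captured from a real MantisBT instance).
BROKEN_LOGOUT = ["APP_PREFS=lang%3Den; Path=/"]
FIXED_LOGOUT = ["APP_PREFS=lang%3Den; Path=/",
                "APP_SESSION=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/"]

if __name__ == "__main__":
    for label, headers in (("broken", BROKEN_LOGOUT), ("fixed", FIXED_LOGOUT)):
        print(label, "->", "cleared" if logout_clears_session(headers) else "STILL VALID")
```

This covers only the client-side cookie named in the CVE description; whether the server also invalidates the session identifier needs a separate test.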