| Field | Value |
|---|---|
| Summary | `<www-apps/mantisbt-1.2.11`: multiple vulnerabilities (CVE-2012-{2691,2692}) |
| Product | Gentoo Security |
| Reporter | David Hicks <david> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | dirk.olmes, pva, web-apps |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2012/06/09/1 |
| Whiteboard | B4 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 407121 |
Description (David Hicks, 2012-06-09 09:15:18 UTC)

Thanks for the report David. CVE numbers were assigned as follows:

- CVE-2012-2691: Reporters can edit arbitrary bugnotes via SOAP API (#14340)
- CVE-2012-2692: delete_attachments_threshold not checked on attachment deletion (#14016)

CVE-2012-2692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2692): MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.

CVE-2012-2691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2691): The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.

*** Bug 423957 has been marked as a duplicate of this bug. ***

Peter, David, web-apps: may we stabilize 1.2.11?

(In reply to comment #5)
> Peter, David, web-apps: may we stabilize 1.2.11?

ping?

From a MantisBT developer point-of-view I don't see any reason for holding back on stabilisation. We're fairly strict about what goes into minor version bumps (security and small bug fixes).

Arches, please test and mark stable =www-apps/mantisbt-1.2.11

amd64 stable

x86 stable, last arch!

Thanks, everyone. Already on an existing GLSA request.

This issue was resolved and addressed in GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml by GLSA coordinator Tobias Heinlein (keytoaster).
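Both CVEs in this bug are authorization checks that were either skipped or too weak. The following is an added example, not MantisBT's code and not from this bug report: a deliberately simplified, constructed model of a threshold-based permission scheme that shows each flawed check beside its corrected form. The numeric access levels, the `User`/`BugNote`/`Config` classes and the function names are assumptions for illustration; the two defects modelled are the ones the CVE texts above describe (the attachment-deletion threshold check being tied to `form_security_validation`, and a note-update check that never looks at who owns the note).

```python
from dataclasses import dataclass

# Constructed access levels (assumed values, not MantisBT's own constants).
REPORTER = 25
DEVELOPER = 50
MANAGER = 70


@dataclass
class User:
    name: str
    access_level: int


@dataclass
class BugNote:
    note_id: int
    author: str


@dataclass
class Config:
    # Anti-CSRF form validation and authorization thresholds; assumed defaults.
    form_security_validation: bool = True
    delete_attachments_threshold: int = DEVELOPER
    update_bugnote_threshold: int = DEVELOPER


def can_delete_attachment_vulnerable(user: User, cfg: Config) -> bool:
    # Flawed pattern (modelled on CVE-2012-2692): the threshold check lives
    # inside the form-security branch, so turning validation OFF also
    # silently skips authorization.
    if cfg.form_security_validation:
        return user.access_level >= cfg.delete_attachments_threshold
    return True


def can_delete_attachment_fixed(user: User, cfg: Config) -> bool:
    # Corrected pattern: authorization never depends on the anti-CSRF
    # setting; the threshold is compared on every request.
    return user.access_level >= cfg.delete_attachments_threshold


def can_update_bugnote_vulnerable(user: User, note: BugNote, cfg: Config) -> bool:
    # Flawed pattern (modelled on CVE-2012-2691): only "may this caller
    # report bugs at all?" is checked; note ownership is never consulted.
    return user.access_level >= REPORTER


def can_update_bugnote_fixed(user: User, note: BugNote, cfg: Config) -> bool:
    # Corrected pattern: the caller must own the note or hold at least the
    # update threshold, so a plain reporter cannot edit someone else's note.
    return note.author == user.name or user.access_level >= cfg.update_bugnote_threshold


def demo() -> dict:
    """Run both checks over constructed users and return the outcomes."""
    alice = User("alice", REPORTER)
    bob = User("bob", REPORTER)
    carol = User("carol", MANAGER)
    bobs_note = BugNote(1, "bob")
    alices_note = BugNote(2, "alice")
    cfg_off = Config(form_security_validation=False)
    return {
        "reporter_deletes_with_validation_off_vulnerable": can_delete_attachment_vulnerable(alice, cfg_off),
        "reporter_deletes_with_validation_off_fixed": can_delete_attachment_fixed(alice, cfg_off),
        "reporter_edits_others_note_vulnerable": can_update_bugnote_vulnerable(alice, bobs_note, cfg_off),
        "reporter_edits_others_note_fixed": can_update_bugnote_fixed(alice, bobs_note, cfg_off),
        "reporter_edits_own_note_fixed": can_update_bugnote_fixed(alice, alices_note, cfg_off),
        "manager_edits_others_note_fixed": can_update_bugnote_fixed(carol, bobs_note, cfg_off),
        "unused_reporter": bob.name,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one that matters for review of any threshold-based scheme: an authorization decision must be reachable on every code path regardless of unrelated configuration, and an "update" operation must compare the caller against the resource's owner, not only against a global capability.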