Summary: | www-apps/mantisbt: SQL injection (CVE-2014-2238) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | chain, proxy-maint, pva, web-apps
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.openwall.com/lists/oss-security/2014/02/28/3 | |
Whiteboard: | B3 [ebuild blocked] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 531896 | |
Bug Blocks: | | |

Description
Agostino Sarubbo
Fixed in Version 1.2.17 http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.17

Maintainers, please advise when eBuild is ready for stabilization.

CVE-2014-2238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2238): SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter.

I have been using 1.2.17 for ages now - it is needed for some plugins to work which I am using. So I don't know why this isn't stabilized yet.

Version 1.2.17 was released from upstream (released 2014-03-03), which is a year ago. Maintainers, can we please create an ebuild so we can remove the vulnerability?

Setting dependency latest version: 1.2.19 which is the latest version. Released 2015-01-24

Multiple vulnerabilities spread across 9 different bugs. No movement from maintainers in over a year.

Package removed