As per the email:
Mantis 0.19.3 is a maintenance release that mainly contains security fixes.
All 0.19.x users are advised to upgrade to this version.
- 0006331: [security] Port #5247 to 0.19.3: Real email addresses are visible
when using reminders (vboctor)
- 0006333: [security] Port #5959 to 0.19.3: Cross Site Scripting
Vulnerability in the mantis/view_all_set.php Script (vboctor)
- 0006335: [security] Port #6273 to 0.19.3: File Inclusion Vulnerability
- 0006336: [security] Port #6275 to 0.19.3: SQL injection (vboctor)
- 0006334: [security] Port #6097 to 0.19.3: user ID is cached indefinitely
- 0006330: [bugtracker] System warning in login_page.php when no new
Note that we still apply _one_ of the Debian patches for their bug 5956 that
doesn't seem to be fixed. Patched 0.19.3 will be in CVS shortly.
ppc please test and mark 0.19.3 stable.
Stable on ppc.
Ready for GLSA vote
On the one hand, lots of things fixed. On the other hand, only one stable arch
and the fixed things seem to be of a minor character. I tend to say no, but I'm
out of training and not sure...
File Inclusion Vulnerability and SQL injection are nasties, so this should
probably be rated B2/B1, so I vote yes.
Agree with Koon, file inclusion vulnerability and SQL injection are enough for a
GLSA there will be
1.0.0rc3 addresses this I believe: