As per the email: Mantis 0.19.3 is a maintenance release that mainly contains security fixes. All 0.19.x users are advised to upgrade to this version.

- 0006331: [security] Port #5247 to 0.19.3: Real email addresses are visible when using reminders (vboctor)
- 0006332: [security] Port #5751 to 0.19.3: Javascript XSS vulnerability (vboctor)
- 0006333: [security] Port #5959 to 0.19.3: Cross Site Scripting Vulnerability in the mantis/view_all_set.php Script (vboctor)
- 0006335: [security] Port #6273 to 0.19.3: File Inclusion Vulnerability (vboctor)
- 0006336: [security] Port #6275 to 0.19.3: SQL injection (vboctor)
- 0006334: [security] Port #6097 to 0.19.3: user ID is cached indefinitely (vboctor)
- 0006330: [bugtracker] System warning in login_page.php when no new installation (vboctor)

Note that we still apply _one_ of the Debian patches for their bug 5956 that doesn't seem to be fixed. Patched 0.19.3 will be in CVS shortly.
In CVS
Thanks Renat. ppc, please test and mark 0.19.3 stable.
Stable on ppc.
Ready for GLSA vote
On the one hand, lots of things fixed. On the other hand, only one stable arch, and the fixed things seem to be of a minor character. I tend to say no, but I'm out of training and not sure...
File Inclusion Vulnerability and SQL injection are nasties, so this should probably be rated B2/B1, so I vote yes.
Agree with Koon, file inclusion vulnerability and SQL injection are enough for a GLSA.
GLSA there will be
GLSA 200510-24
1.0.0rc3 addresses this I believe: http://sourceforge.net/project/shownotes.php?release_id=366796&group_id=14963