Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 110326 - www-apps/mantisbt: security release
Summary: www-apps/mantisbt: security release
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2? [glsa]
Depends on:
Reported: 2005-10-24 07:41 UTC by Renat Lumpau (RETIRED)
Modified: 2005-11-29 06:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Renat Lumpau (RETIRED) gentoo-dev 2005-10-24 07:41:11 UTC
As per the email:

Mantis 0.19.3 is a maintenance release that mainly contains security fixes.
All 0.19.x users are advised to upgrade to this version.

- 0006331: [security] Port #5247 to 0.19.3: Real email addresses are visible
when using reminders (vboctor)
- 0006332: [security] Port #5751 to 0.19.3: Javascript XSS vulnerability
- 0006333: [security] Port #5959 to 0.19.3: Cross Site Scripting
Vulnerabilty in the mantis/view_all_set.php Script (vboctor)
- 0006335: [security] Port #6273 to 0.19.3: File Inclusion Vulnerability
- 0006336: [security] Port #6275 to 0.19.3: SQL injection (vboctor)
- 0006334: [security] Port #6097 to 0.19.3: user ID is cached indefinitely
- 0006330: [bugtracker] System warning in login_page.php when no new
installation (vboctor)

Note that we still apply _one_ of the Debian patches for their bug 5956 that
doesn't seem to be fixed. Patched 0.19.3 will be in CVS shortly.
Comment 1 Renat Lumpau (RETIRED) gentoo-dev 2005-10-24 07:43:24 UTC
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-24 07:47:37 UTC
Thx Renat.
ppc please test and mark 0.19.3 stable.
Comment 3 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-24 12:55:34 UTC
Stable on ppc.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-24 14:07:57 UTC
Ready for GLSA vote
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-10-24 23:33:10 UTC
On the one hand, lots of things fixed. on the other hand, only one stable arch
and the fixed things seem to be of a minor character. I tend to say no, but i'm
out of training and not sure...
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-10-25 00:56:59 UTC
File Inclusion Vulnerability and SQL injection are nasties, so this should
probably be rated B2/B1, so I vote yes.
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-10-25 06:05:53 UTC
Agree with Koon, file inclusion vulnerability and sql injection is enough for a 
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-10-25 06:14:22 UTC
GLSa there will be
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-10-28 05:17:10 UTC
GLSA 200510-24
Comment 10 Philippe Chaintreuil 2005-11-29 06:27:43 UTC
1.0.0rc3 addresses this I believe: