Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 238570 (CVE-2008-3102) - www-apps/mantisbt <1.1.2-r1 Insecure cookie session hijacking (CVE-2008-3102)
Summary: www-apps/mantisbt <1.1.2-r1 Insecure cookie session hijacking (CVE-2008-3102)
Alias: CVE-2008-3102
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2008-09-24 15:13 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-02 17:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-24 15:13:58 UTC
CVE-2008-3102 (
  Mantis does not set the secure flag for the session cookie in an
  https session, which can cause the cookie to be sent in http requests
  and make it easier for remote attackers to capture this cookie.
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2008-09-25 12:33:34 UTC
mantisbt-1.1.2-r1 should fix this issue. But please wait until monday (29.09) to ask for stabilization. It's possible that upstream will roll out new release that we'll better stabilize it...
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2008-09-29 07:25:10 UTC
Eh, I forgot to commit it to the tree, but now I did that. Taking into account how long it sometime takes upstream to release new version, lest stabilize this one. Arch teams, please, do it.

Target keywords:
www-apps/mantisbt-1.1.2-r1: amd ppc x6
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-01 17:52:26 UTC
ppc stable
Comment 4 Markus Meier gentoo-dev 2008-10-01 20:50:45 UTC
amd64/x86 stable, all arches done.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-01 21:19:31 UTC
Ready for vote, I vote YES.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-15 18:15:08 UTC
Should be GLSAed together with bug 222649 and bug 241940.
GLSA request still to be filed.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 19:41:02 UTC
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:56:02 UTC
GLSA 200812-07