Mantis does not set the secure flag for the session cookie in an
https session, which can cause the cookie to be sent in http requests
and make it easier for remote attackers to capture this cookie.
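As an added illustration of the flaw described above (this is not code from Mantis or from the bug report), the check below parses `Set-Cookie` headers and reports a session cookie that is missing the `Secure` attribute (and, as a related hardening point, `HttpOnly`), then models the browser rule that makes the omission matter: a cookie without `Secure` is attached to plain-http requests to the same host. The cookie name `SESSION_ID` and the header values are constructed sample input, not Mantis's real cookie.

```python
"""Audit Set-Cookie headers for the Secure flag and show why its absence matters.

Added example; the cookie name and header strings below are constructed.
"""
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    Valueless attributes such as 'secure' and 'HttpOnly' are stored as True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def would_send(cookie: dict, url: str) -> bool:
    """Browser rule: a Secure cookie is only attached to https requests;
    a cookie without the flag is sent on http too, where it can be sniffed."""
    scheme = urlparse(url).scheme.lower()
    if cookie["attrs"].get("secure") and scheme != "https":
        return False
    return True


def audit(headers: list, served_over_https: bool = True) -> list:
    """Return a list of findings for cookies set by an https application."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if served_over_https and not cookie["attrs"].get("secure"):
            findings.append(
                f"{cookie['name']}: missing Secure; browser will also send it over http"
            )
        if not cookie["attrs"].get("httponly"):
            findings.append(f"{cookie['name']}: missing HttpOnly; readable by page scripts")
    return findings


# Constructed sample headers: the weak form and the corrected form.
WEAK_HEADER = "SESSION_ID=abc123; path=/"
FIXED_HEADER = "SESSION_ID=abc123; path=/; secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER)):
        cookie = parse_set_cookie(header)
        print(label, audit([header]))
        print("  sent to http://example.com/ ?", would_send(cookie, "http://example.com/"))
```

Running the script shows the weak header producing two findings and being attached to the http URL, while the corrected header produces none and is withheld from plain-http requests.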
mantisbt-1.1.2-r1 should fix this issue. But please wait until Monday (29.09) to ask for stabilization. It's possible that upstream will roll out a new release that we'd better stabilize instead...
Eh, I forgot to commit it to the tree, but now I did that. Taking into account how long it sometimes takes upstream to release a new version, let's stabilize this one. Arch teams, please do it.
www-apps/mantisbt-1.1.2-r1: amd64 ppc x86
amd64/x86 stable, all arches done.
Ready for vote, I vote YES.
Should be GLSAed together with bug 222649 and bug 241940.
GLSA request still to be filed.