Original vulnerability report by Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group [http://black-hg.org] is available at: http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue: http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by Net.Edit0r is not reproducible (refer to the MantisBT bug report above for reasons why).

A patch for 1.2.6 is available at: https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

MantisBT 1.2.7 is currently being packaged and will be available shortly through usual channels for distributions and standalone users to pick up.

Reproducible: Always
1.2.7 is not out yet, but the vulnerability is fixed in the git repository. @Peter, please choose whether you want to add 1.2.7 directly, or patch 1.2.6.
1.2.7 that fixes this issue is in the tree. Arch teams, please, stabilize.
amd64 ok
ppc keywords dropped
x86 stable. Thanks.
+ 26 Aug 2011; Tony Vroon <chainsaw@gentoo.org> mantisbt-1.2.7.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in + security bug #379739 filed by David Hicks. Arches done, ready for GLSA voting.
Closing noglsa.