MantisBT 1.2.11 is a security update for the stable 1.2.x branch. CVE requests for 2 issues have been sent to oss-security@lists.openwall.com as follows:

CVE REQUEST #1
Title: Reporters can edit arbitrary bugnotes via SOAP API
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11
Description: Roland Becker and Damien Regad (MantisBT developers) found that any user able to report issues via the SOAP interface could also modify any bugnotes (comments) created by other users. In a default/typical MantisBT installation, SOAP API is enabled and any user can sign up to report new issues. This vulnerability therefore impacts upon many public facing MantisBT installations.
References:
[1] http://www.mantisbt.org/bugs/view.php?id=14340

CVE REQUEST #2
Title: delete_attachments_threshold not checked on attachment deletion
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11
Description: Roland Becker (MantisBT developer) found that the delete_attachments_threshold permission was not being checked when a user attempted to delete an attachment from an issue. The more generic update_bug_threshold permission was being checked instead. MantisBT administrators may have been under the false impression that their configuration of the delete_attachments_threshold was successfully preventing unwanted users from deleting attachments.
References:
[1] http://www.mantisbt.org/bugs/view.php?id=14016

Reproducible: Always
Thanks for the report David.
CVE numbers were assigned as follows:
CVE-2012-2691: Reporters can edit arbitrary bugnotes via SOAP API (#14340)
CVE-2012-2692: delete_attachments_threshold not checked on attachment deletion (#14016)
CVE-2012-2692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2692): MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.

CVE-2012-2691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2691): The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.
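The two permission checks described in the advisory above (CVE-2012-2691 and CVE-2012-2692), modelled as an added example that is not MantisBT's own code: access-level values follow MantisBT's conventions, while the config values, user ids and bugnote record are constructed, and the "report_bug_threshold" and "update_bugnote_threshold" names are assumed.

```python
# Added example, not MantisBT's own code: a model of MantisBT-style threshold
# permissions showing the two checks that 1.2.11 corrected. The config values,
# user ids and bugnote record are constructed; "report_bug_threshold" and
# "update_bugnote_threshold" are assumed names for the relevant permissions.
REPORTER, DEVELOPER = 25, 55  # MantisBT access levels (VIEWER=10 ... MANAGER=70)

CONFIG = {
    "report_bug_threshold": REPORTER,
    "update_bug_threshold": REPORTER,           # anyone who can report may update
    "delete_attachments_threshold": DEVELOPER,  # admin intends: developers only
    "update_bugnote_threshold": DEVELOPER,      # editing notes you did not write
}

class AccessDenied(Exception): pass

def ensure_level(user_level, threshold_name, config=CONFIG):
    """Raise unless the user's access level meets the named threshold."""
    if user_level < config[threshold_name]:
        raise AccessDenied(threshold_name)

def delete_attachment_vulnerable(user_level):
    """Pre-1.2.11 (CVE-2012-2692): the generic update permission is checked,
    so the delete_attachments_threshold setting is silently ignored."""
    ensure_level(user_level, "update_bug_threshold")
    return True

def delete_attachment_fixed(user_level):
    """1.2.11: the specific attachment-deletion threshold is enforced."""
    ensure_level(user_level, "delete_attachments_threshold")
    return True

def update_bugnote_vulnerable(user_id, user_level, note):
    """Pre-1.2.11 SOAP mc_issue_note_update (CVE-2012-2691): only the right to
    report is checked; the note's author is never compared to the caller."""
    ensure_level(user_level, "report_bug_threshold")
    return True

def update_bugnote_fixed(user_id, user_level, note):
    """Corrected check as modelled here: own notes are editable, others' need
    update_bugnote_threshold."""
    if note["reporter_id"] != user_id:
        ensure_level(user_level, "update_bugnote_threshold")
    return True

def allowed(check, *args):
    """Turn AccessDenied into False so outcomes can be compared side by side."""
    try:
        return check(*args)
    except AccessDenied:
        return False
```

With the constructed config, a plain reporter can delete attachments and rewrite another user's note through the vulnerable checks but not through the corrected ones, which is exactly the gap administrators relying on delete_attachments_threshold did not see.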
*** Bug 423957 has been marked as a duplicate of this bug. ***
Peter, David, web-apps: may we stabilize 1.2.11?
(In reply to comment #5)
> Peter, David, web-apps: may we stabilize 1.2.11?

ping?
From a MantisBT developer point-of-view I don't see any reason for holding back on stabilisation. We're fairly strict about what goes into minor version bumps (security and small bug fixes).
Arches, please test and mark stable =www-apps/mantisbt-1.2.11
amd64 stable
x86 stable, last arch!
Thanks, everyone. Already on an existing GLSA request.
This issue was resolved and addressed in GLSA 201211-01 at http://security.gentoo.org/glsa/glsa-201211-01.xml by GLSA coordinator Tobias Heinlein (keytoaster).