From ${URL} :

It was reported [1] that the fix for CVE-2014-1609 for MantisBT is not complete. It was discovered that the patch did not fully address the original problem in the SOAP API. Research demonstrates that using a specially crafted 'project id' parameter when calling mc_project_get_attachments(), an attacker could still perform an SQL injection.

[1]: http://seclists.org/oss-sec/2014/q4/478

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Fixed in: mantisbt - 1.2.18 (Released 2014-12-05)
Setting Dependency on Bug #531896 to stabilize version: 1.2.19
Multiple vulnerabilities spread across 9 different bugs. No movement from maintainers in over a year.
Package removed