Bug 238570 (CVE-2008-3102) - www-apps/mantisbt <1.1.2-r1 Insecure cookie session hijacking (CVE-2008-3102)
Summary: www-apps/mantisbt <1.1.2-r1 Insecure cookie session hijacking (CVE-2008-3102)
Status: RESOLVED FIXED
Alias: CVE-2008-3102
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://int21.de/cve/CVE-2008-3102-man...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-24 15:13 UTC by Robert Buchholz (RETIRED)
Modified: 2008-12-02 17:56 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-24 15:13:58 UTC
CVE-2008-3102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3102):
  Mantis does not set the secure flag for the session cookie in an
  https session, which can cause the cookie to be sent in http requests
  and make it easier for remote attackers to capture this cookie.
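The defect described above is a missing attribute on a Set-Cookie header: without `Secure`, a browser that received the session cookie over HTTPS will also attach it to any plain http:// request for the same host, so a passive observer on the path can read it. The following is an added check, not MantisBT code and not part of this bug report: it parses Set-Cookie headers and reports session cookies that lack the flag. The sample headers and the session cookie name `PHPSESSID` are constructed for the example (the page does not name the cookie); the optional live fetch assumes the login page is reachable at `/` over HTTPS.

```python
"""Report session cookies issued without the Secure attribute.

Added example for the CVE-2008-3102 class of defect; not code from
MantisBT or from this bug report.
"""
import http.client
import ssl
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Union

# Constructed sample headers (not captured from a real server).
# First set: the defect this bug describes, a session cookie over HTTPS
# with no Secure flag.  Second set: the same cookie in its fixed form.
SAMPLE_VULNERABLE = [
    "PHPSESSID=3f1b9c; path=/",
    "theme=dark; path=/; Max-Age=31536000",
]
SAMPLE_FIXED = [
    "PHPSESSID=3f1b9c; path=/; Secure; HttpOnly",
    "theme=dark; path=/; Max-Age=31536000",
]

# Assumed session cookie name for the example; MantisBT's real name is
# not given on this page, so adjust this set for a live check.
SESSION_COOKIE_NAMES = {"phpsessid"}


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names lower-cased; flag attributes (Secure, HttpOnly) map to True.
    attrs: Dict[str, Union[str, bool]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into name, value and attributes.

    Attribute names are matched case-insensitively, as RFC 6265 requires;
    a value given to Secure (e.g. "Secure=1") is ignored and the flag
    still counts as present.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return Cookie(name.strip(), value.strip(), attrs)


def insecure_session_cookies(headers: Iterable[str],
                             session_names: Iterable[str] = SESSION_COOKIE_NAMES) -> List[str]:
    """Return the names of session cookies that were set without Secure."""
    wanted = {n.lower() for n in session_names}
    return [
        c.name
        for c in map(parse_set_cookie, headers)
        if c.name.lower() in wanted and "secure" not in c.attrs
    ]


def fetch_set_cookie_headers(host: str, path: str = "/") -> List[str]:
    """Live check (network): GET path over HTTPS and return all Set-Cookie headers."""
    conn = http.client.HTTPSConnection(host, context=ssl.create_default_context(), timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "cookie-flag-check"})
        return conn.getresponse().headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        missing = insecure_session_cookies(sample)
        print(f"{label}: session cookies without Secure = {missing or 'none'}")
```

Run against a live host with `insecure_session_cookies(fetch_set_cookie_headers("bugs.example.org", "/"))`, supplying the real session cookie name; an empty list means every listed session cookie carried `Secure`. The check is deliberately limited to the attribute this bug is about; the `HttpOnly` flag in the fixed sample is shown only because it normally accompanies `Secure` on a session cookie.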
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2008-09-25 12:33:34 UTC
mantisbt-1.1.2-r1 should fix this issue. But please wait until Monday (29.09) to ask for stabilization. It's possible that upstream will roll out a new release, which we'd better stabilize instead...
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2008-09-29 07:25:10 UTC
Eh, I forgot to commit it to the tree, but now I did that. Taking into account how long it sometimes takes upstream to release a new version, let's stabilize this one. Arch teams, please do it.

Target keywords:
www-apps/mantisbt-1.1.2-r1: amd64 ppc x86
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-01 17:52:26 UTC
ppc stable
Comment 4 Markus Meier gentoo-dev 2008-10-01 20:50:45 UTC
amd64/x86 stable, all arches done.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-10-01 21:19:31 UTC
Ready for vote, I vote YES.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-15 18:15:08 UTC
Should be GLSAed together with bug 222649 and bug 241940.
GLSA request still to be filed.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 19:41:02 UTC
YES
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-12-02 17:56:02 UTC
GLSA 200812-07