Hello. Since our previous version (mantisbt-1.1.2-r1), it seems that small issues were fixed upstream:

------------------------------------------------------------------------
r5594 | nuclear_eclipse | 2008-09-27 18:28:01 +0400 (Сбт, 27 Сен 2008) | 1 line

Fix #9664: PHP session cookies were not destroyed, and session_clean() was never called.
------------------------------------------------------------------------
r5624 | nuclear_eclipse | 2008-10-03 19:21:14 +0400 (Птн, 03 Окт 2008) | 1 line

Fix form security validation to use separate purge() step to work around all the possible error states.
------------------------------------------------------------------------
r5625 | nuclear_eclipse | 2008-10-03 19:22:45 +0400 (Птн, 03 Окт 2008) | 1 line

First step to implementing new form security purge().
------------------------------------------------------------------------
r5626 | nuclear_eclipse | 2008-10-03 19:23:32 +0400 (Птн, 03 Окт 2008) | 1 line

Second step of implementing form security purging.
------------------------------------------------------------------------
r5627 | nuclear_eclipse | 2008-10-03 19:23:41 +0400 (Птн, 03 Окт 2008) | 1 line

Last move to using form security purging.
------------------------------------------------------------------------
r5629 | nuclear_eclipse | 2008-10-03 21:43:16 +0400 (Птн, 03 Окт 2008) | 1 line

Move all form_security_validate() calls before any processing happens.
------------------------------------------------------------------------

For example, a vulnerability that was not reported anywhere was fixed: http://www.mantisbt.org/bugs/view.php?id=9664
Also, it's clear that commits r562* were done to improve security. This new release was already added to the tree and I think it's worth starting stabilization immediately. But what does the security team think?
For me this version is not working... I can't add a new problem to mantisbt. I see on the Mantis webpage: "Sorry everyone: I broke the 1.1.3 build; it's fixed in SVN as of r5668; we'll see where we can go from here."
(In reply to comment #1)
> For me this version is not working... I can't add a new problem to mantisbt.

Thank you for the report, Marek. This should be fixed in mantisbt-1.1.3-r1. BTW, next time please open a new bug report. :)
Just had a quick conversation with pva on IRC. Besides the generic security improvements (which don't have any direct effect or at least it's not easily visible which those would be), the mentioned bug report describes an issue which apparently breaks the logout function. This will lead to information disclosure or unwanted manipulation of data, as another person (at the same machine) could hijack the session after a "successful" logout.

So, arches, please test and stabilize:
=www-apps/mantisbt-1.1.3-r1
Target keywords: amd64 ppc x86
ppc stable
amd64/x86 stable, all arches done.
Ready for vote, I vote YES.
Yes too, request filed.
Name: CVE-2008-4689
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4689
Reference: MLIST:[oss-security] 20081020 Re: CVE request: mantisbt < 1.1.4: RCE
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/20/1
Reference: CONFIRM:http://www.mantisbt.org/bugs/changelog_page.php
Reference: CONFIRM:http://www.mantisbt.org/bugs/file_download.php?file_id=1988&type=bug
Reference: CONFIRM:http://www.mantisbt.org/bugs/view.php?id=9664

Mantis before 1.1.3 does not unset the session cookie during logout, which makes it easier for remote attackers to hijack sessions.
CVE-2008-4689 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4689): Mantis before 1.1.3 does not unset the session cookie during logout, which makes it easier for remote attackers to hijack sessions.
Whoops. Sorry bugspam, check-todo-issues made me do it. :/
GLSA 200812-07
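
The logout behaviour that the CVE-2008-4689 description above says was missing (unsetting the session cookie and destroying the session), sketched in PHP as an added example. It is not MantisBT's code or its actual fix, and the function name logout_and_destroy_session() is hypothetical.

```php
<?php
// Added illustration only; not taken from MantisBT.
// logout_and_destroy_session() is a hypothetical helper name.

/**
 * Ends the current PHP session on both sides: the server-side record and
 * the browser cookie. Returns true if the cookie could be expired, false
 * if headers were already sent (the caller should log that case, since
 * the browser then keeps presenting the old session id).
 */
function logout_and_destroy_session(): bool
{
    // A session must be open before it can be emptied and destroyed.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Drop all session data held for this request.
    $_SESSION = [];

    // 2. Expire the session cookie in the browser. The path, domain and
    //    flags must match the ones it was set with, or the browser will
    //    treat this as a different cookie and keep the old one.
    $cookie_expired = true;
    if (ini_get('session.use_cookies')) {
        if (headers_sent()) {
            $cookie_expired = false;   // too late to send Set-Cookie
        } else {
            $p = session_get_cookie_params();
            setcookie(
                session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']
            );
        }
    }

    // 3. Delete the server-side session record, so a replayed session id
    //    (for example from a shared machine) no longer maps to a
    //    logged-in state.
    session_destroy();

    return $cookie_expired;
}
```

Step 3 is what protects against the shared-machine case raised in this thread: even if the old cookie value is still presented, the server no longer holds any session data for it.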