From ${URL}: Jakub Galczyk (HauntIT blog http://hauntit.blogspot.com/) discovered an SQL injection vulnerability issue affecting MantisBT >= 1.2.13. admin_config_report.php relied on unsanitized, inlined query parameters, enabling a malicious user to perform an SQL injection attack. The criticality of this issue is compounded by the fact that typically a high-privilege account (i.e. having an access level >= $g_view_configuration_threshold, which is set to ADMINISTRATOR by default) is required to access this page.

Patches: http://www.mantisbt.org/bugs/view.php?id=17055

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
Fixed in version 1.2.17: http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.17

Maintainers, please advise when the ebuild is ready for stabilization.
CVE-2014-2238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2238): SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter.
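The pattern the advisory describes (a request parameter spliced into SQL text versus the same lookup done with a bound, type-checked parameter), as an added illustration that is not MantisBT's code; the table, rows and function names are constructed for the demo and do not reflect MantisBT's real schema.

```python
import sqlite3

# Constructed stand-in for a configuration table (assumption, not MantisBT's schema).
ROWS = [(1, "allow_signup", "0"), (2, "view_configuration_threshold", "90")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE config (id INTEGER, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO config VALUES (?, ?, ?)", ROWS)
    return conn


def filter_config_inlined(conn, filter_config_id):
    # Vulnerable pattern from the advisory: the request value is inlined into the
    # query text, so anything the client sends becomes part of the SQL grammar.
    sql = f"SELECT id, name FROM config WHERE id = {filter_config_id}"
    return conn.execute(sql).fetchall()


def filter_config_parameterized(conn, filter_config_id):
    # Hardened form: validate the expected type, then bind the value as a parameter
    # so the database driver never interprets it as SQL.
    if not str(filter_config_id).isdigit():
        raise ValueError("filter_config_id must be a non-negative integer")
    sql = "SELECT id, name FROM config WHERE id = ?"
    return conn.execute(sql, (int(filter_config_id),)).fetchall()


def is_rejected(conn, filter_config_id):
    # True when the hardened lookup refuses the value before touching the database.
    try:
        filter_config_parameterized(conn, filter_config_id)
    except ValueError:
        return True
    return False


def demo():
    conn = make_db()
    benign = "1"
    # Constructed tautology: it widens the WHERE clause to match every row when inlined.
    hostile = "1 OR 1=1"
    return {
        "inlined_benign": filter_config_inlined(conn, benign),
        "inlined_hostile": filter_config_inlined(conn, hostile),
        "param_benign": filter_config_parameterized(conn, benign),
        "param_hostile_rejected": is_rejected(conn, hostile),
    }
```

Running demo() shows the inlined query returning every row for the hostile value, while the parameterized version returns only the requested id and rejects the non-numeric input outright.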
I have been using 1.2.17 for ages now; it is needed for some plugins I am using to work. So I don't know why this isn't stabilized yet.
Version 1.2.17 was released upstream (released 2014-03-03), which is a year ago. Maintainers, can we please create an ebuild so we can remove the vulnerability?
Setting dependency on the latest version: 1.2.19, which is the latest version, released 2015-01-24.
Multiple vulnerabilities spread across 9 different bugs. No movement from maintainers in over a year.
Package removed