Your message dated Wed, 12 Oct 2016 17:11:18 +0300
with message-id <20161012141118.yeuqmvqqrvemz...@bunk.spdns.de>
and subject line Closing Mantis bugs
has caused the Debian Bug report #780875,
regarding mantis: MantisBT <1.2.19 multiple vulnerabilities (Access control
bypass/XSS/SQL injection/etc)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
780875: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780875
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mantis
Version: 1.2.18-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Dear Maintainer,
There is an upstream security update that fixes the following security issues:
* CVE-2014-9571: XSS in install.php
* CVE-2014-9572: Improper Access Control in install.php
* CVE-2014-9573: SQL Injection in manage_user_page.php
* CVE-2014-9624: CAPTCHA bypass
* CVE-2014-9701: XSS vulnerability in permalink_page.php
* CVE-2015-1042: URL redirection issue
Also it fixes some regressions introduced in 1.2.18:
* #17993 prevents new users from signing up on systems using CAPTCHA.
* #17967 which causes a PHP error when reporting issues on systems with
checkbox custom fields.
Especially the former is really annoying if the only choice is keeping people
from signing up or having a lot of spammer accounts.
Changelog is here:
http://mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.19
Thanks for taking care of this issue,
Michael
-- System Information:
Debian Release: 7.8
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages mantis depends on:
ii apache2 2.2.22-13+deb7u4
ii apache2-mpm-prefork [httpd] 2.2.22-13+deb7u4
ii apache2-utils 2.2.22-13+deb7u4
ii debconf [debconf-2.0] 1.5.49
ii libapache2-mod-php5 5.4.38-0+deb7u1
ii libjs-prototype 1.7.0-2
ii libjs-scriptaculous 1.9.0-2
ii libnusoap-php 0.7.3-5
ii libphp-adodb 5.15-1
ii libphp-phpmailer 5.1-1
ii php5-cli 5.4.38-0+deb7u1
ii ucf 3.0025+nmu3
Versions of packages mantis recommends:
ii mysql-client 5.5.41-0+wheezy1
ii mysql-client-5.5 [mysql-client] 5.5.41-0+wheezy1
ii php5-mysql 5.4.38-0+deb7u1
Versions of packages mantis suggests:
ii mysql-server 5.5.41-0+wheezy1
ii php5-cli 5.4.38-0+deb7u1
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Version: 1.2.18-1+deb7u1+rm
Dear submitter,
the package mantis has been removed from the Debian unstable some
time ago, and since mantis is not covered by the LTS security support
for wheezy there is no release where it is still security supported.
I therefore close the open bug reports in mantis.
We are sorry that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/730121
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
--- End Message ---
