Your message dated Wed, 12 Oct 2016 17:11:18 +0300
with message-id <>
and subject line Closing Mantis bugs
has caused the Debian Bug report #780875,
regarding mantis: MantisBT <1.2.19 multiple vulnerabilities (Access control 
bypass/XSS/SQL injection/etc)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact

Debian Bug Tracking System
Contact with problems
--- Begin Message ---
Package: mantis
Version: 1.2.18-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole

Dear Maintainer,

There is an upstream security update that fixes the following security issues:
* CVE-2014-9571: XSS in install.php
* CVE-2014-9572: Improper Access Control in install.php
* CVE-2014-9573: SQL Injection in manage_user_page.php
* CVE-2014-9624: CAPTCHA bypass
* CVE-2014-9701: XSS vulnerability in permalink_page.php
* CVE-2015-1042: URL redirection issue

Also it fixes some regressions introduced in 1.2.18:
* #17993 prevents new users from signing up on systems using CAPTCHA.
* #17967 which causes a PHP error when reporting issues on systems with 
checkbox custom fields.

Especially the former is really annoying if the only choice is keeping people 
from signing up or having a lot of spammer accounts.

Changelog is here:

Thanks for taking care of this issue,

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mantis depends on:
ii  apache2                      2.2.22-13+deb7u4
ii  apache2-mpm-prefork [httpd]  2.2.22-13+deb7u4
ii  apache2-utils                2.2.22-13+deb7u4
ii  debconf [debconf-2.0]        1.5.49
ii  libapache2-mod-php5          5.4.38-0+deb7u1
ii  libjs-prototype              1.7.0-2
ii  libjs-scriptaculous          1.9.0-2
ii  libnusoap-php                0.7.3-5
ii  libphp-adodb                 5.15-1
ii  libphp-phpmailer             5.1-1
ii  php5-cli                     5.4.38-0+deb7u1
ii  ucf                          3.0025+nmu3

Versions of packages mantis recommends:
ii  mysql-client                     5.5.41-0+wheezy1
ii  mysql-client-5.5 [mysql-client]  5.5.41-0+wheezy1
ii  php5-mysql                       5.4.38-0+deb7u1

Versions of packages mantis suggests:
ii  mysql-server  5.5.41-0+wheezy1
ii  php5-cli      5.4.38-0+deb7u1

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Version: 1.2.18-1+deb7u1+rm

Dear submitter,

the package mantis was removed from Debian unstable some
time ago, and since mantis is not covered by the LTS security support
for wheezy, there is no release where it is still security supported.

I therefore close the open bug reports in mantis.

We are sorry that we couldn't deal with your issue properly.

For details on the removal, please see



       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

--- End Message ---
