Package: mantis Severity: grave Tags: security Justification: user security hole
mantis 1.0.0-rc2 fixed these security problems, that seem to be missing in the latest DSA upload that fixed several others: - 0006097: [security] user ID is cached indefinately (thraxisp) - 0006189: [security] List of users (in filter) visible for unauthorized users. (thraxisp) Besides that there was a CVE assignment (CAN-2005-3091) for a Cross-Site-Scripting vulnerability that refers the Mantis bug 5751, for which I can't find a referenced fix in the 0.19.2-4 changelog as well. Cheers, Moritz -- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.14-rc1 Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]