Your message dated Mon, 27 Oct 2008 11:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#503588: fixed in mantis 1.1.2+dfsg-9
has caused the Debian Bug report #503588,
regarding mantis: CVE-2008-4689, CVE-2008-4688 multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
503588: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503588
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mantis
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for mantis.

CVE-2008-4689[0]:
| Mantis before 1.1.3 does not unset the session cookie during logout,
| which makes it easier for remote attackers to hijack sessions.

CVE-2008-4688[1]:
| core/string_api.php in Mantis before 1.1.3 does not check the
| privileges of the viewer before composing a link with issue data in
| the source anchor, which allows remote attackers to discover an
| issue's title and status via a request with a modified issue number.

Patch for the first issue:
http://www.mantisbt.org/bugs/file_download.php?file_id=1988&type=bug
Looks like this does not cleanly apply but the version in 
Debian leaks the same logic.
Patch for the second issue:
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/string_api.php?r1=5285&r2=5384&pathrev=5384&diff_format=h

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4689
    http://security-tracker.debian.net/tracker/CVE-2008-4689
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4688
    http://security-tracker.debian.net/tracker/CVE-2008-4688

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
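
The privilege check that CVE-2008-4688 describes as missing, shown as an added example; this is not Mantis code or the upstream patch. The function names, the `view.php?id=` URL and the issue data are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; names and data are hypothetical, not Mantis code.

// Constructed sample data: issue id => title, status, visibility.
$issues = [
    12 => ['title' => 'Typo on login page', 'status' => 'resolved', 'private' => false],
    13 => ['title' => 'Customer X credentials exposed', 'status' => 'assigned', 'private' => true],
];

// Hypothetical access check: non-developers may only see public issues.
function viewer_can_see(array $issues, int $id, bool $viewer_is_developer): bool
{
    if (!isset($issues[$id])) {
        return false;
    }
    return $viewer_is_developer || !$issues[$id]['private'];
}

// Turn "#<id>" references into links. $text is assumed to be HTML-escaped
// already; the lookbehind keeps entities such as &#039; from matching.
// Title and status reach the anchor only after the access check passes, so a
// missing issue and a forbidden issue look identical to the viewer.
function link_issue_refs(string $text, array $issues, bool $viewer_is_developer): string
{
    return preg_replace_callback(
        '/(?<![&\w])#(\d{1,9})\b/',
        function (array $m) use ($issues, $viewer_is_developer): string {
            $id = (int) $m[1];
            if (!viewer_can_see($issues, $id, $viewer_is_developer)) {
                return $m[0]; // no link, no metadata
            }
            $title = htmlspecialchars(
                '[' . $issues[$id]['status'] . '] ' . $issues[$id]['title'],
                ENT_QUOTES,
                'UTF-8'
            );
            return sprintf('<a href="view.php?id=%d" title="%s">#%d</a>', $id, $title, $id);
        },
        $text
    );
}

$note = 'Duplicate of #12, related to #13 and #99.';
echo link_issue_refs($note, $issues, false), "\n"; // only #12 becomes a link
echo link_issue_refs($note, $issues, true), "\n";  // #12 and #13 become links
```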
--- Begin Message ---
Source: mantis
Source-Version: 1.1.2+dfsg-9

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.1.2+dfsg-9.diff.gz
  to pool/main/m/mantis/mantis_1.1.2+dfsg-9.diff.gz
mantis_1.1.2+dfsg-9.dsc
  to pool/main/m/mantis/mantis_1.1.2+dfsg-9.dsc
mantis_1.1.2+dfsg-9_all.deb
  to pool/main/m/mantis/mantis_1.1.2+dfsg-9_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Schoenfeld <[EMAIL PROTECTED]> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 27 Oct 2008 11:53:54 +0100
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.1.2+dfsg-9
Distribution: unstable
Urgency: high
Maintainer: Patrick Schoenfeld <[EMAIL PROTECTED]>
Changed-By: Patrick Schoenfeld <[EMAIL PROTECTED]>
Description: 
 mantis     - web-based bug tracking system
Closes: 503588
Changes: 
 mantis (1.1.2+dfsg-9) unstable; urgency=high
 .
   * Urgency high because it fixes security issues.
   * Fix security vulnerabilities by applying upstream patches:
       + CVE-2008-4689: Mantis does not unset the session cookie
         during the logout.
       + CVE-2008-4688: Mantis does not check the privileges of the viewer
         before composing a link with issue data in the source anchor.
     (Closes: #503588)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkFoiAACgkQbdB4RPTVesq0GwCcC6wg4z+0Owz9LTzImuGH0PMP
6CkAn2vvguWcGSVOGVFy5Q7bYX4fXVL2
=J77O
-----END PGP SIGNATURE-----



--- End Message ---
