Bug#345288: mantis: Plethora of vulnerabilities
On Fri, January 6, 2006 06:48, Igor Genibel wrote:
> Please read the bugs filed against wnpp concerning mantis. It is already
> adopted and uploaded.

Good to hear that. Especially with those vulnerabilities it's good when
there's an active maintainer.

BTW, are you considering moving the database handling of the package to
dbconfig-common?

bye,
Thijs

Bug#345288: mantis: Plethora of vulnerabilities
* Igor Genibel [EMAIL PROTECTED] [2006-01-04 14:40:19 +0100]:
> * Moritz Muehlenhoff [EMAIL PROTECTED] [2005-12-30 05:02:37 +0100]:
> > Package: mantis
> > Severity: grave
> > Tags: security
> > Justification: user security hole
>
> Hi all,
>
> I'm just taking over this package. I'm currently working on a new upload.
> Please, be a little bit more patient :)

Please read the bugs filed against wnpp concerning mantis. It is already
adopted and uploaded.

--
Igor Genibel
«Non bene pro toto libertas venditur auro»
Freedom is not sold for all the gold in the world.
Dubrovnik motto

Bug#345288: mantis: Plethora of vulnerabilities
* Moritz Muehlenhoff [EMAIL PROTECTED] [2005-12-30 05:02:37 +0100]:
> Package: mantis
> Severity: grave
> Tags: security
> Justification: user security hole

Hi all,

I'm just taking over this package. I'm currently working on a new upload.
Please, be a little bit more patient :)

--
Igor Genibel
«Non bene pro toto libertas venditur auro»
Freedom is not sold for all the gold in the world.
Dubrovnik motto

Bug#345288: mantis: Plethora of vulnerabilities
Hilko Bengen wrote:
> Thijs Kinkhorst [EMAIL PROTECTED] writes:
> > If/when I'll upload to unstable I'll orphan the package, unless Hilko
> > wants to keep on maintaining it for now.
>
> Have said vulnerabilities been fixed in 0.19.4? If yes, I suppose I could
> do a quick upload for unstable.

It's hard to tell because all the bugs that relate to the security problems
are still private. However, the descriptions seem to match, so I assume
they're all fixed in 0.19.4.

Cheers,
Moritz

Bug#345288: mantis: Plethora of vulnerabilities
Moritz Muehlenhoff [EMAIL PROTECTED] writes:
> Hilko Bengen wrote:
> > Thijs Kinkhorst [EMAIL PROTECTED] writes:
> > > If/when I'll upload to unstable I'll orphan the package, unless Hilko
> > > wants to keep on maintaining it for now.
> >
> > Have said vulnerabilities been fixed in 0.19.4? If yes, I suppose I
> > could do a quick upload for unstable.
>
> It's hard to tell because all the bugs that relate to the security
> problems are still private.

Security by obscurity, again. Just great.

> However, the descriptions seem to match, so I assume they're all fixed in
> 0.19.4.

The CVS repository is still public, one can probably have a look at the
diffs between 0.19.3 and 0.19.4.

Cheers,
-Hilko

Bug#345288: mantis: Plethora of vulnerabilities
On Fri, 2005-12-30 at 05:02 +0100, Moritz Muehlenhoff wrote:
> Lots of vulnerabilities have yet again been found in Mantis:

Since I've taken care of the previous round of vulnerabilities, I'll take a
look to see what I can do here, but provide no guarantees at this point.

> [Hilko, in another bug you said you're no longer interested in this piece
> of code. If this is still true, please orphan it]

If/when I'll upload to unstable I'll orphan the package, unless Hilko wants
to keep on maintaining it for now.

Thijs

Bug#345288: mantis: Plethora of vulnerabilities
Thijs Kinkhorst [EMAIL PROTECTED] writes:
> If/when I'll upload to unstable I'll orphan the package, unless Hilko
> wants to keep on maintaining it for now.

Have said vulnerabilities been fixed in 0.19.4? If yes, I suppose I could
do a quick upload for unstable.

No, I do not want to keep maintaining Mantis.

Cheers,
-Hilko

Bug#345288: mantis: Plethora of vulnerabilities
Package: mantis
Severity: grave
Tags: security
Justification: user security hole

Lots of vulnerabilities have yet again been found in Mantis:

CVE-2005-4524: Notes on private bugs may be leaked.
CVE-2005-4523: Private bugs may be leaked through RSS feeds.
CVE-2005-4522: XSS in view_filters_page.php.
CVE-2005-4521: Two CRLF injection vulnerabilities.
CVE-2005-4520: Unspecified port injection.
CVE-2005-4519: Multiple SQL injection vulnerabilities.
CVE-2005-4518: Bypass of file upload restrictions.
CVE-2005-4238: XSS in view_filters_page.php.

See here for more information:
http://www.trapkit.de/advisories/TKADV2005-11-002.txt
http://sourceforge.net/project/shownotes.php?release_id=377932&group_id=14963
http://sourceforge.net/project/shownotes.php?release_id=377934&group_id=14963

[Hilko, in another bug you said you're no longer interested in this piece
of code. If this is still true, please orphan it]

Cheers,
Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)