Your message dated Mon, 05 Sep 2011 19:17:58 +0000
with message-id <e1r0ega-0004ee...@franck.debian.org>
and subject line Bug#640297: fixed in mantis 1.2.7-1
has caused the Debian Bug report #640297,
regarding MantisBT <1.2.8 multiple vulnerabilities (LFI/XSS/remote arbitrary code execution)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
640297: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mantis
Version: 1.2.6-1
Severity: critical
Tags: security patch upstream fixed-upstream

Hi Sils and others,

Thank you for the quick response to bug #638321 (search.php multiple XSS vulnerabilities in <mantisbt-1.2.7). Unfortunately a number of other vulnerabilities have been discovered which will work against all 1.2.x releases of MantisBT:

1) XSS injection via PHP_SELF
2) LFI and XSS via bug_actiongroup_ext_page.php
3) XSS issues with unescaped os, os_build and platform parameters on bug_report_page.php and bug_update_advanced_page.php

Details of these vulnerabilities are provided at [1], [2] and [3]. CVE requests have been submitted to the oss-security mailing list as per [1].

The LFI vulnerability in bug_actiongroup_ext_page.php has the potential to allow malicious users to upload arbitrary PHP scripts via MantisBT bug attachments and then execute these malicious scripts. See oss-secur...@lists.openwall.com and mantisbt-...@lists.sourceforge.net discussion threads for further information. Users would first need to change the file upload method from storing attachments in the database to storing them on the disk in order to be vulnerable to this extended remote arbitrary code execution attack. However, if the same web server uid/gid is used across multiple web applications, attachments stored on the disk from another web application could be executed.

The minimum required patches to resolve these issues are available at [4], [5], [6] and [7] and should apply cleanly to MantisBT 1.2.7 (probably 1.2.6 as well). The LFI patches ([4] and [5]) are a bit larger than hoped for in a security fix. They do however aim to resolve the issue in the most robust and future-proofed way possible.

Please advise if assistance is required in preparing alternative patches for earlier versions of MantisBT. I'm able to help with resolving merge conflicts, providing simpler bandaid patches, etc.
Thanks,
David Hicks
MantisBT Developer

[1] http://www.openwall.com/lists/oss-security/2011/09/04/1
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] http://www.mantisbt.org/bugs/view.php?id=13281
[4] https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d
[5] https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f
[6] https://github.com/mantisbt/mantisbt/commit/d00745f5e267eba4ca34286d125de685bc3a8034
[7] https://github.com/mantisbt/mantisbt/commit/0a636b37d3425aea7b781e7f25eaeb164ac54a3d
--- End Message ---
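The two bug classes named in the report above (reflected XSS from an unescaped PHP_SELF or request parameter, and LFI from an include path built out of a request parameter), each beside the hardened pattern, as an added illustration that is not MantisBT's code or the linked patches; function names, the action allowlist and the include file naming are assumptions made for the example.

```php
<?php
// Illustrative code, not MantisBT's own. Names and file layout are assumed.

// 1) PHP_SELF reflects the request path as received, so echoing it unescaped
//    into an attribute lets the request path inject markup into the page.
function form_action_unsafe(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// Hardened: emit a fixed script name (the request path never reaches the
// page) and still escape for the HTML attribute context.
function form_action_safe(string $script = 'bug_report_page.php'): string {
    return '<form action="' . htmlspecialchars($script, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// The same escaping rule covers echoed request parameters such as the
// os, os_build and platform fields mentioned in the report.
function field_value(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// 2) Composing an include path from a request parameter is the LFI pattern:
//    the requester chooses which file on disk is interpreted as PHP, which is
//    why on-disk attachments under the same web server uid/gid become a risk.
function load_action_unsafe(string $action): void {
    include __DIR__ . '/bug_actiongroup_' . $action . '_inc.php';   // path is caller-controlled
}

// Hardened: map the parameter through a fixed allowlist and refuse anything
// else, so request input is never spliced into a filesystem path.
const ALLOWED_ACTIONS = ['ADD_NOTE' => 'add_note', 'ATTACH_TAGS' => 'attach_tags'];  // assumed set

function load_action_safe(string $action): void {
    if (!array_key_exists($action, ALLOWED_ACTIONS)) {
        trigger_error('unknown bulk action', E_USER_ERROR);
    }
    include __DIR__ . '/bug_actiongroup_' . ALLOWED_ACTIONS[$action] . '_inc.php';
}
```

The allowlist also makes the set of reachable include files auditable, which is the "robust and future-proofed" property the report asks of the LFI fix.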
--- Begin Message ---
Source: mantis
Source-Version: 1.2.7-1

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.2.7-1.debian.tar.gz
  to main/m/mantis/mantis_1.2.7-1.debian.tar.gz
mantis_1.2.7-1.dsc
  to main/m/mantis/mantis_1.2.7-1.dsc
mantis_1.2.7-1_all.deb
  to main/m/mantis/mantis_1.2.7-1_all.deb
mantis_1.2.7.orig.tar.gz
  to main/m/mantis/mantis_1.2.7.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 640...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Silvia Alvarez <s...@powered-by-linux.com> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)

Format: 1.8
Date: Mon, 05 Sep 2011 20:41:13 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.2.7-1
Distribution: unstable
Urgency: high
Maintainer: Silvia Alvarez <s...@powered-by-linux.com>
Changed-By: Silvia Alvarez <s...@powered-by-linux.com>
Description:
 mantis     - web-based bug tracking system
Closes: 640061 640297
Changes:
 mantis (1.2.7-1) unstable; urgency=high
 .
   * Security Upstream Release (1.2.7)
   * Urgency high: Fixes critical LFI/XSS vulnerabilities
   * debian/NEWS: updated
   * debian/README.Debian: updated
   * debian/doc/README.LDAP: updated
   * debian/po debconf translations:
     + Added Swedish translation, thanks to Martin Bagge (Closes: #640061)
     + Fixed Language Field: sv
   * debian/patches:
     + dropped: 000-fix-security-bug-bts-638321-filterapi-multiple-XSS.diff
       Bug fixed in new upstream release.
     + updated: 000-cleanup-gitignore-file-from-orignal-tarball.diff
     + added: Multiple vulnerabilities (LFI/XSS/Projax/PHPSELF)
       Thanks to David Hicks, MantisBT developer. (Closes: #640297)
       000-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff
       000-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff
       000-Fix-640297-LFI-XSS-injection-via-PHPSELF.diff
       000-Fix-640297-Projax-XSS-injection.diff
--- End Message ---