Your message dated Mon, 05 Sep 2011 19:17:58 +0000
with message-id <e1r0ega-0004ee...@franck.debian.org>
and subject line Bug#640297: fixed in mantis 1.2.7-1
has caused the Debian Bug report #640297,
regarding MantisBT <1.2.8 multiple vulnerabilities (LFI/XSS/remote arbitrary 
code execution)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
640297: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mantis
Version: 1.2.6-1
Severity: critical
Tags: security patch upstream fixed-upstream

Hi Sils and others,

Thank you for the quick response to bug #638321 (search.php multiple XSS
vulnerabilities in <mantisbt-1.2.7). Unfortunately a number of other
vulnerabilities have been discovered which will work against all 1.2.x
releases of MantisBT:

1) XSS injection via PHP_SELF
2) LFI and XSS via bug_actiongroup_ext_page.php
3) XSS issues with unescaped os, os_build and platform parameters on
bug_report_page.php and bug_update_advanced_page.php

Details of these vulnerabilities are provided at [1], [2] and [3]. CVE
requests have been submitted to the oss-security mailing list as per
[1].

The LFI vulnerability in bug_actiongroup_ext_page.php has the potential
to allow malicious users to upload arbitrary PHP scripts via MantisBT
bug attachments and then execute these malicious scripts. See
oss-secur...@lists.openwall.com and mantisbt-...@lists.sourceforge.net
discussion threads for further information. Users would first need to
change the file upload method from storing attachments in the database
to storing them on the disk in order to be vulnerable to this extended
remote arbitrary code execution attack. However, if the same web server
uid/gid is used across multiple web applications, attachments stored on
the disk from another web application could be executed.

The minimum required patches to resolve these issues are available at
[4], [5], [6] and [7] and should apply cleanly to MantisBT 1.2.7
(probably 1.2.6 as well). The LFI patches ([4] and [5]) are a bit larger
than hoped for in a security fix. They do, however, aim to resolve the
issue in the most robust and future-proofed way possible.

Please advise if assistance is required in preparing alternative patches
for earlier versions of MantisBT. I'm able to help with resolving merge
conflicts, providing simpler bandaid patches, etc.

Thanks,

David Hicks
MantisBT Developer

[1] http://www.openwall.com/lists/oss-security/2011/09/04/1
[2] http://www.mantisbt.org/bugs/view.php?id=13191
[3] http://www.mantisbt.org/bugs/view.php?id=13281
[4] https://github.com/mantisbt/mantisbt/commit/5b93161f3ece2f73410c296fed8522f6475d273d
[5] https://github.com/mantisbt/mantisbt/commit/6ede60d3db9e202044f135001589cce941ff6f0f
[6] https://github.com/mantisbt/mantisbt/commit/d00745f5e267eba4ca34286d125de685bc3a8034
[7] https://github.com/mantisbt/mantisbt/commit/0a636b37d3425aea7b781e7f25eaeb164ac54a3d

--- End Message ---
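The report above names the affected scripts (bug_actiongroup_ext_page.php, bug_report_page.php, bug_update_advanced_page.php) and the unescaped parameters (os, os_build, platform). As an added example, not part of the report or of MantisBT, the following detection logic runs over web-server access logs and flags requests that probe for either issue class. The log lines are constructed samples, and the traversal heuristic inspects every query value of bug_actiongroup_ext_page.php because the report does not name the vulnerable parameter (an assumption made here).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined style, RFC 5737 addresses).
# Lines 2 and 3 carry canonical probe strings for the two issue classes in the
# report; lines 1 and 4 are ordinary MantisBT traffic and must not be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Sep/2011:10:00:01 +0000] "GET /mantis/view.php?id=42 HTTP/1.1" 200 5120
192.0.2.11 - - [05/Sep/2011:10:00:02 +0000] "GET /mantis/bug_actiongroup_ext_page.php?action=../../uploads/a.php%00 HTTP/1.1" 200 300
192.0.2.12 - - [05/Sep/2011:10:00:03 +0000] "POST /mantis/bug_report_page.php?os=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900
192.0.2.13 - - [05/Sep/2011:10:00:04 +0000] "GET /mantis/bug_actiongroup_ext_page.php?action=CLOSE HTTP/1.1" 200 4000
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')

# Pages and parameters named in the report above.
LFI_PAGE = "bug_actiongroup_ext_page.php"
XSS_PAGES = {"bug_report_page.php", "bug_update_advanced_page.php"}
XSS_PARAMS = ("os", "os_build", "platform")
# Heuristics: "../" traversal or an embedded NUL (parse_qs percent-decodes, so
# "%00" arrives as "\x00"); an HTML tag opener, javascript: URL or on*= handler.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|\x00')
MARKUP_RE = re.compile(r'<\s*/?[a-z]|javascript:|\bon\w+\s*=', re.I)


def classify_request(url):
    """Return finding tags for one request URL, [] when nothing looks suspicious."""
    parts = urlsplit(url)
    page = parts.path.rsplit("/", 1)[-1]
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if page == LFI_PAGE:
        # Parameter name is not given in the report (assumption): check every value.
        for name, values in params.items():
            if any(TRAVERSAL_RE.search(v) for v in values):
                findings.append(f"lfi-traversal:{name}")
    if page in XSS_PAGES:
        for name in XSS_PARAMS:
            if any(MARKUP_RE.search(v) for v in params.get(name, [])):
                findings.append(f"xss-markup:{name}")
    return findings


def scan_log(text):
    """Return (client_ip, page, tags) for every log line that trips a heuristic."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        tags = classify_request(m["url"])
        if tags:
            hits.append((m["ip"], urlsplit(m["url"]).path.rsplit("/", 1)[-1], tags))
    return hits
```

Matches on a 1.2.x instance that still stores attachments on disk deserve a look at the upload directory for files with executable extensions, since that is the precondition the report gives for the code-execution variant.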
--- Begin Message ---
Source: mantis
Source-Version: 1.2.7-1

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.2.7-1.debian.tar.gz
  to main/m/mantis/mantis_1.2.7-1.debian.tar.gz
mantis_1.2.7-1.dsc
  to main/m/mantis/mantis_1.2.7-1.dsc
mantis_1.2.7-1_all.deb
  to main/m/mantis/mantis_1.2.7-1_all.deb
mantis_1.2.7.orig.tar.gz
  to main/m/mantis/mantis_1.2.7.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 640...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Silvia Alvarez <s...@powered-by-linux.com> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Mon, 05 Sep 2011 20:41:13 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.2.7-1
Distribution: unstable
Urgency: high
Maintainer: Silvia Alvarez <s...@powered-by-linux.com>
Changed-By: Silvia Alvarez <s...@powered-by-linux.com>
Description: 
 mantis     - web-based bug tracking system
Closes: 640061 640297
Changes: 
 mantis (1.2.7-1) unstable; urgency=high
 .
   * Security Upstream Release (1.2.7)
   * Urgency high: Fixes critical LFI/XSS vulnerabilities
   * debian/NEWS: updated
   * debian/README.Debian: updated
   * debian/doc/README.LDAP: updated
   * debian/po debconf translations:
     + Added Swedish translation, thanks to
        Martin Bagge (Closes: #640061)
     + Fixed Language Field: sv
   * debian/patches:
     + dropped:
       000-fix-security-bug-bts-638321-filterapi-multiple-XSS.diff
       Bug fixed in new upstream release.
     + updated:
       000-cleanup-gitignore-file-from-orignal-tarball.diff
     + added: Multiple vulnerabilities (LFI/XSS/Projax/PHPSELF)
      Thanks to David Hicks, MantisBT developer. (Closes: #640297)
      000-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff
      000-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff
      000-Fix-640297-LFI-XSS-injection-via-PHPSELF.diff
      000-Fix-640297-Projax-XSS-injection.diff

--- End Message ---