Launchpad has imported 6 comments from the remote bug at https://bugs.gentoo.org/show_bug.cgi?id=420375.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2012-06-09T09:15:18+00:00 David Hicks wrote:

MantisBT 1.2.11 is a security update for the stable 1.2.x branch. CVE requests for 2 issues have been sent to oss-[email protected] as follows:

CVE REQUEST #1

Title: Reporters can edit arbitrary bugnotes via SOAP API
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11
Description: Roland Becker and Damien Regad (MantisBT developers) found that any user able to report issues via the SOAP interface could also modify any bugnotes (comments) created by other users. In a default/typical MantisBT installation, the SOAP API is enabled and any user can sign up to report new issues. This vulnerability therefore impacts upon many public-facing MantisBT installations.
References: [1] http://www.mantisbt.org/bugs/view.php?id=14340

CVE REQUEST #2

Title: delete_attachments_threshold not checked on attachment deletion
Affected: MantisBT 1.2.10 and earlier versions
Not affected: MantisBT 1.2.11
Description: Roland Becker (MantisBT developer) found that the delete_attachments_threshold permission was not being checked when a user attempted to delete an attachment from an issue. The more generic update_bug_threshold permission was being checked instead. MantisBT administrators may have been under the false impression that their configuration of the delete_attachments_threshold was successfully preventing unwanted users from deleting attachments.
References: [1] http://www.mantisbt.org/bugs/view.php?id=14016

Reproducible: Always

Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/0

------------------------------------------------------------------------
On 2012-06-09T15:19:44+00:00 J-ago wrote:

Thanks for the report David.

Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/1

------------------------------------------------------------------------
On 2012-06-12T08:49:10+00:00 David Hicks wrote:

CVE numbers were assigned as follows:

CVE-2012-2691: Reporters can edit arbitrary bugnotes via SOAP API (#14340)
CVE-2012-2692: delete_attachments_threshold not checked on attachment deletion (#14016)

Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/3

------------------------------------------------------------------------
On 2012-06-27T23:15:56+00:00 Glsamaker wrote:

CVE-2012-2692 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2692):
MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass intended access restrictions and delete arbitrary attachments.

CVE-2012-2691 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2691):
The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request.

Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/5

------------------------------------------------------------------------
On 2012-06-28T11:11:51+00:00 J-ago wrote:

*** Bug 423957 has been marked as a duplicate of this bug. ***

Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/6

------------------------------------------------------------------------
On 2012-09-20T00:23:53+00:00 Ackle wrote:

Peter, David, web-apps: may we stabilize 1.2.11?

Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/7

** Changed in: gentoo
   Importance: Unknown => Low

** Bug watch added: Mantis Bug Tracker #14340
   http://www.mantisbt.org/bugs/view.php?id=14340

** Bug watch added: Mantis Bug Tracker #14016
   http://www.mantisbt.org/bugs/view.php?id=14016

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1011823

Title:
  mantisbt : multiple vulnerabilities

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
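The two defects in this thread are both authorization mistakes: CVE-2012-2692 consulted a generic permission (update_bug_threshold) where the action-specific one (delete_attachments_threshold) was configured, and CVE-2012-2691 let anyone with reporting privileges update a bugnote without considering who wrote it or what the note-editing threshold was. The following Python is an added illustration of both patterns, not MantisBT's code and not part of the thread: the numeric access levels, the threshold default values, the Bugnote record and all function names are assumptions made for the example (only the configuration option names come from the thread). It also shows the check an administrator could use to find which access levels were silently over-permitted by the generic check.

```python
"""Model of the two MantisBT 1.2.11 authorization fixes, as an illustration.

Nothing here is MantisBT code. Access-level numbers, default thresholds and
the data types are constructed for the example; only the option names
(update_bug_threshold, delete_attachments_threshold, ...) are from the thread.
"""
from dataclasses import dataclass

# Ordered numeric access levels in the style MantisBT uses. Values are assumed.
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
LEVELS = [VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR]


@dataclass(frozen=True)
class Config:
    """Threshold settings; the default values are assumptions for this example."""
    report_bug_threshold: int = REPORTER
    update_bug_threshold: int = UPDATER
    delete_attachments_threshold: int = DEVELOPER
    bugnote_user_edit_threshold: int = REPORTER   # may edit your own notes
    update_bugnote_threshold: int = DEVELOPER     # may edit anyone's notes


@dataclass(frozen=True)
class Bugnote:
    note_id: int
    author_id: int


# --- CVE-2012-2692: attachment deletion -------------------------------------

def can_delete_attachment_vulnerable(cfg: Config, user_level: int) -> bool:
    """Pre-1.2.11 behaviour as described in the thread: the generic
    update_bug_threshold decides, so delete_attachments_threshold is ignored."""
    return user_level >= cfg.update_bug_threshold


def can_delete_attachment_fixed(cfg: Config, user_level: int) -> bool:
    """Corrected behaviour: the permission specific to the action decides."""
    return user_level >= cfg.delete_attachments_threshold


def misleading_levels(cfg: Config) -> list:
    """Access levels that the administrator's delete_attachments_threshold was
    meant to exclude but that the generic check let through. An empty list
    means the configuration happened to be safe even on a vulnerable version."""
    return [
        level for level in LEVELS
        if can_delete_attachment_vulnerable(cfg, level)
        and not can_delete_attachment_fixed(cfg, level)
    ]


# --- CVE-2012-2691: bugnote update over the SOAP API ------------------------

def can_update_bugnote_vulnerable(cfg: Config, user_level: int,
                                  user_id: int, note: Bugnote) -> bool:
    """Pre-1.2.11 behaviour as described in the thread: being allowed to report
    issues is treated as being allowed to edit any note. The author is never
    consulted, so user_id and note are ignored here on purpose."""
    return user_level >= cfg.report_bug_threshold


def can_update_bugnote_fixed(cfg: Config, user_level: int,
                             user_id: int, note: Bugnote) -> bool:
    """Corrected behaviour: own notes need bugnote_user_edit_threshold,
    other people's notes need the stricter update_bugnote_threshold."""
    if note.author_id == user_id:
        return user_level >= cfg.bugnote_user_edit_threshold
    return user_level >= cfg.update_bugnote_threshold


if __name__ == "__main__":
    cfg = Config()
    print("levels over-permitted for attachment deletion:", misleading_levels(cfg))
    other_users_note = Bugnote(note_id=1, author_id=7)
    for name, check in (("vulnerable", can_update_bugnote_vulnerable),
                        ("fixed", can_update_bugnote_fixed)):
        print(f"reporter 99 editing user 7's note ({name}):",
              check(cfg, REPORTER, 99, other_users_note))
```

With the assumed defaults, `misleading_levels(Config())` reports UPDATER: those users were allowed to delete attachments although the administrator had set the threshold to DEVELOPER, which is exactly the "false impression" the first comment describes. Setting `delete_attachments_threshold` no higher than `update_bug_threshold` makes the list empty, which is why some installations were unaffected in practice. The bugnote functions show the second fix: the corrected check needs both an identity comparison (is this my note?) and the appropriate threshold, whereas the vulnerable one reduces to "may report, therefore may edit".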
