Launchpad has imported 14 comments from the remote bug at
https://bugs.gentoo.org/show_bug.cgi?id=348761.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2010-12-15T03:25:42+00:00 David Hicks wrote:

The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(gj...@zeroscience.mk) of multiple vulnerabilities affecting MantisBT
<1.2.4.

The two following advisories have been released explaining the
vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files
from the file system we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation
however it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

We have released MantisBT 1.2.4 which resolves the issue for users
of our stable 1.2.x branch. We do have a patch for MantisBT 1.1.x available
in the repository as well, however this doesn't apply to Gentoo.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns please feel free to contact me.

Reproducible: Always

Steps to Reproduce:

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/0

------------------------------------------------------------------------
On 2010-12-15T03:29:31+00:00 David Hicks wrote:

Apologies for the oversight, Gentoo does still ship mantisbt-1.1.8.

The patch to apply to this version can be obtained through our repository at:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

Please note that MantisBT 1.1.x is not officially supported by the
MantisBT project and is not recommended for use. We have made a
significant number of security improvements in 1.2.x that aren't
available in 1.1.x (not just bug fixes, but general architecture
changes).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/1

------------------------------------------------------------------------
On 2010-12-15T06:07:10+00:00 Underling wrote:

(In reply to comment #0)
> 
> If there are any questions or concerns please feel free to contact me.
> 

Thank you for the report, David.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/4

------------------------------------------------------------------------
On 2010-12-16T14:08:00+00:00 David Hicks wrote:

CVE-2010-4348: Cross site scripting
CVE-2010-4349: Path disclosure
CVE-2010-4350: Local file inclusion

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/6

------------------------------------------------------------------------
On 2010-12-19T15:58:29+00:00 pva wrote:

Thank you, David. The new version was just added to the tree and I've
dropped the old, vulnerable versions. Arch teams, please stabilize
www-apps/mantisbt-1.2.4.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/7

------------------------------------------------------------------------
On 2010-12-19T16:04:23+00:00 Alex Legler wrote:

Rerating B2.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/8

------------------------------------------------------------------------
On 2010-12-19T20:08:04+00:00 J-ago wrote:

amd64 ok

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/9

------------------------------------------------------------------------
On 2010-12-20T00:39:13+00:00 Hwoarang wrote:

amd64 done. Thanks Agostino

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/10

------------------------------------------------------------------------
On 2010-12-20T07:18:00+00:00 Phajdan-jr wrote:

x86 stable

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/11

------------------------------------------------------------------------
On 2011-01-11T17:35:08+00:00 Xarthisius wrote:

ppc stable, last arch done

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/12

------------------------------------------------------------------------
On 2011-01-11T17:48:00+00:00 Underling wrote:

Thanks, folks. GLSA request filed.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/13

------------------------------------------------------------------------
On 2011-07-10T01:26:12+00:00 Glsamaker wrote:

CVE-2010-4350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4350):
  Directory traversal vulnerability in admin/upgrade_unattended.php in
  MantisBT before 1.2.4 allows remote attackers to include and execute
  arbitrary local files via a .. (dot dot) in the db_type parameter, related
  to an unsafe call by MantisBT to a function in the ADOdb Library for PHP.

CVE-2010-4349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4349):
  admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote
  attackers to obtain sensitive information via an invalid db_type parameter,
  which reveals the installation path in an error message, related to an
  unsafe call by MantisBT to a function in the ADOdb Library for PHP.

CVE-2010-4348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4348):
  Cross-site scripting (XSS) vulnerability in admin/upgrade_unattended.php in
  MantisBT before 1.2.4 allows remote attackers to inject arbitrary web script
  or HTML via the db_type parameter, related to an unsafe call by MantisBT to
  a function in the ADOdb Library for PHP.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/14
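
The three NVD entries above all hinge on the db_type parameter of admin/upgrade_unattended.php. As an added example (not MantisBT's code, and not from any of the commenters), the following scans web-server access logs for requests to that script and labels the three patterns described; the combined log format, the sample lines and the allowlist of ADOdb driver names are assumptions.

```python
"""Added example: flag access-log requests that probe admin/upgrade_unattended.php
(CVE-2010-4348/4349/4350). Not MantisBT code; the log format and allowlist are assumed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Dec/2010:10:01:02 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=mysql HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2010:10:01:09 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 2048 "-" "curl/7.21"
203.0.113.7 - - [15/Dec/2010:10:01:15 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 900 "-" "curl/7.21"
203.0.113.8 - - [15/Dec/2010:10:01:40 +0000] "GET /mantis/admin/upgrade_unattended.php?db_type=nosuchdriver HTTP/1.1" 200 700 "-" "curl/7.21"
203.0.113.9 - - [15/Dec/2010:10:02:00 +0000] "GET /mantis/view.php?id=12607 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Assumed allowlist of ADOdb driver names a MantisBT install would legitimately pass.
KNOWN_DB_TYPES = {"mysql", "mysqli", "pgsql", "mssql", "oci8", "db2"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target):
    """Label one request target, or return None when it does not touch the admin script."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/upgrade_unattended.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("db_type")
    if not values:
        # The script is reachable at all: the admin directory was not removed after install.
        return "admin_script_reachable"
    value = unquote(values[0])  # parse_qs decoded once; decode again to catch double-encoding
    if ".." in value or "\x00" in value:
        return "traversal"          # CVE-2010-4350 pattern: '..' (often with a null byte) in db_type
    if re.search(r'[<>"\']', value):
        return "html_injection"     # CVE-2010-4348 pattern: markup reflected via db_type
    if value not in KNOWN_DB_TYPES:
        return "invalid_db_type"    # CVE-2010-4349 pattern: bogus driver name triggers path disclosure
    return "admin_script_reachable"

def scan_log(text):
    """Return (ip, label, status) for every line that hits the admin upgrade script."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            label = classify_request(m.group("target"))
            if label:
                findings.append((m.group("ip"), label, m.group("status")))
    return findings
```

Any hit at all, even with a valid db_type, means the admin directory David Hicks asks users to remove is still present; a 200 status on a traversal hit is the case to escalate.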

------------------------------------------------------------------------
On 2011-07-10T01:26:26+00:00 Glsamaker wrote:

CVE-2010-3763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3763):
  Cross-site scripting (XSS) vulnerability in core/summary_api.php in MantisBT
  before 1.2.3 allows remote attackers to inject arbitrary web script or HTML
  via the Summary field, a different vector than CVE-2010-3303.

CVE-2010-3303 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3303):
  Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.3
  allow remote authenticated administrators to inject arbitrary web script or
  HTML via (1) a plugin name, related to manage_plugin_uninstall.php; (2) an
  enumeration value or (3) a String value of a custom field, related to
  core/cfdefs/cfdef_standard.php; or a (4) project or (5) category name to
  print_all_bug_page_word.php.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/15

------------------------------------------------------------------------
On 2012-11-08T10:42:53+00:00 Glsamaker wrote:

This issue was resolved and addressed in GLSA 201211-01 at
http://security.gentoo.org/glsa/glsa-201211-01.xml
by GLSA coordinator Tobias Heinlein (keytoaster).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/comments/18


** Changed in: gentoo
       Status: In Progress => Fix Released

** Bug watch added: Mantis Bug Tracker #12607
   http://www.mantisbt.org/bugs/view.php?id=12607

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3303

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3763

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/690482

Title:
  MantisBT <1.2.4 multiple vulnerabilities (LFI, XSS and PD)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/690482/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
