*** This bug is a security vulnerability *** Public security bug reported:
Binary package hint: mantis

The MantisBT project was notified by Gjoko Krstic of Zero Science Lab (gj...@zeroscience.mk) of multiple vulnerabilities affecting MantisBT <1.2.4. The two following advisories have been released explaining the vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files from the file system, we are treating this issue with critical severity.

Please note that this issue only affects users who have not removed the "admin" directory from their MantisBT installation. We recommend, instruct and warn users to remove this directory after installation; however, it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

A bug report for this issue already exists in the Debian bug tracking system at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159

As Ubuntu is using MantisBT 1.1.x, you will need to apply the following patch to resolve the issue in this older version of MantisBT:
http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff_plain;h=2641fdc60d2032ae1586338d6416e1eadabd7590

We have also released MantisBT 1.2.4, which resolves the issue for users of our stable 1.2.x branch.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns, please feel free to contact me.
** Affects: mantis (Ubuntu)
   Importance: Undecided
   Status: New

** Affects: mantis (Debian)
   Importance: Unknown
   Status: Unknown

** Affects: mantis (Fedora)
   Importance: Unknown
   Status: Unknown

** Affects: gentoo
   Importance: Unknown
   Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #607159
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159

** Also affects: mantis (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607159
   Importance: Unknown
   Status: Unknown

** Bug watch added: Gentoo Bugzilla #348761
   http://bugs.gentoo.org/show_bug.cgi?id=348761

** Also affects: gentoo via
   http://bugs.gentoo.org/show_bug.cgi?id=348761
   Importance: Unknown
   Status: Unknown

** Bug watch added: Red Hat Bugzilla #663230
   https://bugzilla.redhat.com/show_bug.cgi?id=663230

** Also affects: mantis (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=663230
   Importance: Unknown
   Status: Unknown

https://bugs.launchpad.net/bugs/690482

Title:
  MantisBT <1.2.4 multiple vulnerabilities (LFI, XSS and PD)
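The report's practical point is that exposure hinges on two things an operator can check locally: whether the "admin" directory still exists under the webroot, and whether the installed MantisBT predates 1.2.4 (or 1.1.x without the referenced patch). The POSIX shell script below is an added example written for this notification; it is not code from MantisBT, from the advisory, or from any distribution. It assumes MantisBT records its version as a MANTIS_VERSION define in core/constant_inc.php (verify that against your copy; adjust mantis_version() if the constant lives elsewhere) and it builds a constructed fake install tree for the demo so it runs offline. Removing the admin directory is the mitigation the report itself names; the script performs only that.

```shell
#!/bin/sh
# Added example, not MantisBT project code: audit a MantisBT webroot for the
# condition in the advisory (admin directory present on a pre-1.2.4 install)
# and apply the upstream-recommended mitigation of removing that directory.
#
# Assumption: the version string is defined in core/constant_inc.php as
#   define( 'MANTIS_VERSION', '1.2.3' );

# Print the MANTIS_VERSION string found under webroot $1; print nothing if
# the file is missing or the define is not found. Returns 1 if unreadable.
mantis_version() {
    f="$1/core/constant_inc.php"
    [ -r "$f" ] || return 1
    sed -n "s/.*MANTIS_VERSION['\"][^'\"]*['\"]\([0-9][0-9.]*\)['\"].*/\1/p" "$f" | head -n 1
}

# Return 0 (true) when dotted version $1 sorts strictly before $2,
# comparing numeric components so that 1.2.10 is newer than 1.2.4.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# Classify webroot $1 and print one word:
#   safe           admin directory absent (the state upstream asks for)
#   vulnerable     admin directory present and MANTIS_VERSION < 1.2.4
#   admin-present  admin directory present on 1.2.4 or newer (still remove it)
#   unknown        admin directory present, version could not be determined
# Exit status: 0 safe, 1 vulnerable, 2 needs attention.
audit_mantis() {
    root="$1"
    [ -d "$root/admin" ] || { echo safe; return 0; }
    v="$(mantis_version "$root" || true)"
    [ -n "$v" ] || { echo unknown; return 2; }
    if version_lt "$v" 1.2.4; then echo vulnerable; return 1; fi
    echo admin-present; return 2
}

# Mitigation from the report: remove the admin directory under webroot $1.
remove_admin_dir() {
    if [ -d "$1/admin" ]; then
        rm -rf "$1/admin" && echo "removed $1/admin"
    else
        echo "no admin directory under $1"
    fi
}

# Stand-alone demo on a constructed fake install (1.1.8 with admin/ present).
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/core" "$tmp/admin"
    printf "<?php\ndefine( 'MANTIS_VERSION', '1.1.8' );\n" > "$tmp/core/constant_inc.php"
    echo "before: $(audit_mantis "$tmp")"
    remove_admin_dir "$tmp"
    echo "after:  $(audit_mantis "$tmp")"
    rm -rf "$tmp"
}

demo
```

Run it against a real install as `audit_mantis /var/www/mantis` (path is an assumption) and act on a non-zero exit status; the version check is a hint only, since a distribution may have applied the referenced patch without bumping MANTIS_VERSION, which is why the admin directory's presence, not the version, decides between "safe" and the other results.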