Launchpad has imported 9 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=830735.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2012-06-11T10:18:08+00:00 Jan wrote: >From the CVE request [2]: Roland Becker and Damien Regad (MantisBT developers) found that any user able to report issues via the SOAP interface could also modify any bugnotes (comments) created by other users. In a default/typical MantisBT installation, SOAP API is enabled and any user can sign up to report new issues. This vulnerability therefore impacts upon many public facing MantisBT installations. References: [1] http://www.mantisbt.org/bugs/view.php?id=14340 [2] http://www.openwall.com/lists/oss-security/2012/06/09/1 [3] https://bugs.gentoo.org/show_bug.cgi?id=420375 Upstream patches (against the v1.2.x branch) seems to be the following two: [4] https://github.com/mantisbt/mantisbt/commit/edc8142bb8ac0ac0df1a3824d78c15f4015d959e [5] https://github.com/mantisbt/mantisbt/commit/175d973105fe9f03a37ced537b742611631067e0 Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/2 ------------------------------------------------------------------------ On 2012-06-11T10:19:33+00:00 Jan wrote: This issue affects the versions of the mantis package, as shipped with Fedora release of 15, 16, and 17. Please schedule an update. Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/3 ------------------------------------------------------------------------ On 2012-06-11T10:24:42+00:00 Jan wrote: Gianluca, I am not completely sure, the version of mantis package, as shipped with Fedora EPEL 5 is affected by this issue. From the upstream patches, relevant changes are touching mc_issue_note_update() routine, while that one doesn't seem to be available yet in mantis-1.1.8 version, as shipped with Fedora EPEL 5 (there are only mc_issue_note_add(), mc_issue_note_delete(), and mc_issue_update() ones [but 'note' is missing in the last one]). But to be sure, could you please have a double-checking look at the proposed patch and situation in EPEL 5 version, and schedule a fix if necessary for EPEL 5 too (I am going to create a bug for this version too, since it's affected by the second bug 830737), so we would not miss something? Thank you, Jan. Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/4 ------------------------------------------------------------------------ On 2012-06-11T10:27:55+00:00 Jan wrote: Created mantis tracking bugs for this issue Affects: fedora-all [bug 830741] Affects: epel-5 [bug 830742] Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/5 ------------------------------------------------------------------------ On 2012-06-12T07:59:14+00:00 Jan wrote: The CVE identifier of CVE-2012-2691 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/06/11/6 Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/7 ------------------------------------------------------------------------ On 2012-11-23T07:55:50+00:00 Fedora wrote: mantis-1.2.12-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/20 ------------------------------------------------------------------------ On 2012-11-24T03:24:08+00:00 Fedora wrote: mantis-1.2.12-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/21 ------------------------------------------------------------------------ On 2012-11-24T03:25:12+00:00 Fedora wrote: mantis-1.2.12-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/22 ------------------------------------------------------------------------ On 2013-03-15T04:19:22+00:00 Vincent wrote: EPEL5 hasn't been touched since Dec 2010, and the package is technically orphaned. As a result I'm closing this bug as this issue is fixed in Fedora. The EPEL5 tracking bug #800667 will remain open until either mantis is dropped from EPEL or it is fixed. Reply at: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/comments/23 ** Changed in: fedora Status: Unknown => Fix Released ** Changed in: fedora Importance: Unknown => Low -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1011823 Title: mantisbt : multiple vulnerabilities To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mantis/+bug/1011823/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs