Thijs Kinkhorst <[EMAIL PROTECTED]> writes:

> Hello,
>
> On Thu, 29 Sep 2005, Moritz Muehlenhoff <[EMAIL PROTECTED]> wrote:
>> mantis 1.0.0-rc2 fixed these security problems, that seem to be missing in
>> the latest DSA upload that fixed several others:
>>
>> - 0006097: [security] user ID is cached indefinately (thraxisp)
>> - 0006189: [security] List of users (in filter) visible for unauthorized
>>   users. (thraxisp)
>>
>> Besides that there was a CVE assignment (CAN-2005-3091) for a
>> Cross-Site-Scripting vulnerability that refers to the Mantis bug 5751,
>> for which I can't find a referenced fix in the 0.19.2-4 changelog as well.
>
> Three weeks later, there has been no response yet from the maintainer,
> perhaps you are busy with other projects? Since I think it's important
> that RC bugs get fixed in a timely manner, I am looking into preparing
> an NMU for this within the next week. This is of course no offense but
> an effort to help improve the quality of Debian.

No offense taken. My impression was that those bugs had all been fixed in
the last security update, as Joey suggested.

> Please let me know if you oppose an NMU. I will post a patch as
> soon as I have one.

Please go ahead. I am no longer a user of Mantis. If you are interested,
you can take over the package, too.

Cheers,
-Hilko

