Package: mantis
Version: 1.0.6-4.1
Severity: important
Tags: security pending
The current version of mantis in the repository is affected by CVE-2006-6574. The description for this security issue reads as follows:

Mantis before 1.1.0a2 does not implement per-item access control for Issue History (Bug History), which allows remote attackers to obtain sensitive information by reading the Change column, as demonstrated by the Change column of a custom field.

Information about impact (according to NVD at NIST):
CVSS Severity: 2.3 (Low)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information

I'm adding this note for information, as I am working on fixing this issue. The packager of the Fedora Core packages of mantis has issued a patch backporting the changes made in 1.1.0a2, which is not vulnerable. I will check whether this patch can be incorporated into this package and upload it with the next upload, which is being held only by this security issue.

Greets
Patrick