Package: mantis
Version: 1.2.18-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole

Dear Maintainer,

There is an upstream security update that fixes the following security issues:

 * CVE-2014-9571: XSS in install.php
 * CVE-2014-9572: Improper Access Control in install.php
 * CVE-2014-9573: SQL Injection in manage_user_page.php
 * CVE-2014-9624: CAPTCHA bypass
 * CVE-2014-9701: XSS vulnerability in permalink_page.php
 * CVE-2015-1042: URL redirection issue

Also it fixes some regressions introduced in 1.2.18:

 * #17993 prevents new users from signing up on systems using CAPTCHA.
 * #17967 which causes a PHP error when reporting issues on systems with checkbox custom fields.

Especially the former is really annoying if the only choice is keeping people from signing up or having a lot of spammer accounts.

Changelog is here:
http://mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.19

Thanks for taking care of this issue,
Michael

-- System Information:
Debian Release: 7.8
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mantis depends on:
ii  apache2                      2.2.22-13+deb7u4
ii  apache2-mpm-prefork [httpd]  2.2.22-13+deb7u4
ii  apache2-utils                2.2.22-13+deb7u4
ii  debconf [debconf-2.0]        1.5.49
ii  libapache2-mod-php5          5.4.38-0+deb7u1
ii  libjs-prototype              1.7.0-2
ii  libjs-scriptaculous          1.9.0-2
ii  libnusoap-php                0.7.3-5
ii  libphp-adodb                 5.15-1
ii  libphp-phpmailer             5.1-1
ii  php5-cli                     5.4.38-0+deb7u1
ii  ucf                          3.0025+nmu3

Versions of packages mantis recommends:
ii  mysql-client                 5.5.41-0+wheezy1
ii  mysql-client-5.5 [mysql-client]  5.5.41-0+wheezy1
ii  php5-mysql                   5.4.38-0+deb7u1

Versions of packages mantis suggests:
ii  mysql-server                 5.5.41-0+wheezy1
ii  php5-cli                     5.4.38-0+deb7u1

-- debconf information excluded
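The report gives the installed package version (1.2.18-1) and the upstream release that carries the fixes (1.2.19). The following script is an added example, not part of the bug report or of the mantis or Debian packaging, showing how an administrator might screen a fleet for the pre-fix upstream version: it parses `dpkg -l` style lines, splits the Debian version string into epoch, upstream version and Debian revision, and compares the upstream part against the fixed upstream release. The sample `dpkg -l` output is constructed for this example (only the mantis version string comes from the report), and the version ordering is a simplified form of dpkg's rules (numeric runs compared as integers, everything else as strings; `~` is not given its special low ordering).

```python
import re

# Upstream release that contains the fixes for the CVEs listed in the report.
FIXED_UPSTREAM = "1.2.19"

# Constructed sample of `dpkg -l` output; only the mantis version string is taken from the report.
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
ii  mantis   1.2.18-1          all   web-based bug tracking system
ii  apache2  2.2.22-13+deb7u4  i386  Apache HTTP Server metapackage
"""


def split_debian_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).

    The epoch defaults to 0 and the revision to '' when absent; the revision is
    everything after the last '-', as dpkg defines it.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order_key(version):
    # Simplified dpkg ordering (assumption, not the full algorithm): digit runs
    # compare numerically, other runs compare as strings; dots only separate.
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[^\d.]+", version)]


def upstream_is_older(installed_upstream, fixed_upstream):
    """True when the installed upstream version predates the fixed one."""
    return _order_key(installed_upstream) < _order_key(fixed_upstream)


def installed_versions(dpkg_l_output):
    """Map package name -> version for every 'ii' (installed) row."""
    versions = {}
    for line in dpkg_l_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            versions[parts[1]] = parts[2]
    return versions


def check_mantis(dpkg_l_output, fixed_upstream=FIXED_UPSTREAM):
    """Return a small report for the mantis package, or None if it is not installed."""
    versions = installed_versions(dpkg_l_output)
    if "mantis" not in versions:
        return None
    _, upstream, _ = split_debian_version(versions["mantis"])
    return {
        "installed": versions["mantis"],
        "upstream": upstream,
        "older_than_fix": upstream_is_older(upstream, fixed_upstream),
    }


if __name__ == "__main__":
    print(check_mantis(SAMPLE_DPKG_L))
```

One caveat for anyone using a check like this: Debian stable routinely backports security fixes without changing the upstream version, so a package still reporting upstream 1.2.18 may already carry the fixes in a later Debian revision. Treat a hit from this script as a prompt to consult the Debian security tracker entries for the listed CVEs, not as proof that the host is vulnerable.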