Package: mantis
Version: 0.19.2-4
Severity: grave
Tags: security
Justification: user security hole
Another security problem has been found in mantis. Insufficient
input sanitising of the t_core_path parameter may be exploited
to perform arbitrary file inclusion. Please see
http://secunia.com/secu
On Wed, October 26, 2005 23:30, Moritz Muehlenhoff wrote:
> Another security problem has been found in mantis. Insufficient
> input sanitising of the t_core_path parameter may be exploited to perform
> arbitrary file inclusion. Please see
> http://secunia.com/secunia_research/2005-46/advisory/ for
Thijs Kinkhorst wrote:
> > Another security problem has been found in mantis. Insufficient
> > input sanitising of the t_core_path parameter may be exploited to perform
> > arbitrary file inclusion. Please see
> > http://secunia.com/secunia_research/2005-46/advisory/ for details.
>
> Hello Moritz,
On Thu, October 27, 2005 11:26, Moritz Muehlenhoff wrote:
> I assume you've prepared packages of 0.19.3?
> This would address the SQL injection issue and the other XSS in
> view_all_set as well, which are both not yet in the BTS.
Yes, I have.
Thijs
Moritz Muehlenhoff wrote:
> Thijs Kinkhorst wrote:
> > > Another security problem has been found in mantis. Insufficient
> > > input sanitising of the t_core_path parameter may be exploited to perform
> > > arbitrary file inclusion. Please see
> > > http://secunia.com/secunia_research/2005-46/advis
On Thu, October 27, 2005 14:56, Martin Schulze wrote:
>> I assume you've prepared packages of 0.19.3?
>> This would address the SQL injection issue and the other XSS in
>> view_all_set as well, which are both not yet in the BTS.
>>
>> The latest issues have been assigned CVE-2005-333[6789], BTW.
>>
Martin Schulze wrote:
> > Thijs Kinkhorst wrote:
> > > > Another security problem has been found in mantis. Insufficient
> > > > input sanitising of the t_core_path parameter may be exploited to
> > > > perform
> > > > arbitrary file inclusion. Please see
> > > > http://secunia.com/secunia_researc
Hello All,
On Thu, 2005-10-27 at 15:49 +0200, Moritz Muehlenhoff wrote:
> All affect Sarge.
I've prepared updated packages for sarge. My updated package for sid is
still pending with my sponsor Luk Claes. The updated packages for sarge
are available here:
http://www.a-eskwadraat.nl/~kink/mantis_
Thijs Kinkhorst wrote:
> > All affect Sarge.
>
> I've prepared updated packages for sarge. My updated package for sid is
> still pending with my sponsor Luk Claes. The updated packages for sarge
> are available here:
> http://www.a-eskwadraat.nl/~kink/mantis_sec/
>
> They are not signed since I'
On Mon, October 31, 2005 16:07, Moritz Muehlenhoff wrote:
> The included patches look fine and correlate to what I extracted from the
> interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?
>
> The mantis bug is non-public, but according to the description it's
> a cross-site-scrip
Thijs Kinkhorst wrote:
> On Mon, October 31, 2005 16:07, Moritz Muehlenhoff wrote:
> > The included patches look fine and correlate to what I extracted from the
> > interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?
> >
> > The mantis bug is non-public, but according to the desc
On Mon, 2005-10-31 at 17:22 +0100, Moritz Muehlenhoff wrote:
> It's hard to tell, whether it's the same issue as #5959 is non-public, but at
> least there are two different CVE mappings. (CVE-2005-2557 and CVE-2005-3337).
> But it might very well be that the CVE description is wrong, as all these
Thijs Kinkhorst wrote:
> On Thu, 2005-10-27 at 15:49 +0200, Moritz Muehlenhoff wrote:
> > All affect Sarge.
>
> I've prepared updated packages for sarge. My updated package for sid is
> still pending with my sponsor Luk Claes. The updated packages for sarge
> are available here:
> http://www.a-es
13 matches
Mail list logo
