Debian Bug report logs - #330682
mantis: Several vulnerabilities in Mantis

Package: mantis; Maintainer for mantis is Silvia Alvarez <sils@powered-by-linux.com>; Source for mantis is src:mantis.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 29 Sep 2005 09:48:02 UTC

Severity: grave

Tags: fixed, security

Fixed in version mantis/0.19.4-1

Done: Igor Genibel <igenibel@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Hilko Bengen <bengen@debian.org>:
Bug#330682; Package mantis.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Hilko Bengen <bengen@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mantis: Several vulnerabilities in Mantis
Date: Thu, 29 Sep 2005 11:33:05 +0200
Package: mantis
Severity: grave
Tags: security
Justification: user security hole

mantis 1.0.0-rc2 fixed these security problems, that seem to be missing in
the latest DSA upload that fixed several others:

- 0006097: [security] user ID is cached indefinately (thraxisp)
- 0006189: [security] List of users (in filter) visible for unauthorized users. (thraxisp)

Besides that there was a CVE assignment (CAN-2005-3091) for a Cross-Site-Scripting
vulnerability that refers the Mantis bug 5751, for which I can't find a referenced
fix in the 0.19.2-4 changelog as well.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#330682; Package mantis.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>.

Message #10 received at 330682@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 330682@bugs.debian.org
Cc: luk@debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: mantis: Several vulnerabilities in Mantis
Date: Wed, 19 Oct 2005 14:19:53 +0200
Hello,

On Thu, 29 Sep 2005, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> mantis 1.0.0-rc2 fixed these security problems, that seem to be missing in
> the latest DSA upload that fixed several others:
> 
> - 0006097: [security] user ID is cached indefinately (thraxisp)
> - 0006189: [security] List of users (in filter) visible for unauthorized users. (thraxisp)
> 
> Besides that there was a CVE assignment (CAN-2005-3091) for a Cross-Site-Scripting
> vulnerability that refers the Mantis bug 5751, for which I can't find a referenced
> fix in the 0.19.2-4 changelog as well.

Three weeks later, there has been no response yet from the maintainer,
perhaps you are busy with other projects? Since I think it's important
that RC bugs get fixed in a timely manner, I am looking into preparing
an NMU for this within the next week. This is of course no offense but
an effort to help improve the quality of Debian.

Please let me know if you oppose to an NMU. I will post a patch as soon
as I have one.


regards,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#330682; Package mantis.

Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list.

Message #15 received at 330682@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 330682@bugs.debian.org, luk@debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#330682: mantis: Several vulnerabilities in Mantis
Date: Wed, 19 Oct 2005 17:47:41 +0200
Thijs Kinkhorst <kink@squirrelmail.org> writes:

> Hello,
>
> On Thu, 29 Sep 2005, Moritz Muehlenhoff <jmm@inutil.org> wrote:
>> mantis 1.0.0-rc2 fixed these security problems, that seem to be missing in
>> the latest DSA upload that fixed several others:
>> 
>> - 0006097: [security] user ID is cached indefinately (thraxisp)
>> - 0006189: [security] List of users (in filter) visible for unauthorized users. (thraxisp)
>> 
>> Besides that there was a CVE assignment (CAN-2005-3091) for a Cross-Site-Scripting
>> vulnerability that refers the Mantis bug 5751, for which I can't find a referenced
>> fix in the 0.19.2-4 changelog as well.
>
> Three weeks later, there has been no response yet from the maintainer,
> perhaps you are busy with other projects? Since I think it's important
> that RC bugs get fixed in a timely manner, I am looking into preparing
> an NMU for this within the next week. This is of course no offense but
> an effort to help improve the quality of Debian.

No offense taken. My impression was that those bugs had all been fixed
in the last security update, as Joey suggested.

> Please let me know if you oppose to an NMU. I will post a patch as
> soon as I have one.

Please go ahead. 

I am no longer a user of Mantis. If you are interested, you can take
over the package, too.

Cheers,
-Hilko



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#330682; Package mantis.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>.

Message #20 received at 330682@bugs.debian.org:

From: Luk Claes <luk@debian.org>
To: Thijs Kinkhorst <kink@squirrelmail.org>
Cc: 330682@bugs.debian.org
Subject: Re: mantis: Several vulnerabilities in Mantis
Date: Wed, 19 Oct 2005 19:43:21 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thijs Kinkhorst wrote:
> Hello,

Hi Thijs

> On Thu, 29 Sep 2005, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> 
>>mantis 1.0.0-rc2 fixed these security problems, that seem to be missing in
>>the latest DSA upload that fixed several others:
>>
>>- 0006097: [security] user ID is cached indefinately (thraxisp)
>>- 0006189: [security] List of users (in filter) visible for unauthorized users. (thraxisp)
>>
>>Besides that there was a CVE assignment (CAN-2005-3091) for a Cross-Site-Scripting
>>vulnerability that refers the Mantis bug 5751, for which I can't find a referenced
>>fix in the 0.19.2-4 changelog as well.
> 
> 
> Three weeks later, there has been no response yet from the maintainer,
> perhaps you are busy with other projects? Since I think it's important
> that RC bugs get fixed in a timely manner, I am looking into preparing
> an NMU for this within the next week. This is of course no offense but
> an effort to help improve the quality of Debian.
> 
> Please let me know if you oppose to an NMU. I will post a patch as soon
> as I have one.

Note that this is part of the NM process of Thijs, so I'll probably be
the one doing the NMU as his AM.

- --
Luk Claes - http://people.debian.org/~luk - GPG key 1024D/9B7C328D
Fingerprint:   D5AF 25FB 316B 53BB 08E7   F999 E544 DE07 9B7C 328D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDVoW55UTeB5t8Mo0RAnqiAJ9OHWWZYh5T+62/q77jfE6FDkF1OACffQSh
WWfN3yh39IYm2sXFpkr+y5w=
=KZJM
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#330682; Package mantis.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>.

Message #25 received at 330682@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Hilko Bengen <bengen@debian.org>
Cc: Thijs Kinkhorst <kink@squirrelmail.org>, 330682@bugs.debian.org, luk@debian.org, security@debian.org
Subject: Re: Bug#330682: mantis: Several vulnerabilities in Mantis
Date: Thu, 20 Oct 2005 18:23:17 +0200
Hilko Bengen wrote:
> >> mantis 1.0.0-rc2 fixed these security problems, that seem to be missing in
> >> the latest DSA upload that fixed several others:
> >> 
> >> - 0006097: [security] user ID is cached indefinately (thraxisp)
> >> - 0006189: [security] List of users (in filter) visible for unauthorized users. (thraxisp)
> >> 
> >> Besides that there was a CVE assignment (CAN-2005-3091) for a Cross-Site-Scripting
> >> vulnerability that refers the Mantis bug 5751, for which I can't find a referenced
> >> fix in the 0.19.2-4 changelog as well.
> >
> > Three weeks later, there has been no response yet from the maintainer,
> > perhaps you are busy with other projects? Since I think it's important
> > that RC bugs get fixed in a timely manner, I am looking into preparing
> > an NMU for this within the next week. This is of course no offense but
> > an effort to help improve the quality of Debian.
> 
> No offense taken. My impression was that those bugs had all been fixed
> in the last security update, as Joey suggested.

DSA-778 fixed 
CVE-2005-2556, CVE-2005-2557, CVE-2005-3090 (this was added to the DSA text in retrospect)
and has been pulled over to sid.

I haven't checked that with the sources yet, but the mantis bugs
0006097: [security] user ID is cached indefinately (thraxisp)
0006189: [security] List of users (in filter) visible for unauthorized users. (thraxisp)
0005751: Non-descript Cross-Site-Scripting issue aka CVE-2005-3091
seem required for sid. Sarge might be affected as well.

Cheers,
        Moritz



Tags added: pending Request was from "Thijs Kinkhorst" <kink@squirrelmail.org> to control@bugs.debian.org.

Tags added: fixed Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Reply sent to Igor Genibel <igenibel@debian.org>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #38 received at 330682-close@bugs.debian.org:

From: Igor Genibel <igenibel@debian.org>
To: 330682-close@bugs.debian.org
Subject: Bug#330682: fixed in mantis 0.19.4-1
Date: Wed, 04 Jan 2006 07:32:06 -0800
Source: mantis
Source-Version: 0.19.4-1

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_0.19.4-1.diff.gz
  to pool/main/m/mantis/mantis_0.19.4-1.diff.gz
mantis_0.19.4-1.dsc
  to pool/main/m/mantis/mantis_0.19.4-1.dsc
mantis_0.19.4-1_all.deb
  to pool/main/m/mantis/mantis_0.19.4-1_all.deb
mantis_0.19.4.orig.tar.gz
  to pool/main/m/mantis/mantis_0.19.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 330682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Igor Genibel <igenibel@debian.org> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  4 Jan 2006 15:45:57 +0100
Source: mantis
Binary: mantis
Architecture: source all
Version: 0.19.4-1
Distribution: unstable
Urgency: high
Maintainer: Igor Genibel <igenibel@debian.org>
Changed-By: Igor Genibel <igenibel@debian.org>
Description: 
 mantis     - web-based bug tracking system
Closes: 312749 319625 323914 328959 330682 332021 334523 335938 335992 336516 340484 345288 345353
Changes: 
 mantis (0.19.4-1) unstable; urgency=high
 .
   * New upstream release
   * New Maintainer (Closes: #335992,#345353)
   * Added Swedish translation
       (Thanks to Daniel Nylander <yeager@lidkoping.net>)
       (Closes: #340484)
   * Fix several security issues:
     - CVE-2005-4524, CVE-2005-4523, CVE-2005-4522, CVE-2005-4521,
       CVE-2005-4520, CVE-2005-4519, CVE-2005-4518, CVE-2005-4238
       (Closes: #345288)
   * Acknowledge Security Fixes NMUs (Closes: #330682,#335938)
   * Acknowledge Important Fixes NMUs (Closes: #323914)
   * Acknowledge Normal Fixes NMUs (Closes: #328959,#332021,#334523)
   * Acknowledge Minor and Wishlist Fixes NMUs (Closes: #319625,#312749)
   * Ack Thijs Kinkhorst <kink@squirrelmail.org> NMUs patch (Closes: 336516)
Files: 
 f03a602dc4b4f8da292aeeaa28e7feed 570 web optional mantis_0.19.4-1.dsc
 368b98bd737ea7b1a86631aac064074e 1301470 web optional mantis_0.19.4.orig.tar.gz
 e52a3e7ec9249d2e44406de4a85a4501 36174 web optional mantis_0.19.4-1.diff.gz
 36b6301ec54c1f4c7e84b986fe77ecd2 903224 web optional mantis_0.19.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDu+Zc+xgdMBZI9sgRAjXtAKCQGO78rtewHoySUdZiKLUWjv+NiwCdFzQE
mGU4VNwllVnUMmskSeCjG2Q=
=++y6
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 18:56:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 20:52:55 2014; Machine Name: beach.debian.org
