Debian Bug report logs - #402802
SA23258: mantis: Custom Field Information Disclosure

version graph

Package: mantis; Maintainer for mantis is Silvia Alvarez <>; Source for mantis is src:mantis.

Reported by: Alex de Oliveira Silva <>

Date: Tue, 12 Dec 2006 20:18:01 UTC

Severity: important

Tags: security

Found in version mantis/1.0.6+dfsg-2

Fixed in version mantis/1.0.6+dfsg-3

Done: Patrick Schoenfeld <>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to, Patrick Schoenfeld <>:
Bug#402802; Package mantis. Full text and rfc822 format available.

Acknowledgement sent to Alex de Oliveira Silva <>:
New Bug report received and forwarded. Copy sent to Patrick Schoenfeld <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Alex de Oliveira Silva <>
To: Debian Bug Tracking System <>
Subject: SA23258: mantis: Custom Field Information Disclosure
Date: Tue, 12 Dec 2006 16:59:20 -0300
Package: mantis
Version: 1.0.6+dfsg-2
Severity: important
Tags: security

A security issue has been reported in Mantis, which can be exploited by malicious people to disclose sensitive information.

The security issue is caused due to an unspecified error in the handling of custom fields, that are only visible for a project manager. This can be exploited to 
disclose the contents of custom fields via the history.

The vulnerability is reported in versions prior to 1.1.0a2.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)

Tags added: pending Request was from "schönfeld /" <> to Full text and rfc822 format available.

Reply sent to Patrick Schoenfeld <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Alex de Oliveira Silva <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #12 received at (full text, mbox):

From: Patrick Schoenfeld <>
Subject: Bug#402802: fixed in mantis 1.0.6+dfsg-3
Date: Thu, 14 Dec 2006 18:02:03 +0000
Source: mantis
Source-Version: 1.0.6+dfsg-3

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

  to pool/main/m/mantis/mantis_1.0.6+dfsg-3.diff.gz
  to pool/main/m/mantis/mantis_1.0.6+dfsg-3.dsc
  to pool/main/m/mantis/mantis_1.0.6+dfsg-3_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Patrick Schoenfeld <> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Hash: SHA1

Format: 1.7
Date: Wed, 13 Dec 2006 18:07:19 +0100
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.0.6+dfsg-3
Distribution: unstable
Urgency: low
Maintainer: Patrick Schoenfeld <>
Changed-By: Patrick Schoenfeld <>
 mantis     - web-based bug tracking system
Closes: 402283 402802
 mantis (1.0.6+dfsg-3) unstable; urgency=low
   * Fixed bug in debian/config that caused admin mail address pointing to default
     value in the further dialog instead of what the user entered.
   * Brought debconf translations back, thanks to Christian Perrier for the
     hint and the patch (Closes: #402283)
   * Added updated german translation of debconf texts
   * Fixed SA23258: mantis: Custom Field Information Disclosure by backporting
     core/history_api.php from 1.1.0a2 to this version
     (Closes: #402802)
 c0f6433b171ff8f49bd1111095079fb6 606 web optional mantis_1.0.6+dfsg-3.dsc
 ee52f1b9b28fd86983638907af1e4e8d 36115 web optional mantis_1.0.6+dfsg-3.diff.gz
 8e2e0333aa87e84de0db9a035ec09a8d 1273360 web optional mantis_1.0.6+dfsg-3_all.deb

Version: GnuPG v1.4.6 (GNU/Linux)


Bug archived. Request was from Debbugs Internal Request <> to (Sun, 24 Jun 2007 09:13:35 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.

Debian bug tracking system administrator <>. Last modified: Fri Apr 18 03:17:01 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.