1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2500-1] mantis security update

    From Florian Weimer@1:229/2 to All on Sun Jun 24 14:20:02 2012
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2500-1 [email protected] http://www.debian.org/security/ Florian Weimer
    June 24, 2012 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : mantis
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE ID : CVE-2012-1118 CVE-2012-1119 CVE-2012-1120 CVE-2012-1122
    CVE-2012-1123 CVE-2012-2692

    Several vulnerabilities were discovered in Mantis, am issue tracking
    system.

    CVE-2012-1118
    Mantis installation in which the private_bug_view_threshold
    configuration option has been set to an array value do not
    properly enforce bug viewing restrictions.

    CVE-2012-1119
    Copy/clone bug report actions fail to leave an audit trail.

    CVE-2012-1120
    The delete_bug_threshold/bugnote_allow_user_edit_delete
    access check can be bypassed by users who have write
    access to the SOAP API.

    CVE-2012-1122
    Mantis performed access checks incorrectly when moving bugs
    between projects.

    CVE-2012-1123
    A SOAP client sending a null password field can authenticate
    as the Mantis administrator.

    CVE-2012-2692
    Mantis does not check the delete_attachments_threshold
    permission when a user attempts to delete an attachment from
    an issue.

    For the stable distribution (squeeze), these problems have been fixed
    in version 1.1.8+dfsg-10squeeze2.


    For the testing distribution (wheezy) and the unstable distribution
    (sid), these problems have been fixed in version 1.2.11-1.

    We recommend that you upgrade your mantis packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.10 (GNU/Linux)

    iQEcBAEBAgAGBQJP5wlDAAoJEL97/wQC1SS+3uUH/iSpSYaS0ZHHlvJVyTXUzs4S R6tC8HYpbtgrZo4BYJk4ynWh/jpY3TVcuy5ekH5BSmNKmP0NTZ5VWoEzIu3HmU+a 86DCwxdhRTlzw7NDltiK7Q3EDtvIqb5u1j6Us+V2CUfENKI3MA9CBzBCMLhuco4w noN/+OaZ0LG9YgDTKBxmWJYNGb0a7h+Me0/hsBg6+E9L345vGS3WLibnj1Balvld RWH3BClh2jj6TdGvQJboDVShnIDJEe8FINCavCSKWF+EjQBkxM8ffDDQaNGiAlNZ GsG8P4VGJ4KscB+Avr/XKfi/fCN7ZkhdQu3ymbgTOhfUeKFjJaRiR3WZbMfhIs4=
    =ghRd
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)