Accepted mantis 1.1.8+dfsg-10squeeze2 (source all)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 15 Jun 2012 22:34:17 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.1.8+dfsg-10squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Silvia Alvarez <sils@powered-by-linux.com>
Changed-By: Dario Minnucci <midget@debian.org>
Description:
mantis - web-based bug tracking system
Closes: 669924 669925 669926 669927 669928 669930
Changes:
mantis (1.1.8+dfsg-10squeeze2) stable-security; urgency=high
.
  * Urgency high: Fixes some CVEs
    - CVE-2011-3578: Added this note as history update.
      This issue was really fixed in '1.1.8+dfsg-10squeeze1' upload
      (via 12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff patch)
      but there was no CVE ID assigned at that moment, so there are no
      references to it in the changelog. The issue on the Security Tracker
      was manually updated thanks to Thijs Kinkhorst <thijs@debian.org>.
    - CVE-2012-1118: Array value for $g_private_bug_threshold
      configuration option allows bypass of access. (Closes: #669924)
    - CVE-2012-1119: copy/clone bug report action failed to leave an
      audit trail. (Closes: #669928)
    - CVE-2012-1120: Delete_bug_threshold/bugnote_allow_user_edit_delete
      access check bypass. (Closes: #669925)
    - CVE-2012-1121: mantis 1.1.8 is not affected by this issue.
      (Closes: #669926)
    - CVE-2012-1122: Incorrect access checks performed when moving
      bugs between projects. (Closes: #669927)
    - CVE-2012-1123: SOAP API null password authentication bypass
      (Closes: #669930)
    - CVE-2012-2691: Reporters can update notes of other users by using
      SOAP API. This bug does not affect mantis package in squeeze.
      Affected function 'mc_issue_note_update' is not implemented in
      mantis 1.1.8 version.
    - CVE-2012-2692: delete_attachments_threshold not checked on
      attachment deletion. Thanks to David Hicks <d@hx.id.au>
Checksums-Sha1:
1a781295d7fd3aa96b2df61fe57248301ecb5fc2 1786 mantis_1.1.8+dfsg-10squeeze2.dsc
57f71bee370ecc38318543e9312f648240d6f8e7 61166 mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
a4a010b13b45c2ff9c8efbcd9b208b61336abe43 1786836 mantis_1.1.8+dfsg-10squeeze2_all.deb
Checksums-Sha256:
4bb7b23cb8f6e7a4a607064f8faf514188cd7810b289735a11ef0270f135e2c4 1786 mantis_1.1.8+dfsg-10squeeze2.dsc
7138c0f5ce38dbcccb560e302371fb0bcb4abe75dc562c698a6cfdcf479c33a4 61166 mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
1e2021d9abac520ce1671443bd70a3a7bdbd0ed7263f1cd38006d7759b02b522 1786836 mantis_1.1.8+dfsg-10squeeze2_all.deb
Files:
97de550ec12db62eb20c52b285d9dcec 1786 web optional mantis_1.1.8+dfsg-10squeeze2.dsc
0973f46131a418134415f5e0c4f08552 61166 web optional mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
80a067c6563aff1501316fd222ed4397 1786836 web optional mantis_1.1.8+dfsg-10squeeze2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Accepted:
mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
  to main/m/mantis/mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
mantis_1.1.8+dfsg-10squeeze2.dsc
  to main/m/mantis/mantis_1.1.8+dfsg-10squeeze2.dsc
mantis_1.1.8+dfsg-10squeeze2_all.deb
  to main/m/mantis/mantis_1.1.8+dfsg-10squeeze2_all.deb