Your message dated Sun, 05 Sep 2010 19:49:18 +0000
with message-id <e1osldk-0008h4...@franck.debian.org>
and subject line Bug#595510: fixed in mantis 1.1.8+dfsg-6
has caused the Debian Bug report #595510,
regarding mantis: CVE-2010-2574 xss vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
595510: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595510
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mantis
Version: 1.1.8+dfsg-5
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mantis.  After a quick search, I couldn't find enough info
to be able to check whether this affects older versions.  Please check.

CVE-2010-2574[0]:
| Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in
| MantisBT 1.2.2 allows remote authenticated administrators to inject
| arbitrary web script or HTML via the name parameter in an Add Category
| action.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2574
    http://security-tracker.debian.org/tracker/CVE-2010-2574



--- End Message ---
--- Begin Message ---
Source: mantis
Source-Version: 1.1.8+dfsg-6

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.1.8+dfsg-6.debian.tar.gz
  to main/m/mantis/mantis_1.1.8+dfsg-6.debian.tar.gz
mantis_1.1.8+dfsg-6.dsc
  to main/m/mantis/mantis_1.1.8+dfsg-6.dsc
mantis_1.1.8+dfsg-6_all.deb
  to main/m/mantis/mantis_1.1.8+dfsg-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 595...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Silvia Alvarez <s...@powered-by-linux.com> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 05 Sep 2010 01:58:01 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.1.8+dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Silvia Alvarez <s...@powered-by-linux.com>
Changed-By: Silvia Alvarez <s...@powered-by-linux.com>
Description: 
 mantis     - web-based bug tracking system
Closes: 595510
Changes: 
 mantis (1.1.8+dfsg-6) unstable; urgency=high
 .
   * debian/patches:
     + Added 08-CVE-2010-2574.diff:  Fix for CVE-2010-2574 XSS
       vulnerability when deleting categories that have been
       maliciously named. (Closes: #595510)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
