severity 607159 minor
thanks
Hi all,

Thanks for the report and follow up.
Thanks Olivier for advancing my answer (xmas 5 cents ;-)
Thanks David for responding.

Hereby I'm going to downgrade this bug to minor. I will apply the upstream's patch ASAP, but it really is not urgent|critical because the mantis package is not affected: the "admin" dir is protected by the Apache config (as Olivier explains).

The admin directory is just used by users who install or update mantis from the upstream source package (manually installed); the mantis debian package doesn't use it, at all. That's another reason because it's not accessible|blocked from our distributed version.

The application of the patch made sense because we distribute the upstream source code, but it is useless for the mantis package installed in debian.

Thanks all of you, again.

Best Regards,

Sils

On 12/15/2010 09:42 AM, David Hicks wrote:
> Hi Olivier,
>
> Thank you for the response.
>
> On Wed, 2010-12-15 at 09:13 +0100, Olivier Berger wrote:
>> AFAICT, Debian installations may not be vulnerable as the admin/ dir is
>> protected in principle by the Apache configuration of the package :
>
> This is good/recommended practice so this bug will probably not affect
> the Debian MantisBT package.
>
> I also heard the same news from Micah Gersten (Ubuntu MantisBT
> maintainer) regarding the disablement of the admin/ directory.
>
>> Maybe the security/severity should be downgraded ?
>
> Agreed.
>
> Regards,
>
> David