Your message dated Fri, 19 Aug 2011 05:49:38 +0000
with message-id <e1quhxa-0008mc...@franck.debian.org>
and subject line Bug#638321: fixed in mantis 1.2.6-1
has caused the Debian Bug report #638321,
regarding MantisBT <1.2.7 search.php multiple XSS vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
638321: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638321
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mantis
Version: 1.2.4-3
Severity: critical
Tags: security patch upstream fixed-upstream

Original vulnerability report by Net.Edit0r (net.edi...@att.net) from
BlACK Hat Group [http://black-hg.org] is available at:
http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue:
http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by
Net.Edit0r is not reproducible (refer to the MantisBT bug report above
for reasons why).

A patch for 1.2.6 is available at:
https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

(Note: should backport fairly easily to 1.2.4 as well)

A CVE request and notice has been sent to
oss-secur...@lists.openwall.com



--- End Message ---
--- Begin Message ---
Source: mantis
Source-Version: 1.2.6-1

We believe that the bug you reported is fixed in the latest version of
mantis, which is due to be installed in the Debian FTP archive:

mantis_1.2.6-1.debian.tar.gz
  to main/m/mantis/mantis_1.2.6-1.debian.tar.gz
mantis_1.2.6-1.dsc
  to main/m/mantis/mantis_1.2.6-1.dsc
mantis_1.2.6-1_all.deb
  to main/m/mantis/mantis_1.2.6-1_all.deb
mantis_1.2.6.orig.tar.gz
  to main/m/mantis/mantis_1.2.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 638...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Silvia Alvarez <s...@powered-by-linux.com> (supplier of updated mantis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 19 Aug 2011 06:48:57 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.2.6-1
Distribution: unstable
Urgency: medium
Maintainer: Silvia Alvarez <s...@powered-by-linux.com>
Changed-By: Silvia Alvarez <s...@powered-by-linux.com>
Description: 
 mantis     - web-based bug tracking system
Closes: 635932 637752 638321
Changes: 
 mantis (1.2.6-1) unstable; urgency=medium
 .
   [ Silvia Alvarez ]
   * New Upstream Release (1.2.6)
   * debian/NEWS: updated
   * debian/patches:
     + added: Fix security multiple XSS (Closes: #638321)
       000-fix-security-bug-bts-638321-filterapi-multiple-XSS.diff
   * debian/copyright: updated
   * debian/po debconf translations:
     + Added Russian translation, thanks to
        Yuri Kozlov (Closes: #637752)
     + Clean up ru.po obsoleted lines
   * debian/README.Debian: updated
   * debian/doc/README.VirtualHost: added information
     about custom config VirtualHost, mantis and javascript-common.
     Thanks to Wolfgang Schulze-Zacha (Closes: #635932)




--- End Message ---
