Hilko Bengen wrote:
> >> mantis 1.0.0-rc2 fixed these security problems, that seem to be missing in
> >> the latest DSA upload that fixed several others:
> >>
> >> - 0006097: [security] user ID is cached indefinately (thraxisp)
> >> - 0006189: [security] List of users (in filter) visible for unauthorized
> >>   users. (thraxisp)
> >>
> >> Besides that there was a CVE assignment (CAN-2005-3091) for a
> >> Cross-Site-Scripting vulnerability that refers to the Mantis bug 5751,
> >> for which I can't find a referenced fix in the 0.19.2-4 changelog as well.
> >
> > Three weeks later, there has been no response yet from the maintainer,
> > perhaps you are busy with other projects? Since I think it's important
> > that RC bugs get fixed in a timely manner, I am looking into preparing
> > an NMU for this within the next week. This is of course no offense but
> > an effort to help improve the quality of Debian.
>
> No offense taken. My impression was that those bugs had all been fixed
> in the last security update, as Joey suggested.

DSA-778 fixed CVE-2005-2556, CVE-2005-2557, CVE-2005-3090 (this was added to
the DSA text in retrospect) and has been pulled over to sid.

I haven't checked that with the sources yet, but the mantis bugs

0006097: [security] user ID is cached indefinately (thraxisp)
0006189: [security] List of users (in filter) visible for unauthorized users. (thraxisp)
0005751: Non-descript Cross-Site-Scripting issue aka CVE-2005-3091

seem required for sid. Sarge might be affected as well.

Cheers,
        Moritz