-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Jun 2012 22:34:17 +0200
Source: mantis
Binary: mantis
Architecture: source all
Version: 1.1.8+dfsg-10squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Silvia Alvarez <sils@powered-by-linux.com>
Changed-By: Dario Minnucci <midget@debian.org>
Description:
 mantis - web-based bug tracking system
Closes: 669924 669925 669926 669927 669928 669930
Changes:
 mantis (1.1.8+dfsg-10squeeze2) stable-security; urgency=high
 .
   * Urgency high: Fixes some CVEs
     - CVE-2011-3578: Added this note as history update.
       This issue was really fixed in '1.1.8+dfsg-10squeeze1' upload
       (via 12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff patch)
       but there was no CVE ID assigned at that moment, so there are no
       references to it in the changelog.
       The issue on the Security Tracker was manually updated thanks to
       Thijs Kinkhorst <thijs@debian.org>.
     - CVE-2012-1118: Array value for $g_private_bug_threshold configuration
       option allows bypass of access. (Closes: #669924)
     - CVE-2012-1119: copy/clone bug report action failed to leave an audit
       trail. (Closes: #669928)
     - CVE-2012-1120: Delete_bug_threshold/bugnote_allow_user_edit_delete
       access check bypass. (Closes: #669925)
     - CVE-2012-1121: mantis 1.1.8 is not affected by this issue.
       (Closes: #669926)
     - CVE-2012-1122: Incorrect access checks performed when moving bugs
       between projects. (Closes: #669927)
     - CVE-2012-1123: SOAP API null password authentication bypass
       (Closes: #669930)
     - CVE-2012-2691: Reporters can update notes of other users by using
       SOAP API. This bug does not affect the mantis package in squeeze.
       Affected function 'mc_issue_note_update' is not implemented in
       mantis version 1.1.8.
     - CVE-2012-2692: delete_attachments_threshold not checked on attachment
       deletion.
       Thanks to David Hicks <d@hx.id.au>
Checksums-Sha1:
 1a781295d7fd3aa96b2df61fe57248301ecb5fc2 1786 mantis_1.1.8+dfsg-10squeeze2.dsc
 57f71bee370ecc38318543e9312f648240d6f8e7 61166 mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
 a4a010b13b45c2ff9c8efbcd9b208b61336abe43 1786836 mantis_1.1.8+dfsg-10squeeze2_all.deb
Checksums-Sha256:
 4bb7b23cb8f6e7a4a607064f8faf514188cd7810b289735a11ef0270f135e2c4 1786 mantis_1.1.8+dfsg-10squeeze2.dsc
 7138c0f5ce38dbcccb560e302371fb0bcb4abe75dc562c698a6cfdcf479c33a4 61166 mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
 1e2021d9abac520ce1671443bd70a3a7bdbd0ed7263f1cd38006d7759b02b522 1786836 mantis_1.1.8+dfsg-10squeeze2_all.deb
Files:
 97de550ec12db62eb20c52b285d9dcec 1786 web optional mantis_1.1.8+dfsg-10squeeze2.dsc
 0973f46131a418134415f5e0c4f08552 61166 web optional mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
 80a067c6563aff1501316fd222ed4397 1786836 web optional mantis_1.1.8+dfsg-10squeeze2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----

Accepted:
mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
  to main/m/mantis/mantis_1.1.8+dfsg-10squeeze2.debian.tar.gz
mantis_1.1.8+dfsg-10squeeze2.dsc
  to main/m/mantis/mantis_1.1.8+dfsg-10squeeze2.dsc
mantis_1.1.8+dfsg-10squeeze2_all.deb
  to main/m/mantis/mantis_1.1.8+dfsg-10squeeze2_all.deb