Debian
mantis package

MantisBT <1.2.7 search.php multiple XSS vulnerabilities

Bug #828857 reported by David Hicks on 2011-08-18

258

This bug affects 1 person

	Status	Importance	Assigned to
Gentoo Linux	Fix Released	Low	gentoo-bugs #379739
mantis (Debian)	Fix Released	Unknown	debbugs #638321
mantis (Fedora)	Fix Released	Medium	redhat-bugs #731777
mantis (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

Original vulnerability report by Net.Edit0r (<email address hidden>) from BlACK Hat Group [http://black-hg.org] is available at: http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue: http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by Net.Edit0r is not reproducible (refer to the MantisBT bug report above for reasons why).

A patch for 1.2.6 is available at:
https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

MantisBT 1.2.7 is currently being packaged and will be available shortly through usual channels.

A CVE request and notice has been sent to <email address hidden>

CVE References

2011-2938

Revision history for this message

In Gentoo Bugzilla #379739, David Hicks (dhx) wrote on 2011-08-18:

Original vulnerability report by Net.Edit0r (<email address hidden>) from BlACK Hat Group [http://black-hg.org] is available at:
http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue: http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by Net.Edit0r is not reproducible (refer to the MantisBT bug report above for reasons why).

A patch for 1.2.6 is available at:
https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

MantisBT 1.2.7 is currently being packaged and will be available shortly through usual channels for distributions and standalone users to pick up.

Reproducible: Always

Revision history for this message

In Red Hat Bugzilla #731777, David (david-redhat-bugs) wrote on 2011-08-18:

#11

Original vulnerability report by Net.Edit0r (<email address hidden>) from BlACK Hat
Group [http://black-hg.org] is available at:
http://packetstormsecurity.org/files/104149

MantisBT bug report for full details of the issue:
http://www.mantisbt.org/bugs/view.php?id=13245

Please note that the second SQL injection vulnerability identified by
Net.Edit0r is not reproducible (refer to the MantisBT bug report above for
reasons why).

A patch for 1.2.6 is available at:
https://github.com/mantisbt/mantisbt/commit/317f3db3a3c68775de3acf3b15f55b1e3c18f93b

MantisBT 1.2.7 is currently being packaged and will be available shortly
through usual channels.

A CVE request and notice has been sent to <email address hidden>

David Hicks (dhx) on 2011-08-18

visibility:

private → public

Bug Watch Updater (bug-watch-updater) on 2011-08-18

Changed in gentoo:
importance:	Unknown → Critical
status:	Unknown → New

Revision history for this message

In Gentoo Bugzilla #379739, Ago-3 (ago-3) wrote on 2011-08-18:

1.2.7 Is not still out, but the vulnerability is fixed in git repository.

@Peter, Please choise if you want add directly 1.2.7, or patch 1.2.6.

Bug Watch Updater (bug-watch-updater) on 2011-08-18

Changed in mantis (Debian):
status:	Unknown → Confirmed

Revision history for this message

In Red Hat Bugzilla #731777, Vincent (vincent-redhat-bugs) wrote on 2011-08-18:

#12

Thanks so much for the report, David!

Revision history for this message

In Red Hat Bugzilla #731777, Vincent (vincent-redhat-bugs) wrote on 2011-08-18:

#13

Created mantis tracking bugs for this issue

Affects: fedora-all [bug 731854]
Affects: epel-5 [bug 731855]

Bug Watch Updater (bug-watch-updater) on 2011-08-19

Changed in mantis (Debian):
status:	Confirmed → Fix Released

Revision history for this message

In Red Hat Bugzilla #731777, Vincent (vincent-redhat-bugs) wrote on 2011-08-19:

#14

This was assigned the name CVE-2011-2938.

Bug Watch Updater (bug-watch-updater) on 2011-08-20

Changed in gentoo:
importance:	Critical → Low

Revision history for this message

In Gentoo Bugzilla #379739, pva (pva) wrote on 2011-08-25:

1.2.7 that fixes this issue is in the tree. Arch teams, please, stabilize.

Revision history for this message

In Gentoo Bugzilla #379739, Ago-3 (ago-3) wrote on 2011-08-25:

amd64 ok

Revision history for this message

In Gentoo Bugzilla #379739, Xarthisius (xarthisius) wrote on 2011-08-25:

ppc keywords dropped

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-08-25:

Per Debian, 1.1 is not affected. Oneiric is affected.

Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, a member of Ubuntu will review it and publish the package.

Thanks!

Revision history for this message

In Gentoo Bugzilla #379739, Tomka-w (tomka-w) wrote on 2011-08-26:

x86 stable. Thanks

Revision history for this message

In Gentoo Bugzilla #379739, Chainsaw (chainsaw) wrote on 2011-08-26:

+ 26 Aug 2011; Tony Vroon <email address hidden> mantisbt-1.2.7.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+ security bug #379739 filed by David Hicks.

Arches done, ready for GLSA voting.

Revision history for this message

In Gentoo Bugzilla #379739, Alex Legler (a3li) wrote on 2011-08-26:

#10

Closing noglsa.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-08-26:

[Updating] mantis (1.2.4-3 [Ubuntu] < 1.2.6-1 [Debian])
* Trying to add mantis...
2011-08-26 19:29:18 INFO - <mantis_1.2.6-1.dsc: downloading from http://ftp.debian.org/debian/>
2011-08-26 19:29:18 INFO - <mantis_1.2.6-1.debian.tar.gz: downloading from http://ftp.debian.org/debian/>
2011-08-26 19:29:18 INFO - <mantis_1.2.6.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
I: mantis [universe] -> mantis_1.2.4-3 [universe].

Changed in mantis (Ubuntu):
status:	New → Fix Released

Bug Watch Updater (bug-watch-updater) on 2011-08-29

Changed in gentoo:
status:	New → Fix Released

Revision history for this message

In Red Hat Bugzilla #731777, Vincent (vincent-redhat-bugs) wrote on 2012-08-10:

#15

Currently supported versions of Fedora have 1.2.8, which correct this flaw. EPEL's 1.1.8 may still be affected.

Revision history for this message

In Red Hat Bugzilla #731777, Vincent (vincent-redhat-bugs) wrote on 2013-03-15:

#16

EPEL5 hasn't been touched since Dec 2010, and the package is technically orphaned. As a result I'm closing this bug as this issue is fixed in Fedora. The EPEL5 tracking bug #800667 will remain open until either mantis is dropped from EPEL or it is fixed.

Bug Watch Updater (bug-watch-updater) on 2017-10-28

Changed in mantis (Fedora):
importance:	Unknown → Medium
status:	Unknown → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #638321
[done critical upstream security fixed-upstream patch] Edit
gentoo-bugs #379739
[RESOLVED FIXED] Edit
redhat-bugs #731777
[CLOSED CURRENTRELEASE] Edit
mantis-bt #13245
[closed: fixed] Edit

Bug watches keep track of this bug in other bug trackers.

Debianmantis package

MantisBT <1.2.7 search.php multiple XSS vulnerabilities

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Debian
mantis package