Debian (and by extension Ubuntu) use the same Apache configuration to help protect the /admin/ directory. As a result they have decided that the severity of the bug is not as high as first anticipated by upstream.
I guess it comes down to whether a typical user of this package will keep the /admin/ directory permissions in a locked down state.
This issue is more of a concern for Gentoo (and MantisBT users using the upstream package) where the /admin/ directory permissions are not in place.
Thanks Jan & Gianluca.