diff -u mantis-1.1.2+dfsg/debian/changelog mantis-1.1.2+dfsg/debian/changelog
--- mantis-1.1.2+dfsg/debian/changelog
+++ mantis-1.1.2+dfsg/debian/changelog
@@ -1,3 +1,16 @@
+mantis (1.1.2+dfsg-8ubuntu0.1) intrepid-security; urgency=low
+
+ * Backport security fixes from Debian. (LP: #291531)
+ - CVE-2008-4689: Mantis does not unset the session cookie
+ during the logout.
+ - CVE-2008-4688: Mantis does not check the privileges of the
+ viewer before composing a link with issue data in the source
+ anchor.
+ * Backport patch from Debian which fixes user registration (was
+ broken by the patches for CVE-2008-4689)
+
+ -- Andrew Starr-Bochicchio Thu, 11 Dec 2008 16:02:23 -0500
+
 mantis (1.1.2+dfsg-8) unstable; urgency=high
 
 * Urgency high because it is an update for a security issue
diff -u mantis-1.1.2+dfsg/debian/control mantis-1.1.2+dfsg/debian/control
--- mantis-1.1.2+dfsg/debian/control
+++ mantis-1.1.2+dfsg/debian/control
@@ -1,7 +1,8 @@
 Source: mantis
 Section: web
 Priority: optional
-Maintainer: Patrick Schoenfeld
+Maintainer: Ubuntu MOTU Developers
+XSBC-Original-Maintainer: Patrick Schoenfeld
 Homepage: http://www.mantisbugtracker.com
 Vcs-Svn: svn://svn.debian.org/svn/collab-maint/ext-maint/mantis/trunk
 Vcs-Browser: http://svn.debian.org/wsvn/collab-maint/ext-maint/mantis
diff -u mantis-1.1.2+dfsg/debian/patches/series mantis-1.1.2+dfsg/debian/patches/series
--- mantis-1.1.2+dfsg/debian/patches/series
+++ mantis-1.1.2+dfsg/debian/patches/series
@@ -7,0 +8,3 @@
+08-fix-CVE-2008-4689.patch
+09-fix-CVE-2008-4688.patch
+10-fix-user-registration-confirmation.patch
only in patch2: unchanged:
--- mantis-1.1.2+dfsg.orig/debian/patches/10-fix-user-registration-confirmation.patch
+++ mantis-1.1.2+dfsg/debian/patches/10-fix-user-registration-confirmation.patch
@@ -0,0 +1,102 @@
+#
+# Ubuntu: https://bugs.edge.launchpad.net/ubuntu/+source/mantis/+bug/291531
+# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503668
+# Upstream: http://www.mantisbt.org/bugs/view.php?id=9713
+# Patch: http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=be08bb894c95a5ab294600440ffc95943e668084
+# Description: Fixes user registration (was broken by the patches for CVE-2008-4689)
+#
+Index: mantis-1.1.2+dfsg/verify.php
+===================================================================
+--- mantis-1.1.2+dfsg.orig/verify.php 2008-05-22 00:24:30.000000000 +0200
++++ mantis-1.1.2+dfsg/verify.php 2008-10-28 16:13:53.000000000 +0100
+@@ -42,6 +42,11 @@
+ auth_logout();
+ }
+ 
++ # (Re)initialize session
++ session_regenerate_id();
++ session_init( session_id() );
++ $g_session_pass_id = ON;
++
+ $t_calculated_confirm_hash = auth_generate_confirm_hash( $f_user_id );
+ 
+ if ( $f_confirm_hash != $t_calculated_confirm_hash ) {
+@@ -49,7 +54,6 @@
+ }
+ 
+ # set a temporary cookie so the login information is passed between pages.
+- auth_logout();
+ auth_set_cookies( $f_user_id, false );
+ 
+ user_reset_failed_login_count_to_zero( $f_user_id );
+@@ -61,4 +65,4 @@
+ user_increment_failed_login_count( $f_user_id );
+ 
+ include ( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'account_page.php' );
+-?>
++
+Index: mantis-1.1.2+dfsg/account_page.php
+===================================================================
+--- mantis-1.1.2+dfsg.orig/account_page.php 2008-06-11 00:43:51.000000000 +0200
++++ mantis-1.1.2+dfsg/account_page.php 2008-10-28 16:13:29.000000000 +0100
+@@ -94,6 +94,9 @@
+
+
+
++
++
++
+
+
+
+Index: mantis-1.1.2+dfsg/core/session_api.php
+===================================================================
+--- mantis-1.1.2+dfsg.orig/core/session_api.php 2008-10-28 16:13:29.000000000 +0100
++++ mantis-1.1.2+dfsg/core/session_api.php 2008-10-28 16:13:29.000000000 +0100
+@@ -48,12 +48,17 @@
+ * to PHP's session.* settings in 'php.ini'.
+ */
+ class MantisPHPSession extends MantisSession {
+- function __construct() {
++ function __construct( $p_session_id=null ) {
+ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+ session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true, true );
+ } else {
+ session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), false, true );
+ }
++
++ if ( !is_null( $p_session_id ) ) {
++ session_id( $p_session_id );
++ }
++
+ session_start();
+ $this->id = session_id();
+ }
+@@ -97,12 +102,12 @@
+ /**
+ * Initialize the appropriate session handler.
+ */
+-function session_init() {
++function session_init( $p_session_id=null ) {
+ global $g_session, $g_session_handler;
+ 
+ switch( strtolower( $g_session_handler ) ) {
+ case 'php':
+- $g_session = new MantisPHPSession();
++ $g_session = new MantisPHPSession( $p_session_id );
+ break;
+ 
+ case 'adodb':
+@@ -184,4 +189,11 @@
+ 
+ 
+ ##### Initialize the session
+-session_init();
++$t_session_id = gpc_get_string( 'session_id', '' );
++
++if ( empty( $t_session_id ) ) {
++ session_init();
++} else {
++ session_init( $t_session_id );
++}
++
only in patch2: unchanged:
--- mantis-1.1.2+dfsg.orig/debian/patches/09-fix-CVE-2008-4688.patch
+++ mantis-1.1.2+dfsg/debian/patches/09-fix-CVE-2008-4688.patch
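Review bot: The new tail of core/session_api.php hands a request parameter read by `gpc_get_string( 'session_id', '' )` straight to `MantisPHPSession::__construct()`, which calls `session_id( $p_session_id )` before `session_start()` with no format or origin check, so whatever identifier a crafted link or form carries becomes the active session id; this adds a session-fixation exposure alongside the registration fix. The constructor should at least restrict the value to PHP's own session-id alphabet, e.g. `if ( !is_null( $p_session_id ) && preg_match( '/^[a-zA-Z0-9,-]+$/', $p_session_id ) ) {` (charset check constructed from the session-id format), and deployments on a PHP that supports `session.use_strict_mode` should enable it so ids the server never issued are rejected. In verify.php, `session_regenerate_id()` followed by `session_init( session_id() )` runs `session_start()` again on a session that core include presumably already started; whether PHP accepts that silently depends on the version, so the intent deserves a comment such as `# rotate the id before the new login is bound to this session`. The `$g_session_pass_id = ON;` flag is set without any comment and its consumer is outside this hunk, so a one-line note on what it enables would help the next reader.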
@@ -0,0 +1,21 @@
+#
+# Ubuntu: https://bugs.edge.launchpad.net/ubuntu/+source/mantis/+bug/291531
+# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503588
+# Upstream: http://www.mantisbt.org/bugs/view.php?id=9665
+# Patch: http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/string_api.php?r1=5285&r2=5384&pathrev=5384&diff_format=h
+# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4688
+# Description: CVE-2008-4688: Mantis does not check the privileges of the viewer before composing a link with issue data in the source anchor.
+#
+Index: mantis-1.1.2+dfsg/core/string_api.php
+===================================================================
+--- mantis-1.1.2+dfsg.orig/core/string_api.php 2008-10-27 11:52:57.000000000 +0100
++++ mantis-1.1.2+dfsg/core/string_api.php 2008-10-27 11:53:08.000000000 +0100
+@@ -306,7 +306,7 @@
+ if ( !isset( $string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] ) ) {
+ if ($p_include_anchor) {
+ $string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] = create_function('$p_array','
+- if (bug_exists( (int)$p_array[2] ) ) {
++ if ( bug_exists( (int)$p_array[2] ) && access_has_bug_level( VIEWER, (int)$p_array[2] ) ) {
+ return $p_array[1] . string_get_bug_view_link( (int)$p_array[2], null, ' . ($p_detail_info ? 'true' : 'false') . ', ' . ($p_fqdn ? 'true' : 'false') . ');
+ } else {
+ return $p_array[0];
only in patch2: unchanged:
--- mantis-1.1.2+dfsg.orig/debian/patches/08-fix-CVE-2008-4689.patch
+++ mantis-1.1.2+dfsg/debian/patches/08-fix-CVE-2008-4689.patch
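Review bot: The added guard hard-codes `VIEWER` as the required access level, so the link (with the issue data it carries) is still built for any viewer-level user even on an instance that raises `view_bug_threshold` above that; the check should use the same configured threshold the view pages enforce, `if ( bug_exists( (int)$p_array[2] ) && access_has_bug_level( config_get( 'view_bug_threshold' ), (int)$p_array[2] ) ) {`. This line sits inside a `create_function()` string, so the added call is compiled at runtime from that string; it parses as shown, but any further edit has to keep the surrounding quoting intact, and `create_function` is deprecated since PHP 7.2 and removed in 8.0, which is one more reason to keep this callback minimal. The non-anchor branch of the same callback builder lies outside the hunk, so whether the privilege check is also applied there cannot be confirmed from this view.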
@@ -0,0 +1,46 @@
+#
+# Ubuntu: https://bugs.edge.launchpad.net/ubuntu/+source/mantis/+bug/291531
+# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503588
+# Upstream: http://www.mantisbt.org/bugs/view.php?id=9664
+# Patch: http://www.mantisbt.org/bugs/file_download.php?file_id=1988&type=bug
+# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4689
+# Description: CVE-2008-4689: Mantis does not unset the session cookie during the logout.
+#
+Index: mantis-1.1.2+dfsg/core/authentication_api.php
+===================================================================
+--- mantis-1.1.2+dfsg.orig/core/authentication_api.php 2008-10-27 11:49:38.000000000 +0100
++++ mantis-1.1.2+dfsg/core/authentication_api.php 2008-10-27 11:50:45.000000000 +0100
+@@ -194,6 +194,9 @@
+ if (auth_clear_cookies()) {
+ helper_clear_pref_cookies();
+ }
++
++ session_clean();
++
+ return true;
+ }
+ 
+Index: mantis-1.1.2+dfsg/core/session_api.php
+===================================================================
+--- mantis-1.1.2+dfsg.orig/core/session_api.php 2008-10-27 11:49:06.000000000 +0100
++++ mantis-1.1.2+dfsg/core/session_api.php 2008-10-27 11:50:45.000000000 +0100
+@@ -51,6 +51,8 @@
+ function __construct() {
+ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
+ session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true, true );
++ } else {
++ session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), false, true );
+ }
+ session_start();
+ $this->id = session_id();
+@@ -83,6 +85,10 @@
+ }
+ 
+ function destroy() {
++ if ( isset( $_COOKIE[ session_name() ] ) && !headers_sent() ) {
++ gpc_set_cookie( session_name(), '', time() - 42000 );
++ }
++
+ unset( $_SESSION );
+ session_destroy();
+ }
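Review bot: The cookie expiry added to `destroy()` only works if `gpc_set_cookie()` emits the same path and domain that `session_set_cookie_params()` registered in the constructor, since a browser drops a cookie only when those attributes match; gpc_set_cookie's defaults are outside this hunk, so confirm they come from `config_get( 'cookie_path' )` / `config_get( 'cookie_domain' )` or pass them explicitly. When `headers_sent()` is already true the session cookie silently survives logout while the server-side session is destroyed; that path should at least be stated, e.g. `# cookie cannot be expired once output has started; the server-side session is still destroyed below`. The adjacent `unset( $_SESSION );` (context, not new) is the form the PHP manual advises against because it disables further `$_SESSION` registration in the same request; `$_SESSION = array();` is the documented way to clear it. The `session_clean()` now called from `auth_logout()` is defined outside this hunk, so whether it reaches `destroy()` on every handler cannot be confirmed here.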