Comment 5 for bug 690482

Revision history for this message
In , David Hicks (dhx) wrote:

The MantisBT project was notified by Gjoko Krstic of Zero Science Lab
(<email address hidden>) of multiple vulnerabilities affecting MantisBT
<1.2.4.

The two following advisories have been released explaining the
vulnerabilities in greater detail:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4983.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4984.php

As one of these vulnerabilities allows the reading of arbitrary files
from the file system we are treating this issue with critical severity.
Please note that this issue only affects users who have not removed the
"admin" directory from their MantisBT installation. We recommend,
instruct and warn users to remove this directory after installation;
however, it is clear that many users ignore these warnings.

I have requested CVE numbers via oss-sec (awaiting list moderation).

We have released MantisBT 1.2.4, which resolves the issue for users
of our stable 1.2.x branch. We do have a patch for MantisBT 1.1.x
available in the repository as well; however, this doesn't apply to
Gentoo.

The bug report tracking this issue upstream at MantisBT:
http://www.mantisbt.org/bugs/view.php?id=12607

If there are any questions or concerns please feel free to contact me.

Reproducible: Always

Steps to Reproduce: