Bug 191089 (CVE-2006-1577)

Summary: mantis multiple vulnerabilities
Product: [Fedora] Fedora Reporter: Chris Ricker <chris.ricker>
Component: mantisAssignee: Gianluca Sforna <giallu>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: extras-qa, fedora-security-list
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 0.19.4-2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-01-09 10:40:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Ricker 2006-05-08 19:23:21 UTC 
Can mantis be rev'ed to 1.0.3 on FE4 and FE5? CVE which at least the current FE4
version appear to vulnerable to include:

2006-0664
2006-0665
2006-0840
2006-0841
2006-1577

1.0.3 is supposed to fix all these
Comment 1 Ville Skyttä 2006-05-13 08:25:57 UTC 
See also bug 169220
Comment 2 Jason Tibbitts 2006-08-02 14:23:51 UTC 
Note that Debian has released an update to their stable distro which supposedly
fixes 2006-0664, 2006-0665, 2006-0841 and 2006-1577.  While the versions don't
quite match up (they're at 0.19.2; FE4 has 0.19.4), there might be something
which can be used.

I'm not sure about 2006-0840.

http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00222.html
Comment 3 Ville Skyttä 2006-10-10 17:48:35 UTC 
Reassign to current maintainer.
Comment 4 Gianluca Sforna 2006-10-21 00:07:35 UTC 
FC-5 and FC-6 was updated with 1.0.5.

About FC-4, I do not feel confortable about supplying an update which is
guaranteed to require some manual steps to complete.

I applied some backported fixes already present in upstream CVS, but not yet
released as 0.19.5. 

Look for 0.19.5 in http://www.mantisbugtracker.com/bugs/changelog_page.php for
more details
Comment 5 Ville Skyttä 2006-10-23 20:49:56 UTC 
Looking briefly into the patches applied to the FC-4 package, it seems to me 
that CVE-2006-0665 and CVE-2006-0840 are fixed, but the following may remain 
unaddressed or only partially fixed: CVE-2006-0665, CVE-2006-0841, 
CVE-2006-1577

For more info, see the Debian patchkit at 
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2-5sarge4.1.diff.gz

Reopening for comments from someone more familiar with Mantis and PHP.
Comment 6 Gianluca Sforna 2007-01-09 10:40:59 UTC 
No more updates are going to FC4.

Closing since it is not applicable to FC5 and newer