Bug 219720 (CVE-2006-6515)

Summary: CVE-2006-6515: mantis bug reminder threshold issue
Product: [Fedora] Fedora Reporter: Ville Skyttä <ville.skytta>
Component: mantisAssignee: Gianluca Sforna <giallu>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: extras-qa, fedora-security-list
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-01-09 10:47:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ville Skyttä 2006-12-14 22:02:04 UTC 
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6515

"Mantis before 1.1.0a2 sets the default value of $g_bug_reminder_threshold to
"reporter" instead of a more privileged role, which has unknown impact and
attack vectors, possibly related to frequency of reminders."

The CVE entry says 1.0.6 is vulnerable, however it looks to me as if it's not,
see the change in revision 1.283.2.1.2.1.2.1.2.2.2.11 at
http://mantisbt.cvs.sourceforge.net/mantisbt/mantisbt/config_defaults_inc.php?view=log

FC-3 and FC-4 appear to be vulnerable.
Comment 1 Gianluca Sforna 2006-12-17 09:02:40 UTC 
AFAICT, 1.0.6 is definetely not affected:

http://www.mantisbugtracker.com/bugs/view.php?id=7543

I should ask on extras-list what I am supposed to do with legacy stuff, I
believe security is important but I can't afford to guarantee updates for 5
branches.

However, the situation could improve if:

http://www.mantisbugtracker.com/bugs/view.php?id=7663

will be done in time for 1.1.0
Comment 2 Gianluca Sforna 2007-01-09 10:47:05 UTC 
FC3/4 are not receiving updates anymore.

FC5 and newer are not affected. Closing