http://secunia.com/advisories/16506/ http://www.gentoo.org/security/en/glsa/glsa-200509-16.xml
ping
...and the newest one, rated highly critical: http://secunia.com/advisories/16818/
There's more: 0.19.4 fixes: - #0006419: [security] File Upload Vulnerability (TKADV2005-11-002) (thraxisp) - #0006420: [security] Injection Vulnerabilities in Filters (TKADV2005-11-002) (thraxisp) - #0006457: [security] SQL Injection in manage user page (TKADV2005-11-002) (vboctor) - #0006460: [security] HTTP Header CRLF Injection (TKADV2005-11-002) (vboctor) - #0006486: [security] Port XSS Vulnerability in filters (TKADV2005-11-002) (thraxisp) http://seclists.org/lists/fulldisclosure/2005/Dec/1214.html
Extras currently has mantis-0.19.4-1.fc4. So most of these are irrelevant. > http://www.gentoo.org/security/en/glsa/glsa-200509-16.xml This is only for < 0.19.2. > http://secunia.com/advisories/16818/ This is only for < 0.19.3. > http://seclists.org/lists/fulldisclosure/2005/Dec/1214.html Again, these are for < 0.19.4. > http://secunia.com/advisories/16506/ In this, it says that from the five vulnerabilities listed, three are fixed in 0.19.3. Ville, would you please investigate the other two (#3 and #4 in the referred page) further?
(In reply to comment #4) > Extras currently has mantis-0.19.4-1.fc4. So most of these are irrelevant. They were not irrelevant at the time I reported them :) > Ville, would you please investigate the other two (#3 and #4 in the > referred page) further? Sorry, I don't have time for that (I don't have any use for mantis myself); I'm just reporting security bugs I happen to notice somewhere that don't seem to be fixed in Extras.
Enrico can i please ask you to check on the last few remaining issues here please?
Enrico, Please ensure that all issues are fixed. If not I will request that mantis be removed from extras for FC-6
Reassign to current maintainer.
I had a look at the reports: what I understand is that all issues are addressed in the currently distributed versions. The only unsure reports are #3 and #4 in http://secunia.com/advisories/16506/ but it looks like they are not detailed enough to understand how/if the app is vulnerable. closing CURRENTRELEASE