Red Hat Bugzilla – Bug 169220
File inclusion, upload, XSS, and SQL injection vulnerabilities
Last modified: 2007-11-30 17:11:14 EST
...and the newest one, rated highly critical:
There's more: 0.19.4 fixes:
- #0006419: [security] File Upload Vulnerability (TKADV2005-11-002) (thraxisp)
- #0006420: [security] Injection Vulnerabilities in Filters (TKADV2005-11-002)
- #0006457: [security] SQL Injection in manage user page (TKADV2005-11-002)
- #0006460: [security] HTTP Header CRLF Injection (TKADV2005-11-002) (vboctor)
- #0006486: [security] Port XSS Vulnerability in filters (TKADV2005-11-002)
Extras currently has mantis-0.19.4-1.fc4. So most of these are irrelevant.
This is only for < 0.19.2.
This is only for < 0.19.3.
Again, these are for < 0.19.4.
In this, it says that from the five vulnerabilities listed, three are fixed in
0.19.3. Ville, would you please investigate the other two (#3 and #4 in the
referred page) further?
(In reply to comment #4)
> Extras currently has mantis-0.19.4-1.fc4. So most of these are irrelevant.
They were not irrelevant at the time I reported them :)
> Ville, would you please investigate the other two (#3 and #4 in the
> referred page) further?
Sorry, I don't have time for that (I don't have any use for mantis myself); I'm
just reporting security bugs I happen to notice somewhere that don't seem to be
fixed in Extras.
Enrico can i please ask you to check on the last few remaining issues here
Please ensure that all issues are fixed.
If not I will request that mantis be removed from extras for FC-6
Reassign to current maintainer.
I had a look at the reports: what I understand is that all issues are addressed
in the currently distributed versions.
The only unsure reports are #3 and #4 in
but it looks like they are not detailed enough to understand how/if the app is