Red Hat Bugzilla – Bug 191089
mantis multiple vulnerabilities
Last modified: 2007-11-30 17:11:32 EST
Can mantis be rev'ed to 1.0.3 on FE4 and FE5? CVEs which at least the current FE4
version appears to be vulnerable to include:
1.0.3 is supposed to fix all these
See also bug 169220
Note that Debian has released an update to their stable distro which supposedly
fixes 2006-0664, 2006-0665, 2006-0841 and 2006-1577. While the versions don't
quite match up (they're at 0.19.2; FE4 has 0.19.4), there might be something
which can be used.
I'm not sure about 2006-0840.
Reassign to current maintainer.
FC-5 and FC-6 were updated with 1.0.5.
About FC-4, I do not feel comfortable about supplying an update which is
guaranteed to require some manual steps to complete.
I applied some backported fixes already present in upstream CVS, but not yet
released as 0.19.5.
Look for 0.19.5 in http://www.mantisbugtracker.com/bugs/changelog_page.php for
Looking briefly into the patches applied to the FC-4 package, it seems to me
that CVE-2006-0665 and CVE-2006-0840 are fixed, but the following may remain
unaddressed or only partially fixed: CVE-2006-0665, CVE-2006-0841,
For more info, see the Debian patchkit at
Reopening for comments from someone more familiar with Mantis and PHP.
No more updates are going to FC4.
Closing since it is not applicable to FC5 and newer