Bug 191089 - (CVE-2006-1577) mantis multiple vulnerabilities
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: mantis
Version: 4
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Gianluca Sforna
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened, Security
 
Reported: 2006-05-08 15:23 EDT by Chris Ricker
Modified: 2007-11-30 17:11 EST
Fixed In Version: 0.19.4-2
Doc Type: Bug Fix
Last Closed: 2007-01-09 05:40:59 EST
Description Chris Ricker 2006-05-08 15:23:21 EDT
Can mantis be rev'ed to 1.0.3 on FE4 and FE5? CVEs which at least the current FE4
version appears to be vulnerable to include:

2006-0664
2006-0665
2006-0840
2006-0841
2006-1577

1.0.3 is supposed to fix all these
Comment 1 Ville Skyttä 2006-05-13 04:25:57 EDT
See also bug 169220
Comment 2 Jason Tibbitts 2006-08-02 10:23:51 EDT
Note that Debian has released an update to their stable distro which supposedly
fixes 2006-0664, 2006-0665, 2006-0841 and 2006-1577.  While the versions don't
quite match up (they're at 0.19.2; FE4 has 0.19.4), there might be something
which can be used.

I'm not sure about 2006-0840.

http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00222.html
Comment 3 Ville Skyttä 2006-10-10 13:48:35 EDT
Reassign to current maintainer.
Comment 4 Gianluca Sforna 2006-10-20 20:07:35 EDT
FC-5 and FC-6 were updated with 1.0.5.

About FC-4, I do not feel comfortable about supplying an update which is
guaranteed to require some manual steps to complete.

I applied some backported fixes already present in upstream CVS, but not yet
released as 0.19.5. 

Look for 0.19.5 in http://www.mantisbugtracker.com/bugs/changelog_page.php for
more details
Comment 5 Ville Skyttä 2006-10-23 16:49:56 EDT
Looking briefly into the patches applied to the FC-4 package, it seems to me 
that CVE-2006-0665 and CVE-2006-0840 are fixed, but the following may remain 
unaddressed or only partially fixed: CVE-2006-0665, CVE-2006-0841, 
CVE-2006-1577

For more info, see the Debian patchkit at 
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2-5sarge4.1.diff.gz

Reopening for comments from someone more familiar with Mantis and PHP.
Comment 6 Gianluca Sforna 2007-01-09 05:40:59 EST
No more updates are going to FC4.

Closing since it is not applicable to FC5 and newer
