Bug 191089 (CVE-2006-1577) - mantis multiple vulnerabilities
Summary: mantis multiple vulnerabilities
Status: CLOSED NEXTRELEASE
Alias: CVE-2006-1577
Product: Fedora
Classification: Fedora
Component: mantis (Show other bugs)
(Show other bugs)
Version: 4
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Gianluca Sforna
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Reopened, Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-05-08 19:23 UTC by Chris Ricker
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version: 0.19.4-2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-09 10:40:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Chris Ricker 2006-05-08 19:23:21 UTC
Can mantis be rev'ed to 1.0.3 on FE4 and FE5? CVE which at least the current FE4
version appear to vulnerable to include:

2006-0664
2006-0665
2006-0840
2006-0841
2006-1577

1.0.3 is supposed to fix all these

Comment 1 Ville Skyttä 2006-05-13 08:25:57 UTC
See also bug 169220

Comment 2 Jason Tibbitts 2006-08-02 14:23:51 UTC
Note that Debian has released an update to their stable distro which supposedly
fixes 2006-0664, 2006-0665, 2006-0841 and 2006-1577.  While the versions don't
quite match up (they're at 0.19.2; FE4 has 0.19.4), there might be something
which can be used.

I'm not sure about 2006-0840.

http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00222.html

Comment 3 Ville Skyttä 2006-10-10 17:48:35 UTC
Reassign to current maintainer.

Comment 4 Gianluca Sforna 2006-10-21 00:07:35 UTC
FC-5 and FC-6 was updated with 1.0.5.

About FC-4, I do not feel confortable about supplying an update which is
guaranteed to require some manual steps to complete.

I applied some backported fixes already present in upstream CVS, but not yet
released as 0.19.5. 

Look for 0.19.5 in http://www.mantisbugtracker.com/bugs/changelog_page.php for
more details

Comment 5 Ville Skyttä 2006-10-23 20:49:56 UTC
Looking briefly into the patches applied to the FC-4 package, it seems to me 
that CVE-2006-0665 and CVE-2006-0840 are fixed, but the following may remain 
unaddressed or only partially fixed: CVE-2006-0665, CVE-2006-0841, 
CVE-2006-1577

For more info, see the Debian patchkit at 
http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2-5sarge4.1.diff.gz

Reopening for comments from someone more familiar with Mantis and PHP.

Comment 6 Gianluca Sforna 2007-01-09 10:40:59 UTC
No more updates are going to FC4.

Closing since it is not applicable to FC5 and newer


Note You need to log in before you can comment on or make changes to this bug.