Red Hat Bugzilla – Bug 219720
CVE-2006-6515: mantis bug reminder threshold issue
Last modified: 2007-11-30 17:11:51 EST
"Mantis before 1.1.0a2 sets the default value of $g_bug_reminder_threshold to
"reporter" instead of a more privileged role, which has unknown impact and
attack vectors, possibly related to frequency of reminders."
The CVE entry says 1.0.6 is vulnerable, however it looks to me as if it's not,
see the change in revision 1.222.214.171.124.126.96.36.199.2.2.11 at
FC-3 and FC-4 appear to be vulnerable.
AFAICT, 1.0.6 is definitely not affected:
I should ask on extras-list what I am supposed to do with legacy stuff, I
believe security is important but I can't afford to guarantee updates for 5
However, the situation could improve if:
will be done in time for 1.1.0
FC3/4 are not receiving updates anymore.
FC5 and newer are not affected. Closing.