A flaw was found in Mantis that allow users to get bug title and status for the bugs that are otherwise not accessible to the user. Upstream bug report: http://www.mantisbt.org/bugs/view.php?id=9321 Fixed upstream in 1.1.3: http://www.mantisbt.org/bugs/changelog_page.php http://mantisbt.svn.sourceforge.net/mantisbt/?rev=5384&view=rev
Other references: http://www.openwall.com/lists/oss-security/2008/10/20/1
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9015 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8925