Original vulnerability report by Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat
Group [http://black-hg.org] is available at:
MantisBT bug report for full details of the issue:
Please note that the second SQL injection vulnerability identified by
Net.Edit0r is not reproducible (refer to the MantisBT bug report above for
A patch for 1.2.6 is available at:
MantisBT 1.2.7 is currently being packaged and will be available shortly
through usual channels.
A CVE request and notice has been sent to firstname.lastname@example.org
Thanks so much for the report, David!
Created mantis tracking bugs for this issue
Affects: fedora-all [bug 731854]
Affects: epel-5 [bug 731855]
This was assigned the name CVE-2011-2938.
Currently supported versions of Fedora have 1.2.8, which correct this flaw. EPEL's 1.1.8 may still be affected.
EPEL5 hasn't been touched since Dec 2010, and the package is technically orphaned. As a result I'm closing this bug as this issue is fixed in Fedora. The EPEL5 tracking bug #800667 will remain open until either mantis is dropped from EPEL or it is fixed.