Can mantis be rev'ed to 1.0.3 on FE4 and FE5? CVEs which at least the current FE4 version appears to be vulnerable to include: 2006-0664, 2006-0665, 2006-0840, 2006-0841, 2006-1577. 1.0.3 is supposed to fix all of these.
See also bug 169220
Note that Debian has released an update to their stable distro which supposedly fixes 2006-0664, 2006-0665, 2006-0841 and 2006-1577. While the versions don't quite match up (they're at 0.19.2; FE4 has 0.19.4), there might be something which can be used. I'm not sure about 2006-0840. http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00222.html
Reassign to current maintainer.
FC-5 and FC-6 were updated with 1.0.5. About FC-4, I do not feel comfortable about supplying an update which is guaranteed to require some manual steps to complete. I applied some backported fixes already present in upstream CVS, but not yet released as 0.19.5. Look for 0.19.5 in http://www.mantisbugtracker.com/bugs/changelog_page.php for more details.
Looking briefly into the patches applied to the FC-4 package, it seems to me that CVE-2006-0665 and CVE-2006-0840 are fixed, but the following may remain unaddressed or only partially fixed: CVE-2006-0665, CVE-2006-0841, CVE-2006-1577. For more info, see the Debian patchkit at http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2-5sarge4.1.diff.gz. Reopening for comments from someone more familiar with Mantis and PHP.
No more updates are going to FC4. Closing since it is not applicable to FC5 and newer.