[CVE-2008-4688] [CVE-2008-4689] multiple security vulnerabilities

Bug #291531 reported by Patrick Schoenfeld
Affects          Status         Importance   Assigned to   Milestone
Debian           Fix Released   Unknown
mantis (Ubuntu)  Fix Released   High         Unassigned
Intrepid         Fix Released   High         Unassigned

Bug Description

Binary package hint: mantis

The version of mantis in intrepid has several security issues that are fixed in mantis 1.1.2+dfsg-10 in Debian sid.
See bug #503588 in the Debian bug tracker for details.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503588

Patrick Schoenfeld (schoenfeld-debian) wrote :

Sorry, is nobody interested in fixing this?

Andrew Starr-Bochicchio (andrewsomething) wrote :

These are fixed in Jaunty so marking "Fix Released." Opening an Intrepid task, to backport the fixes there.

mantis (1.1.2+dfsg-10) unstable; urgency=high

  * Urgency high because it fixes a severity important problem
    introduced by a security fix.
  * Add upstream patch which fixes user registration (was broken by the
    patches for CVE-2008-4689)
    (Closes: #503668)

Changed in mantis:
status: New → Fix Released
Andrew Starr-Bochicchio (andrewsomething) wrote :

Fix for intrepid attached, motu-sru subscribed

mantis (1.1.2+dfsg-8ubuntu0.1) intrepid-proposed; urgency=low

  * Backport security fixes from Debian. (LP: #291531)
   - CVE-2008-4689: Mantis does not unset the session cookie
     during the logout.
   - CVE-2008-4688: Mantis does not check the privileges of the
     viewer before composing a link with issue data in the source
     anchor.
  * Backport patch from Debian which fixes user registration (was
    broken by the patches for CVE-2008-4689)

Changed in mantis:
importance: Undecided → High
Andrew Starr-Bochicchio (andrewsomething) wrote :

Subscribing motu-swat as well.

(Off topic: Shouldn't they be subscribed automatically to security bugs in universe as opposed to ubuntu-security who as I understand focus on main?)

Changed in mantis:
importance: Undecided → High
status: New → Confirmed
Changed in mantis:
status: Confirmed → In Progress
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff!

I'm reviewing the debdiff you included for Intrepid. Could you please change the following so I can release it:
- Change the pocket to "intrepid-security"
- Tag the patches including a URL so I can see where the patch came from

(see https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines)

Thank you!

Changed in mantis:
status: In Progress → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Also, after you submit the revised debdiff, could you please change the status of this bug back to "In Progress" so we'll get a notification. Thanks.

Andrew Starr-Bochicchio (andrewsomething) wrote :
Changed in mantis:
status: Confirmed → In Progress
Marc Deslauriers (mdeslaur) wrote :

Thanks!

Package is building for Intrepid.

Is Dapper, Gutsy or Hardy affected by these issues?

Changed in mantis:
status: In Progress → Fix Committed
Andrew Starr-Bochicchio (andrewsomething) wrote :

I'm not sure how these things are handled in *-backports, but 1.1.2+dfsg-8~hardy1 in hardy-backports is definitely affected.

1.0.8-4 in hardy, 1.0.7+dfsg-1 in gutsy, and 0.19.4-2 in dapper may very well be affected as well. The CVE describes the issue as affecting "Mantis before 1.1.3." I have not attempted to see if these patches will apply cleanly there.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mantis - 1.1.2+dfsg-8ubuntu0.1

---------------
mantis (1.1.2+dfsg-8ubuntu0.1) intrepid-security; urgency=low

  * Backport security fixes from Debian. (LP: #291531)
   - CVE-2008-4689: Mantis does not unset the session cookie
     during the logout.
   - CVE-2008-4688: Mantis does not check the privileges of the
     viewer before composing a link with issue data in the source
     anchor.
  * Backport patch from Debian which fixes user registration (was
    broken by the patches for CVE-2008-4689)

 -- Andrew Starr-Bochicchio <email address hidden> Thu, 11 Dec 2008 16:02:23 -0500

Changed in mantis:
status: Fix Committed → Fix Released
Changed in debian:
status: Unknown → Fix Released