
Fedora alert FEDORA-2008-6657 (mantis)

From:  updates@fedoraproject.org
To:  fedora-package-announce@redhat.com
Subject:  [SECURITY] Fedora 8 Update: mantis-1.1.2-1.fc8
Date:  Wed, 23 Jul 2008 07:21:54 +0000
Message-ID:  <20080723072154.5EA681AD0DC@bastion.fedora.phx.redhat.com>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-6657
2008-07-23 03:29:03
--------------------------------------------------------------------------------

Name        : mantis
Product     : Fedora 8
Version     : 1.1.2
Release     : 1.fc8
URL         : http://www.mantisbt.org/
Summary     : Web-based bugtracking system
Description :
Mantis is a web-based bugtracking system. It is written in the PHP
scripting language and requires the MySQL database and a webserver.
Mantis has been installed on Windows, MacOS, OS/2, and a variety of
Unix operating systems. Any web browser should be able to function as
a client.

Documentation can be found in: /usr/share/doc/mantis-1.1.2

When the package has finished installing, you will need to perform
some additional configuration steps; these are described in:
/usr/share/doc/mantis-1.1.2/README.Fedora

--------------------------------------------------------------------------------
Update Information:

Update to upstream version 1.1.2, fixing following security issues:

- 0008974: XSS Vulnerability in filters
- 0008975: CSRF Vulnerabilities in user_create (CVE-2008-2276)
- 0008976: Remote Code Execution in adm_config
- 0009154: arbitrary file inclusion through user preferences page

See upstream changelog for details on all bugs fixed in new upstream version:
http://www.mantisbt.org/bugs/changelog_page.php

--------------------------------------------------------------------------------
ChangeLog:

* Sat Jul 19 2008 Gianluca Sforna <giallu gmail com> - 1.1.2-1
- new upstream release
- add patch for bugnotes notification

* Sat Jan 19 2008 Gianluca Sforna <giallu gmail com> - 1.1.1-1
- new upstream release
- Add more info in README.Fedora about configuration, upgrades and SELinux

* Sat Jan 5 2008 Gianluca Sforna <giallu gmail com> - 1.1.0-1
- new upstream release
- rediffed patches
- allow local usage out of the box
- remove .htaccess files
- revert using embedded adodb
  see http://www.mantisbt.org/bugs/view.php?id=8256 for details
- improve description and README.Fedora
- Remove unneeded diffutils BR
- Updated License field

--------------------------------------------------------------------------------
References:

[ 1 ] Bug #446926 - CVE-2008-2276 mantis: multiple CSRF issues
      https://bugzilla.redhat.com/show_bug.cgi?id=446926
[ 2 ] Bug #448410 - mantis: code execution by users with administrative privileges
      https://bugzilla.redhat.com/show_bug.cgi?id=448410
[ 3 ] Bug #448404 - mantis: XSS in return_dynamic_filters.php
      https://bugzilla.redhat.com/show_bug.cgi?id=448404
[ 4 ] Bug #456044 - mantis: arbitrary file inclusion through user preferences page
      https://bugzilla.redhat.com/show_bug.cgi?id=456044

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update mantis' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys

--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...

