-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1467-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst January 19, 2008 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : mantis Vulnerability : several Problem type : remote Debian-specific: no CVE Id(s) : CVE-2006-6574 CVE-2007-6611 Debian Bug : 402802 458377 Several remote vulnerabilities have been discovered in Mantis, a web based bug tracking system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2006-6574 Custom fields were not appropriately protected by per-item access control, allowing for sensitive data to be published. CVE-2007-6611 Multiple cross site scripting issues allowed a remote attacker to insert malicious HTML or web script into Mantis web pages. The stable distribution (etch) is not affected by these problems. For the old stable distribution (sarge), these problems have been fixed in version 0.19.2-5sarge5. For the unstable distribution (sid), these problems have been fixed in version 1.0.8-4. We recommend that you upgrade your mantis package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2-5sarge5.dsc Size/MD5 checksum: 874 176c95ad5f1142fcb9364540fd19eeea http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2.orig.tar.gz Size/MD5 checksum: 1298615 042c42c6de3bc536181391c1e9b25db3 http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2-5sarge5.diff.gz Size/MD5 checksum: 46292 b1c5f077e0046c5b33d77e99a2b4ffe5 Architecture independent packages: http://security.debian.org/pool/updates/main/m/mantis/mantis_0.19.2-5sarge5_all.deb Size/MD5 checksum: 898014 5708305cbd20cde4825b3adb7d72d3a1 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iQEVAwUBR5Hs4mz0hbPcukPfAQKqVggAjAIIsz2BI6ol9YKV42xsmoflT9OcfHyY zjfPheB+HCRSELYFyV0hnWxIEBW/65KDE5O9wAjGCfmspbZgRgg9Fc7tw6U6I7AM zzMNp/M4PlK3PqCYMUrRyRqhW0zizXIiIKN4y6bFI0FcyVXw1BJDKdiSef1yZxUH FXUS7rRZwNZ/+tW+zQ5bvuMjnk2gJkOAxQvUZi7J4iHOJZMuoKrusv4BfW2wUFLK 57zSaIACPqTGHrRF8U0BHp0u+eP7uoarMpGFzYEG7UQ7mx3nIgbAF22k+k2xxFnr x+0TaqZaRoKt14KtQLos3U+TAc11rWvTUN2o/+bIfhL9b8GuTOHaNQ== =fvqR -----END PGP SIGNATURE-----