FS#42920 : [mantisbt] SQL injection (CVE-2014-9089)

FS#42920 - [mantisbt] SQL injection (CVE-2014-9089)

Attached to Project: Community Packages
Opened by Remi Gacogne (rgacogne) - Thursday, 27 November 2014, 08:36 GMT
Last edited by Maxime Gauduin (Alucryd) - Monday, 01 December 2014, 09:09 GMT

Task Type	Bug Report
Category	Upstream Bugs
Status	Closed
Assigned To	Maxime Gauduin (Alucryd)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

A remote SQL injection has been found in mantisbt <= 1.2.17 [1]. If 1.2.18 is not released soon (no idea about that) we may want to backport the security fix [2].

[1]: https://www.mantisbt.org/bugs/view.php?id=17841
[2]: https://github.com/mantisbt/mantisbt/commit/b0021673ab23249244119bde3c7fcecd4daa4e7f

This task depends upon

Closed by Maxime Gauduin (Alucryd)
Monday, 01 December 2014, 09:09 GMT
Reason for closing: Fixed
Additional comments about closing: 1.2.17-5

Comment by Remi Gacogne (rgacogne) - Thursday, 27 November 2014, 09:01 GMT

Looks like a new security issue (CVE-2014-9117) has been found in the captcha: https://www.mantisbt.org/bugs/view.php?id=17811

Comment by Levente Polyak (anthraxx) - Thursday, 27 November 2014, 19:33 GMT

If you are doing another patch round, you may also consider those two fixes until 1.2.18 (XSS + flawed attachment download access check).

https://github.com/mantisbt/mantisbt/commit/49c3d089
https://github.com/mantisbt/mantisbt/commit/5f0b150b

Comment by Maxime Gauduin (Alucryd) - Monday, 01 December 2014, 09:08 GMT

Man, this thing is like a wack-a-mole game, I'm starting to regret wanting to package it. Thx as always guys.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#42920 - [mantisbt] SQL injection (CVE-2014-9089)

Details

Loading...