Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201211-01 ] MantisBT: Multiple vulnerabilities
Date: Thu, 08 Nov 2012 18:11:10
Message-Id: 509B8C11.4010601@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201211-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: MantisBT: Multiple vulnerabilities
Date: November 08, 2012
Bugs: #348761, #381417, #386153, #407121, #420375
ID: 201211-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MantisBT, the worst of
which allows for local file inclusion.

Background
==========

MantisBT is a PHP/MySQL/Web based bugtracking system.

Affected packages
=================

-------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  www-apps/mantisbt           < 1.2.11                  >= 1.2.11
-------------------------------------------------------------------

Description
===========

Multiple vulnerabilities have been discovered in MantisBT. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could exploit these vulnerabilities to conduct
directory traversal attacks, disclose the contents of local files,
inject arbitrary web scripts, obtain sensitive information, bypass
authentication and intended access restrictions, or manipulate bugs and
attachments.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MantisBT users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/mantisbt-1.2.11"
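The advisory's affected range is "< 1.2.11". The following shell function is an added example, not part of the GLSA or of Gentoo's tooling: it takes a MantisBT version string (for instance the version reported by the package manager) and returns success when that version falls inside the vulnerable range, so an administrator can confirm whether the upgrade above is still outstanding. It assumes plain dotted numeric versions with an optional Gentoo "-rN" revision suffix; the comparison is done component by component in POSIX sh so it does not depend on GNU sort -V.

```shell
# Added example (not from the advisory). Returns 0 when version $1 is
# strictly older than version $2, comparing dotted numeric components.
# Assumption: both strings are of the form x.y.z (any depth); missing
# trailing components count as 0 (so 1.2 == 1.2.0).
vercmp_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}" # consume it
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1                                  # equal: not "less than"
}

# Returns 0 (affected) when the given MantisBT version is below the
# unaffected version 1.2.11 named in the advisory, 1 otherwise.
# A Gentoo revision suffix such as -r1 is stripped before comparing.
mantisbt_affected() {
    ver="${1%%-r*}"
    vercmp_lt "$ver" "1.2.11"
}

# Example use with a constructed version string (not a real system's):
if mantisbt_affected "1.2.8-r1"; then
    echo "www-apps/mantisbt 1.2.8-r1: affected, upgrade to >= 1.2.11"
else
    echo "www-apps/mantisbt 1.2.8-r1: not affected"
fi
```

Feed the function the installed version (for example the version component of the installed www-apps/mantisbt package); a success return means the host is still within the range the advisory covers.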

References
==========

[ 1 ] CVE-2010-3303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3303
[ 2 ] CVE-2010-3763
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3763
[ 3 ] CVE-2010-4348
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4348
[ 4 ] CVE-2010-4349
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4349
[ 5 ] CVE-2010-4350
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4350
[ 6 ] CVE-2011-2938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2938
[ 7 ] CVE-2011-3356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3356
[ 8 ] CVE-2011-3357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3357
[ 9 ] CVE-2011-3358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3358
[ 10 ] CVE-2011-3578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3578
[ 11 ] CVE-2011-3755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3755
[ 12 ] CVE-2012-1118
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1118
[ 13 ] CVE-2012-1119
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1119
[ 14 ] CVE-2012-1120
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1120
[ 15 ] CVE-2012-1121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1121
[ 16 ] CVE-2012-1122
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1122
[ 17 ] CVE-2012-1123
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1123
[ 18 ] CVE-2012-2691
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2691
[ 19 ] CVE-2012-2692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2692

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201211-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
