[Bug 219720] New: CVE-2006-6515: mantis bug reminder threshold issue
bugzilla at redhat.com
bugzilla at redhat.com
Thu Dec 14 22:02:05 UTC 2006
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219720
Summary: CVE-2006-6515: mantis bug reminder threshold issue
Product: Fedora Extras
Version: fc4
Platform: All
OS/Version: Linux
Status: NEW
Severity: normal
Priority: normal
Component: mantis
AssignedTo: giallu at gmail.com
ReportedBy: ville.skytta at iki.fi
QAContact: extras-qa at fedoraproject.org
CC: extras-qa at fedoraproject.org,fedora-security-
list at redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6515
"Mantis before 1.1.0a2 sets the default value of $g_bug_reminder_threshold to
"reporter" instead of a more privileged role, which has unknown impact and
attack vectors, possibly related to frequency of reminders."
The CVE entry says 1.0.6 is vulnerable, however it looks to me as if it's not,
see the change in revision 1.283.2.1.2.1.2.1.2.2.2.11 at
http://mantisbt.cvs.sourceforge.net/mantisbt/mantisbt/config_defaults_inc.php?view=log
FC-3 and FC-4 appear to be vulnerable.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
More information about the security
mailing list