
Bug#600115: unblock: mantis/1.1.8+dfsg-8



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Team,

Please unblock mantis/1.1.8+dfsg-8


Closes bugs:

#599710 CVE-2010-3303
#599846 Updated Czech translation of mantis po-debconf messages


Here is the changelog:

mantis (1.1.8+dfsg-8) unstable; urgency=medium

  * debian/patches/09-CVE-2010-3303-04-and-05.diff:
    Fixes for CVE-2010-3303 (4) and (5) vulnerabilities.
    Note: Mantis debian packages (1.1.6 and 1.1.8) are not affected 
    for vulnerabilities described as 1, 2 and 3 at 
    http://security-tracker.debian.org/tracker/CVE-2010-3303
    (Closes: #599710)
  * debian/po/cs.po: Updated. (Closes: #599846)
    Thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>

 -- Dario Minnucci <midget@debian.org>  Wed, 13 Oct 2010 17:42:04 +0200


Debdiff attached.

Thanks in advance.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.35.7 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -Nru mantis-1.1.8+dfsg/debian/changelog mantis-1.1.8+dfsg/debian/changelog
--- mantis-1.1.8+dfsg/debian/changelog	2010-10-04 12:53:38.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/changelog	2010-10-13 17:49:49.000000000 +0200
@@ -1,3 +1,16 @@
+mantis (1.1.8+dfsg-8) unstable; urgency=medium
+
+  * debian/patches/09-CVE-2010-3303-04-and-05.diff:
+    Fixes for CVE-2010-3303 (4) and (5) vulnerabilities.
+    Note: Mantis debian packages (1.1.6 and 1.1.8) are not affected 
+    for vulnerabilities described as 1, 2 and 3 at 
+    http://security-tracker.debian.org/tracker/CVE-2010-3303
+    (Closes: #599710)
+  * debian/po/cs.po: Updated. (Closes: #599846)
+    Thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>
+
+ -- Dario Minnucci <midget@debian.org>  Wed, 13 Oct 2010 17:42:04 +0200
+
 mantis (1.1.8+dfsg-7) unstable; urgency=low
 
   * debian/po/da.po: Updated.
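Review bot: The new changelog entry (the first two bullet lines of this hunk) identifies the fix only by CVE sub-item numbers and never says which file is patched or that the issue is XSS, so a release-team reader has to open the tracker to judge the unblock. Suggest wording along the lines of "Escape project and category names in print_all_bug_page_word.php (XSS, CVE-2010-3303 items 4 and 5)". The two "Note:" lines also end in trailing whitespace, and "not affected for vulnerabilities" reads better as "not affected by the vulnerabilities".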
diff -Nru mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff
--- mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff	1970-01-01 01:00:00.000000000 +0100
+++ mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff	2010-10-13 17:42:01.000000000 +0200
@@ -0,0 +1,33 @@
+#
+# Description: Fix for CVE-2010-3303 (4) and (5) vulnerabilities.
+#
+#   Patch based on upstream repository commit:
+#   http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=3bc117fc87003af07d8871f7ad81b5c999215efd#patch1
+#
+#   CVE-2010-3303 : Multiple cross-site scripting (XSS) vulnerabilities 
+#   in MantisBT before 1.2.3 allow remote authenticated administrators to 
+#   inject arbitrary web script or HTML via (1) a plugin name, related to 
+#   manage_plugin_uninstall.php; (2) an enumeration value or (3) a String 
+#   value of a custom field, related to core/cfdefs/cfdef_standard.php; or 
+#   a (4) project or (5) category name to print_all_bug_page_word.php.
+#
+# Author: Dario Minnucci <midget@debian.org>
+# Bug: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3303
+# Bug: http://security-tracker.debian.org/tracker/CVE-2010-3303
+# Bug: http://www.mantisbt.org/bugs/view.php?id=12371
+# Bug-Debian: http://bugs.debian.org/599710
+# Last-Update: 2010-10-13
+#
+Index: mantis-1.1.8+dfsg/print_all_bug_page_word.php
+===================================================================
+--- mantis-1.1.8+dfsg.orig/print_all_bug_page_word.php	2010-10-13 17:17:36.767106519 +0200
++++ mantis-1.1.8+dfsg/print_all_bug_page_word.php	2010-10-13 17:17:55.062831594 +0200
+@@ -160,7 +160,7 @@
+ 		<?php echo $v_id ?>
+ 	</td>
+ 	<td class="print">
+-		<?php echo "[$t_project_name] $v_category" ?>
++		<?php echo '[' . string_display_line( $t_project_name ) . '] ' . string_display_line( $v_category ) ?>
+ 	</td>
+ 	<td class="print">
+ 		<?php echo get_enum_element( 'severity', $v_severity ) ?>
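Review bot: In the patch header, the upstream commit is referenced only inside the free-text description, and nothing says whether that commit was taken whole or only in part; an "Origin:" line carrying the commit URL, plus one sentence on what was left out and why (the changelog says items 1 to 3 do not affect this package), would make the backport auditable. Since this is a backport to 1.1.8 of a fix the CVE text places in 1.2.3, it is also worth confirming that string_display_line() is available at this point in print_all_bug_page_word.php in the 1.1.8 tree. The code change itself is confined to the single echo at line 163, where both $t_project_name and $v_category now pass through string_display_line() before being written into the table cell.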
diff -Nru mantis-1.1.8+dfsg/debian/patches/series mantis-1.1.8+dfsg/debian/patches/series
--- mantis-1.1.8+dfsg/debian/patches/series	2010-09-05 00:53:04.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/patches/series	2010-10-13 17:18:43.000000000 +0200
@@ -6,3 +6,4 @@
 05-fix-phpmailer.patch
 06-use-libnusoap-php.patch
 08-CVE-2010-2574.diff
+09-CVE-2010-3303-04-and-05.diff
diff -Nru mantis-1.1.8+dfsg/debian/po/cs.po mantis-1.1.8+dfsg/debian/po/cs.po
--- mantis-1.1.8+dfsg/debian/po/cs.po	2010-09-05 21:13:29.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/po/cs.po	2010-10-13 16:13:05.000000000 +0200
@@ -16,7 +16,7 @@
 "Project-Id-Version: mantis\n"
 "Report-Msgid-Bugs-To: mantis@packages.debian.org\n"
 "POT-Creation-Date: 2009-06-27 14:43+0200\n"
-"PO-Revision-Date: 2007-07-01 13:05+0200\n"
+"PO-Revision-Date: 2010-10-11 17:49+0200\n"
 "Last-Translator: Miroslav Kure <kurem@debian.cz>\n"
 "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
 "Language: cs\n"
@@ -115,15 +115,12 @@
 #. Type: note
 #. Description
 #: ../templates:6001
-#, fuzzy
-#| msgid ""
-#| "By default, the mantis package creates an administrator account. The "
-#| "password for this account is 'root'."
 msgid ""
 "By default, the mantis package creates an 'administrator' account. The "
 "password for this account is 'root'."
 msgstr ""
-"Balík mantis standardně vytváří správcovský účet s výchozím heslem „root“."
+"Balík mantis standardně vytváří účet „administrator“ s výchozím heslem "
+"„root“."
 
 #. Type: note
 #. Description
