Bug#600115: unblock: mantis/1.1.8+dfsg-8
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi Team,
Please unblock mantis/1.1.8+dfsg-8
Closes bugs:
#599710 CVE-2010-3303
#599846 Updated Czech translation of mantis po-debconf messages
Here is the changelog:
mantis (1.1.8+dfsg-8) unstable; urgency=medium
* debian/patches/09-CVE-2010-3303-04-and-05.diff:
Fixes for CVE-2010-3303 (4) and (5) vulnerabilities.
Note: Mantis debian packages (1.1.6 and 1.1.8) are not affected
for vulnerabilities described as 1, 2 and 3 at
http://security-tracker.debian.org/tracker/CVE-2010-3303
(Closes: #599710)
* debian/po/cs.po: Updated. (Closes: #599846)
Thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>
-- Dario Minnucci <midget@debian.org> Wed, 13 Oct 2010 17:42:04 +0200
Debdiff attached.
Thanks in advance.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.35.7 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru mantis-1.1.8+dfsg/debian/changelog mantis-1.1.8+dfsg/debian/changelog
--- mantis-1.1.8+dfsg/debian/changelog 2010-10-04 12:53:38.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/changelog 2010-10-13 17:49:49.000000000 +0200
@@ -1,3 +1,16 @@
+mantis (1.1.8+dfsg-8) unstable; urgency=medium
+
+ * debian/patches/09-CVE-2010-3303-04-and-05.diff:
+ Fixes for CVE-2010-3303 (4) and (5) vulnerabilities.
+ Note: Mantis debian packages (1.1.6 and 1.1.8) are not affected
+ for vulnerabilities described as 1, 2 and 3 at
+ http://security-tracker.debian.org/tracker/CVE-2010-3303
+ (Closes: #599710)
+ * debian/po/cs.po: Updated. (Closes: #599846)
+ Thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>
+
+ -- Dario Minnucci <midget@debian.org> Wed, 13 Oct 2010 17:42:04 +0200
+
mantis (1.1.8+dfsg-7) unstable; urgency=low
* debian/po/da.po: Updated.
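Review bot: the new entry states that the 1.1.6 and 1.1.8 packages are not affected by items (1), (2) and (3) of CVE-2010-3303 but gives no basis for that claim; add a short reason (for example, that the affected files or code paths are not present in the 1.1.x tree) so the release and security teams can check it without re-auditing. Wording nit in the same line: "not affected for vulnerabilities" should read "not affected by the vulnerabilities".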
diff -Nru mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff
--- mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff 1970-01-01 01:00:00.000000000 +0100
+++ mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff 2010-10-13 17:42:01.000000000 +0200
@@ -0,0 +1,33 @@
+#
+# Description: Fix for CVE-2010-3303 (4) and (5) vulnerabilities.
+#
+# Patch based on upstream repository commit:
+# http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=3bc117fc87003af07d8871f7ad81b5c999215efd#patch1
+#
+# CVE-2010-3303 : Multiple cross-site scripting (XSS) vulnerabilities
+# in MantisBT before 1.2.3 allow remote authenticated administrators to
+# inject arbitrary web script or HTML via (1) a plugin name, related to
+# manage_plugin_uninstall.php; (2) an enumeration value or (3) a String
+# value of a custom field, related to core/cfdefs/cfdef_standard.php; or
+# a (4) project or (5) category name to print_all_bug_page_word.php.
+#
+# Author: Dario Minnucci <midget@debian.org>
+# Bug: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3303
+# Bug: http://security-tracker.debian.org/tracker/CVE-2010-3303
+# Bug: http://www.mantisbt.org/bugs/view.php?id=12371
+# Bug-Debian: http://bugs.debian.org/599710
+# Last-Update: 2010-10-13
+#
+Index: mantis-1.1.8+dfsg/print_all_bug_page_word.php
+===================================================================
+--- mantis-1.1.8+dfsg.orig/print_all_bug_page_word.php 2010-10-13 17:17:36.767106519 +0200
++++ mantis-1.1.8+dfsg/print_all_bug_page_word.php 2010-10-13 17:17:55.062831594 +0200
+@@ -160,7 +160,7 @@
+ <?php echo $v_id ?>
+ </td>
+ <td class="print">
+- <?php echo "[$t_project_name] $v_category" ?>
++ <?php echo '[' . string_display_line( $t_project_name ) . '] ' . string_display_line( $v_category ) ?>
+ </td>
+ <td class="print">
+ <?php echo get_enum_element( 'severity', $v_severity ) ?>
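Review bot: in the -160,7 +160,7 hunk the replacement line calls string_display_line(), while the header says the patch is based on an upstream commit and the CVE text refers to MantisBT before 1.2.3; confirm that string_display_line() is defined in the 1.1.8+dfsg tree, because an undefined function at this point would make print_all_bug_page_word.php fail instead of rendering the row. The fix covers only this one echo, so also check that the file does not print $t_project_name or $v_category raw anywhere else. In the patch header, an Origin: field pointing at the upstream commit would record the provenance better than the Author: field alone.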
diff -Nru mantis-1.1.8+dfsg/debian/patches/series mantis-1.1.8+dfsg/debian/patches/series
--- mantis-1.1.8+dfsg/debian/patches/series 2010-09-05 00:53:04.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/patches/series 2010-10-13 17:18:43.000000000 +0200
@@ -6,3 +6,4 @@
05-fix-phpmailer.patch
06-use-libnusoap-php.patch
08-CVE-2010-2574.diff
+09-CVE-2010-3303-04-and-05.diff
diff -Nru mantis-1.1.8+dfsg/debian/po/cs.po mantis-1.1.8+dfsg/debian/po/cs.po
--- mantis-1.1.8+dfsg/debian/po/cs.po 2010-09-05 21:13:29.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/po/cs.po 2010-10-13 16:13:05.000000000 +0200
@@ -16,7 +16,7 @@
"Project-Id-Version: mantis\n"
"Report-Msgid-Bugs-To: mantis@packages.debian.org\n"
"POT-Creation-Date: 2009-06-27 14:43+0200\n"
-"PO-Revision-Date: 2007-07-01 13:05+0200\n"
+"PO-Revision-Date: 2010-10-11 17:49+0200\n"
"Last-Translator: Miroslav Kure <kurem@debian.cz>\n"
"Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
"Language: cs\n"
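Review bot: the Last-Translator context line gives kurem@debian.cz, while the changelog credits kurem@upcase.inf.upol.cz for this same update; use one address in both places so the credit and the PO header agree.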
@@ -115,15 +115,12 @@
#. Type: note
#. Description
#: ../templates:6001
-#, fuzzy
-#| msgid ""
-#| "By default, the mantis package creates an administrator account. The "
-#| "password for this account is 'root'."
msgid ""
"By default, the mantis package creates an 'administrator' account. The "
"password for this account is 'root'."
msgstr ""
-"Balík mantis standardně vytváří správcovský účet s výchozím heslem „root“."
+"Balík mantis standardně vytváří účet „administrator“ s výchozím heslem "
+"„root“."
#. Type: note
#. Description