
Bug#600115: marked as done (unblock: mantis/1.1.8+dfsg-8)



Your message dated Wed, 13 Oct 2010 22:37:11 +0200
with message-id <4CB61877.5040309@debian.org>
and subject line Re: Bug#600115: unblock: mantis/1.1.8+dfsg-8
has caused the Debian Bug report #600115,
regarding unblock: mantis/1.1.8+dfsg-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
600115: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600115
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Team,

Please unblock mantis/1.1.8+dfsg-8


Closes bugs:

#599710 CVE-2010-3303
#599846 Updated Czech translation of mantis po-debconf messages


Here is the changelog:

mantis (1.1.8+dfsg-8) unstable; urgency=medium

  * debian/patches/09-CVE-2010-3303-04-and-05.diff:
    Fixes for CVE-2010-3303 (4) and (5) vulnerabilities.
    Note: Mantis debian packages (1.1.6 and 1.1.8) are not affected 
    for vulnerabilities described as 1, 2 and 3 at 
    http://security-tracker.debian.org/tracker/CVE-2010-3303
    (Closes: #599710)
  * debian/po/cs.po: Updated. (Closes: #599846)
    Thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>

 -- Dario Minnucci <midget@debian.org>  Wed, 13 Oct 2010 17:42:04 +0200


Debdiff attached.

Thanks in advance.


- -- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.35.7 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----
diff -Nru mantis-1.1.8+dfsg/debian/changelog mantis-1.1.8+dfsg/debian/changelog
--- mantis-1.1.8+dfsg/debian/changelog	2010-10-04 12:53:38.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/changelog	2010-10-13 17:49:49.000000000 +0200
@@ -1,3 +1,16 @@
+mantis (1.1.8+dfsg-8) unstable; urgency=medium
+
+  * debian/patches/09-CVE-2010-3303-04-and-05.diff:
+    Fixes for CVE-2010-3303 (4) and (5) vulnerabilities.
+    Note: Mantis debian packages (1.1.6 and 1.1.8) are not affected 
+    for vulnerabilities described as 1, 2 and 3 at 
+    http://security-tracker.debian.org/tracker/CVE-2010-3303
+    (Closes: #599710)
+  * debian/po/cs.po: Updated. (Closes: #599846)
+    Thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>
+
+ -- Dario Minnucci <midget@debian.org>  Wed, 13 Oct 2010 17:42:04 +0200
+
 mantis (1.1.8+dfsg-7) unstable; urgency=low
 
   * debian/po/da.po: Updated.
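Review bot: the note in the new 1.1.8+dfsg-8 entry that the 1.1.6 and 1.1.8 packages are "not affected" by items 1, 2 and 3 gives no reason, so a later reader cannot re-check the claim. Suggest adding one clause saying why, for example whether manage_plugin_uninstall.php and core/cfdefs/cfdef_standard.php (the files the CVE description ties to those items) exist in the 1.1.x tree at all. Minor: the added lines ending "are not affected " and "1, 2 and 3 at " carry trailing whitespace.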
diff -Nru mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff
--- mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff	1970-01-01 01:00:00.000000000 +0100
+++ mantis-1.1.8+dfsg/debian/patches/09-CVE-2010-3303-04-and-05.diff	2010-10-13 17:42:01.000000000 +0200
@@ -0,0 +1,33 @@
+#
+# Description: Fix for CVE-2010-3303 (4) and (5) vulnerabilities.
+#
+#   Patch based on upstream repository commit:
+#   http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=3bc117fc87003af07d8871f7ad81b5c999215efd#patch1
+#
+#   CVE-2010-3303 : Multiple cross-site scripting (XSS) vulnerabilities 
+#   in MantisBT before 1.2.3 allow remote authenticated administrators to 
+#   inject arbitrary web script or HTML via (1) a plugin name, related to 
+#   manage_plugin_uninstall.php; (2) an enumeration value or (3) a String 
+#   value of a custom field, related to core/cfdefs/cfdef_standard.php; or 
+#   a (4) project or (5) category name to print_all_bug_page_word.php.
+#
+# Author: Dario Minnucci <midget@debian.org>
+# Bug: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3303
+# Bug: http://security-tracker.debian.org/tracker/CVE-2010-3303
+# Bug: http://www.mantisbt.org/bugs/view.php?id=12371
+# Bug-Debian: http://bugs.debian.org/599710
+# Last-Update: 2010-10-13
+#
+Index: mantis-1.1.8+dfsg/print_all_bug_page_word.php
+===================================================================
+--- mantis-1.1.8+dfsg.orig/print_all_bug_page_word.php	2010-10-13 17:17:36.767106519 +0200
++++ mantis-1.1.8+dfsg/print_all_bug_page_word.php	2010-10-13 17:17:55.062831594 +0200
+@@ -160,7 +160,7 @@
+ 		<?php echo $v_id ?>
+ 	</td>
+ 	<td class="print">
+-		<?php echo "[$t_project_name] $v_category" ?>
++		<?php echo '[' . string_display_line( $t_project_name ) . '] ' . string_display_line( $v_category ) ?>
+ 	</td>
+ 	<td class="print">
+ 		<?php echo get_enum_element( 'severity', $v_severity ) ?>
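Review bot: only the single echo at line 160 of print_all_bug_page_word.php is changed, so the fix is complete only if no other output in that file prints a project or category name; please confirm that, since items (4) and (5) both point at this file. The patch is taken from an upstream commit and the CVE text refers to MantisBT before 1.2.3, so also confirm that string_display_line() is available in the 1.1.8 core and escapes HTML there as it does upstream. In the header, the upstream commit URL would be easier for tooling to find in an Origin: field than in a free-text comment line.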
diff -Nru mantis-1.1.8+dfsg/debian/patches/series mantis-1.1.8+dfsg/debian/patches/series
--- mantis-1.1.8+dfsg/debian/patches/series	2010-09-05 00:53:04.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/patches/series	2010-10-13 17:18:43.000000000 +0200
@@ -6,3 +6,4 @@
 05-fix-phpmailer.patch
 06-use-libnusoap-php.patch
 08-CVE-2010-2574.diff
+09-CVE-2010-3303-04-and-05.diff
diff -Nru mantis-1.1.8+dfsg/debian/po/cs.po mantis-1.1.8+dfsg/debian/po/cs.po
--- mantis-1.1.8+dfsg/debian/po/cs.po	2010-09-05 21:13:29.000000000 +0200
+++ mantis-1.1.8+dfsg/debian/po/cs.po	2010-10-13 16:13:05.000000000 +0200
@@ -16,7 +16,7 @@
 "Project-Id-Version: mantis\n"
 "Report-Msgid-Bugs-To: mantis@packages.debian.org\n"
 "POT-Creation-Date: 2009-06-27 14:43+0200\n"
-"PO-Revision-Date: 2007-07-01 13:05+0200\n"
+"PO-Revision-Date: 2010-10-11 17:49+0200\n"
 "Last-Translator: Miroslav Kure <kurem@debian.cz>\n"
 "Language-Team: Czech <debian-l10n-czech@lists.debian.org>\n"
 "Language: cs\n"
@@ -115,15 +115,12 @@
 #. Type: note
 #. Description
 #: ../templates:6001
-#, fuzzy
-#| msgid ""
-#| "By default, the mantis package creates an administrator account. The "
-#| "password for this account is 'root'."
 msgid ""
 "By default, the mantis package creates an 'administrator' account. The "
 "password for this account is 'root'."
 msgstr ""
-"Balík mantis standardně vytváří správcovský účet s výchozím heslem „root“."
+"Balík mantis standardně vytváří účet „administrator“ s výchozím heslem "
+"„root“."
 
 #. Type: note
 #. Description

--- End Message ---
--- Begin Message ---
On 10/13/2010 09:07 PM, Dario Minnucci wrote:

> Hi Team,

Hi Dario

> Please unblock mantis/1.1.8+dfsg-8
> 
> 
> Closes bugs:
> 
> #599710 CVE-2010-3303
> #599846 Updated Czech translation of mantis po-debconf messages

updated unblock

Cheers

Luk


--- End Message ---
