
Re: mantis- fixed CVE-2011-3578 - please update security tracker page



Hi Mike,

I know this is a little confusing, let me explain.
Long time ago... (sorry, just kidding) :-)

The shortest explanation is: all CVEs were fixed before they were
published, and -3578 was fixed and detected before any advice was
announced (I found out when I was working on the other ones).

I'll try to make a chronological explanation:

On 01/14/2012 09:22 PM, Michael Gilbert wrote:
> On Sat, Jan 14, 2012 at 10:03 AM, sils <sils@powered-by-linux.com> wrote:

> I'm confused by this.  There are three issues.  CVE-2011-3357, -3358,
> and -3578.  Are you saying all of them were fixed in the last DSA?
> Looking at the source, there are only two patches.  Haven't really
> looked into it, but I assume those are -3357 and -3358?


04 Sep 2011
--------------
A bug, #640297, was published on the BTS, related to 3 critical issues [1],
directly from upstream.

1) XSS injection via PHP_SELF
2) LFI and XSS via bug_actiongroup_ext_page.php
3) XSS issues with unescaped os, os_build and platform parameters on
bug_report_page.php and bug_update_advanced_page.php

This was submitted to openwall, but no CVEs were published yet.

These vulnerabilities were split (some time after) as:

[4] CVE-2011-3357
[5] CVE-2011-3358


05 Sep 2011
--------------
Working with the MantisBT team, I found out another vulnerability (a new one),
which was reported to upstream and published in the MantisBT bug tracker [3].
This new issue mixed up two problems, injection via PHP_SELF and
bug-action-group, different from CVE-2011-3357.

The CVE (long time after):
[6] CVE-2011-3578


Package information : fixed issues
-----------------------------------
I noticed that not all versions had been affected by the same issues.
[7] wheezy:  05 Sep 2011 : mantis (1.2.7-1)
[8] squeeze: 06 Sep 2011 : mantis (1.1.8+dfsg-10squeeze1)
[9] lenny:   07 Sep 2011 : mantis (1.1.6+dfsg-2lenny5)


12 Sep 2011
--------------
Additional upgrade in sid: a new upstream security release, mantis
(1.2.8-1). The patches were dropped in favour of the security arrangement
from upstream, fixing all CVE vulnerabilities.

All vulnerabilities were fixed (3357, 3358, 3578), including -3578, but
this CVE was published some time after, which was related to my
advice on 05 Sep.

I realise this is difficult to understand, and to explain as well.

Please, let me know if there's something else you need to understand this
case.

Thanks for your time.

Best regards,

Sils

PS: please cc me, I'm not on the debian-security list.



[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640297
[2] http://www.openwall.com/lists/oss-security/2011/09/04/1
[3] http://www.mantisbt.org/bugs/view.php?id=13191


[4] http://security-tracker.debian.org/tracker/CVE-2011-3357
More info:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3357
- http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html

[5] http://security-tracker.debian.org/tracker/CVE-2011-3358
More info:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3358
- http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html

[6] http://security-tracker.debian.org/tracker/CVE-2011-3578
More info:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3578
- http://lists.debian.org/debian-security-tracker/2011/09/msg00012.html


[7] http://packages.debian.org/changelogs/pool/main/m/mantis/current/changelog#version1.2.7-1

[8] http://packages.debian.org/changelogs/pool/main/m/mantis/mantis_1.1.8+dfsg-10squeeze1/changelog#version1.1.8_dfsg-10squeeze1

[9] http://packages.debian.org/changelogs/pool/main/m/mantis/mantis_1.1.6+dfsg-2lenny6/changelog#version1.1.6_dfsg-2lenny5
