-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 06 Sep 2011 08:33:40 +0200 Source: mantis Binary: mantis Architecture: source all Version: 1.1.8+dfsg-10squeeze1 Distribution: stable-security Urgency: high Maintainer: Silvia Alvarez Changed-By: Silvia Alvarez Description: mantis - web-based bug tracking system Changes: mantis (1.1.8+dfsg-10squeeze1) stable-security; urgency=high . * Urgency high: Fixes critical LFI/XSS vulnerabilites (BTS #640297) 1) XSS injection via PHP_SELF : not affected 2) LFI and XSS via bug_actiongroup pages: fixed 3) Projax XSS issues with unescaped parameters: not affected * debian/patches: + added: Multiple vulnerabilities (LFI/XSS injection) Thanks to David Hicks, MantisBT developer. 11-Fix-640297-LFI-XSS-injection-bug-action-group-0.diff 12-Fix-640297-LFI-XSS-injection-bug-action-group-1.diff Checksums-Sha1: 3ebeec2b3d72ba36d9e17d76d876849048896aea 1786 mantis_1.1.8+dfsg-10squeeze1.dsc 4482268075470b5e93f25cd6ee61adecb4ae189f 1965397 mantis_1.1.8+dfsg.orig.tar.gz 02aed5b941dfed87ea5451a0e36428ce93d3624e 55496 mantis_1.1.8+dfsg-10squeeze1.debian.tar.gz b21a9c7388f1d693260ad1d05425e0ecdeedf18e 1744228 mantis_1.1.8+dfsg-10squeeze1_all.deb Checksums-Sha256: 5c57e3d60e8c6cbe94e1da816623393c49429105703bcd6f48cb360947162122 1786 mantis_1.1.8+dfsg-10squeeze1.dsc 350885db48f6298f6d956871777219b011331e9a413bd3e8a4e748fa1be3f573 1965397 mantis_1.1.8+dfsg.orig.tar.gz 2728dc56bd892092756201462e69ba80de69b82688b8bf5c71c9cfa95a24b56a 55496 mantis_1.1.8+dfsg-10squeeze1.debian.tar.gz 4acd95365da646b6866300c23735e8286ba4c2448b3cb72327397fdf46e6a9b2 1744228 mantis_1.1.8+dfsg-10squeeze1_all.deb Files: caa7dc06eb1bc9f2457fab718ba0ae30 1786 web optional mantis_1.1.8+dfsg-10squeeze1.dsc 730527e12f160ce1e13bb2a5c51bdb81 1965397 web optional mantis_1.1.8+dfsg.orig.tar.gz 2c44ef3e369d3e8531b57aacf4067463 55496 web optional mantis_1.1.8+dfsg-10squeeze1.debian.tar.gz a98e8178425114f5024513b07baf77c8 1744228 web optional mantis_1.1.8+dfsg-10squeeze1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJOaQmWAAoJEKgvu4Pz1XAzZW0QAJyr1VsaIO+vOv064PbWdU/h M20P4Opw627MLyMHuw/Kw4OPK1CJdPnQdmipnyRREf/qq4JZm/62j51EA+ze5+sF 0qP/RUUUz9rbl4jQRJe+YCnQpKp4E8Mgrj40Uihi0eaBB/3mukRenL9beS8vDkPJ LyZ3e8vVdLrz86Kzp9DAEhmKkVGt2Egtf++PMWMxSGrx8wkMptuPvdgfiR2dgayG FzxZqphl0VRCEkvIIM0XDXwL/RztfJs5ufZpiSsDHxjdavKKhZmObiSHODPCyG94 fOGsbKd2nhyOzMTSmXKgBDLNZEl7OtNFX1H1rs5MIydOr8pQlVkJioK/YZ23Uypn M/ly1c6491SOkF6zyrcyR8WhWiTICx/Mq1raH++LADttUM/3Btznf90MlrOjeepY MIX7t12WO5VH2SurqZCrDBH5Oq6lK9KY9eWCCni3sfYPJRhXg+fT2k9mSDjcgWaR wDAIuKFawG/OsGO20o/0NS1axBhWFK+aYO81CmrdlgpJ9tny6cMLdg3a4WSPv9WX JPI5U1NnUKO1Pd0xfmnw7TsHFrocR7ZWusIowVtM9R+Dx7Ql74/5cQ7wj53HJdtT 0zQFVMdtjJcy/prL/bqQqM14exvAAvsE6d7JRmZ0zLHzYE9G2o53syxgR95fBQYv p8A32la/46pP3p75W6nv =jp4B -----END PGP SIGNATURE-----