[Secure-testing-team] Re: Bug#335938: mantis: Mantis 't_core_path'
File Inclusion Vulnerability
Thijs Kinkhorst
kink at squirrelmail.org
Mon Oct 31 15:29:35 UTC 2005
On Mon, October 31, 2005 16:07, Moritz Muehlenhoff wrote:
> The included patches look fine and correlate to what I extracted from the
> interdiff. But where's the fix for CVE-2005-3337 aka mantis bug 5959?
>
> The mantis bug is non-public, but according to the description it's
> a cross-site-scripting vulnerability in mantis/view_all_set.php
>
> They claim to have fixed it in 0.19.3 as well, but the interdiff doesn't
> show anything. So CVE-2005-3337 either doesn't apply to 0.19.x and the
> changelog was a mistake or the fix is missing in 0.19.3 or the fix is very
> non-obvious. But it should be checked back with upstream.
According to the changelog, this was already fixed in Debian package
0.19.2-3 uploaded in September. Since this was uploaded by the security
team, can we assume that this was double-checked to be fixed...?
Thijs
Thijs
More information about the Secure-testing-team
mailing list