Bug 201106
| Summary: | databases/mantis: [security] CVE-2015-5059: documentation in private projects can be seen by every user | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Jason Unovitch <junovitch> | ||||
| Component: | Individual Port(s) | Assignee: | Dan Langille <dvl> | ||||
| Status: | Closed FIXED | ||||||
| Severity: | Affects Some People | CC: | dvl, junovitch, ports | ||||
| Priority: | --- | Flags: | bugzilla:
maintainer-feedback?
(dvl) dvl: merge-quarterly+ |
||||
| Version: | Latest | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202865 | ||||||
| Attachments: |
|
||||||
|
Description
Jason Unovitch
2015-06-25 13:02:53 UTC
Bug does not appear to be fixed upstream yet. Waiting for release. Still not fixed upstream. (In reply to Dan Langille from comment #2) > Still not fixed upstream. That is not quite correct. It is fixed, but the fix is not released. Because of this difference i was able to track down the change and wrote a patch for this issue. As there is already a solution we should not wait for the lazy upstream to release it. Please have a look at the patch. It contains just the security fix - but a PORTREVISION bump is also needed. Created attachment 162697 [details]
security fix for CVE-2015-5059
Comment on attachment 162697 [details]
security fix for CVE-2015-5059
Its two weeks ago i provided a patch to fix the security issue.
@Maintainer: can you please have a look at the patch?
I apologize for being slow. Code review submitted: https://reviews.freebsd.org/D4196 A commit references this bug: Author: dvl Date: Wed Dec 23 21:20:51 UTC 2015 New revision: 404324 URL: https://svnweb.freebsd.org/changeset/ports/404324 Log: patch with security fix for CVE-2015-5059 Submitted by: Torsten Zuhlsdorff & Jason Unovitch PR: 201106 202865 Approved by: mat (mentor) Differential Review: D4196 Changes: head/databases/mantis/Makefile head/databases/mantis/files/patch-config__defaults__inc.php Thank you. A commit references this bug: Author: junovitch Date: Thu Dec 24 14:57:59 UTC 2015 New revision: 404370 URL: https://svnweb.freebsd.org/changeset/ports/404370 Log: Document information disclosure vulnerability in the Mantis Bug Tracker PR: 201106 Security: CVE-2015-5059 Security: https://vuxml.FreeBSD.org/freebsd/e1b5318c-aa4d-11e5-8f5c-002590263bf5.html Changes: head/security/vuxml/vuln.xml (In reply to commit-hook from comment #9) Thank you Set merge-quarterly? Dan, can you send an email to ports-secteam@ and portmgr@ per https://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.html#ports-qa-misc-request-mfh to request an MFH using: Tools/scripts/mfh 2015Q4 404324 Once this is MFH'd. You can set merge-quarterly+ and close the PR. set merge-quarterly to ? and set status to in-progress. (In reply to Jason Unovitch from comment #11) and email sent. I did not know about this procedure. Thank you. A commit references this bug: Author: dvl Date: Sun Dec 27 02:30:13 UTC 2015 New revision: 404544 URL: https://svnweb.freebsd.org/changeset/ports/404544 Log: MFH: r404324 patch with security fix for CVE-2015-5059 Submitted by: Torsten Zuhlsdorff & Jason Unovitch PR: 201106 202865 Approved by: mat (mentor) Differential Review: D4196 Approved by: ports-secteam Changes: _U branches/2015Q4/ branches/2015Q4/databases/mantis/Makefile branches/2015Q4/databases/mantis/files/patch-config__defaults__inc.php |