Seen on oss-security: http://openwall.com/lists/oss-security/2015/06/25/3
Also see: https://mantisbt.org/bugs/view.php?id=19873
Bug does not appear to be fixed upstream yet. Waiting for release.
Still not fixed upstream.
(In reply to Dan Langille from comment #2)
> Still not fixed upstream.
That is not quite correct. It is fixed, but the fix is not released. Because of this difference I was able to track down the change and wrote a patch for this issue. As there is already a solution, we should not wait for the lazy upstream to release it. Please have a look at the patch. It contains just the security fix, but a PORTREVISION bump is also needed.
Created attachment 162697: security fix for CVE-2015-5059
Comment on attachment 162697: security fix for CVE-2015-5059
It has been two weeks since I provided a patch to fix the security issue. @Maintainer: can you please have a look at the patch?
I apologize for being slow. Code review submitted: https://reviews.freebsd.org/D4196
A commit references this bug:
  Author: dvl
  Date: Wed Dec 23 21:20:51 UTC 2015
  New revision: 404324
  URL: https://svnweb.freebsd.org/changeset/ports/404324
  Log:
    patch with security fix for CVE-2015-5059
    Submitted by: Torsten Zuhlsdorff & Jason Unovitch
    PR: 201106 202865
    Approved by: mat (mentor)
    Differential Review: D4196
  Changes:
    head/databases/mantis/Makefile
    head/databases/mantis/files/patch-config__defaults__inc.php
Thank you.
A commit references this bug:
  Author: junovitch
  Date: Thu Dec 24 14:57:59 UTC 2015
  New revision: 404370
  URL: https://svnweb.freebsd.org/changeset/ports/404370
  Log:
    Document information disclosure vulnerability in the Mantis Bug Tracker
    PR: 201106
    Security: CVE-2015-5059
    Security: https://vuxml.FreeBSD.org/freebsd/e1b5318c-aa4d-11e5-8f5c-002590263bf5.html
  Changes:
    head/security/vuxml/vuln.xml
(In reply to commit-hook from comment #9) Thank you
Set merge-quarterly? Dan, can you send an email to ports-secteam@ and portmgr@ per https://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/committers-guide/ports.html#ports-qa-misc-request-mfh to request an MFH using:
  Tools/scripts/mfh 2015Q4 404324
Once this is MFH'd, you can set merge-quarterly+ and close the PR.
Set merge-quarterly to ? and set status to in-progress.
(In reply to Jason Unovitch from comment #11) and email sent. I did not know about this procedure. Thank you.
A commit references this bug:
  Author: dvl
  Date: Sun Dec 27 02:30:13 UTC 2015
  New revision: 404544
  URL: https://svnweb.freebsd.org/changeset/ports/404544
  Log:
    MFH: r404324
    patch with security fix for CVE-2015-5059
    Submitted by: Torsten Zuhlsdorff & Jason Unovitch
    PR: 201106 202865
    Approved by: mat (mentor)
    Differential Review: D4196
    Approved by: ports-secteam
  Changes:
    _U branches/2015Q4/
    branches/2015Q4/databases/mantis/Makefile
    branches/2015Q4/databases/mantis/files/patch-config__defaults__inc.php