Tue Nov 4 11:43:24 2008 UTC
Pullup ticket #2569 - requested by adrianp
mantis: security update

Revisions pulled up:
- devel/mantis/Makefile		1.33
- devel/mantis/distinfo		1.13
---
Module Name:    pkgsrc
Committed By:   adrianp
Date:           Sun Nov  2 17:25:18 UTC 2008

Modified Files:
        pkgsrc/devel/mantis: Makefile distinfo

Log Message:
Update to 1.1.4

2008.10.18 - 1.1.4
===================================

We had to withdraw 1.1.3 because of a serious flaw affecting the
bug_report* pages. This new release fixes that problem and a newly
discovered security issue.

- 0009704: [security] Remote Code Execution in manage_proj_page.php
(giallu) - resolved.
- 0009691: [bugtracker] Failed to report issue.(Always APPLICATION ERROR
#2800) (jreese) - resolved.
- 0009690: [other] Wrong parameter count for session_set_cookie_params()
(jreese) - resolved.
- 0009693: [webpage] Generated HTML contains multiple hostnames when
proxied (jreese) - resolved.

2008.10.09 - 1.1.3
===================================

In this release we fixed a couple of nasty bugs that sneaked into 1.1.2,
where sending bugnotes email notifications would fail and browser
caching was not functional.

We also refined the implementation of form security tokens and closed a
couple of security issues, an information disclosure (with no CVE) and a
session hijacking (CVE-2008-3102).

- 0009321: [security] Users can get title and status of issues that they
don't have access to. (vboctor) - resolved.
- 0009533: [security] Mantis should use secure sessions on https
connections (jreese) - resolved.
- 0009286: [administration] stray "2" in manage_user_prune.php (vboctor)
- resolved.
- 0009664: [authentication] Logout without unsetting session cookie
(jreese) - resolved.
- 0009323: [bugtracker] Browser caching broken since 1.1.2 (jreese) -
resolved.
- 0009470: [bugtracker] Tags filter not filling into text field when
selecting from list using Internet Explorer (jreese) - resolved.
- 0009493: [custom fields] Removing custom fields from project causes
application error 2800 (giallu) - resolved.
- 0009309: [email] Problems with e-mail notifications about bugnotes
[PATCH] (giallu) - resolved.
- 0004678: [filters] Filter combos don't fill up on if switched to 'All
Projects' - closed.
- 0009430: [graphs] bug_graph_bystatus shows heading by_category
(thraxisp) - resolved.
- 0009431: [localization] no localization for usage of open, resolved,
closed in bug_graph_bystatus.php (thraxisp) - resolved.
- 0008882: [other] Gravatar causes annoying security popups on IE when
using Mantis over HTTPS/SSL (jreese) - resolved.
- 0009361: [other] php session fail created cause mantis app error.
(jreese) - resolved.
- 0009560: [other] Wrong behaviour in Session API (session_save_path
error message) (jreese) - resolved.
- 0009672: [other] Fixing form error by going back fails because of
security token (jreese) - resolved.
- 0009343: [scripting] form security token prevents changing
relationship while resolving bug (jreese) - resolved.


(tron)
diff -r1.32 -r1.32.8.1 pkgsrc/devel/mantis/Makefile
diff -r1.12 -r1.12.8.1 pkgsrc/devel/mantis/distinfo

cvs diff -r1.32 -r1.32.8.1 pkgsrc/devel/mantis/Makefile

--- pkgsrc/devel/mantis/Makefile 2008/06/21 15:17:00 1.32
+++ pkgsrc/devel/mantis/Makefile 2008/11/04 11:43:24 1.32.8.1
@@ -1,16 +1,16 @@ @@ -1,16 +1,16 @@
1# $NetBSD: Makefile,v 1.32 2008/06/21 15:17:00 adrianp Exp $ 1# $NetBSD: Makefile,v 1.32.8.1 2008/11/04 11:43:24 tron Exp $
2 2
3DISTNAME= mantis-1.1.2 3DISTNAME= mantis-1.1.4
4CATEGORIES= devel www 4CATEGORIES= devel www
5MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=mantisbt/} 5MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=mantisbt/}
6 6
7MAINTAINER= adrianp@NetBSD.org 7MAINTAINER= adrianp@NetBSD.org
8HOMEPAGE= http://www.mantisbt.org/ 8HOMEPAGE= http://www.mantisbt.org/
9COMMENT= PHP/MySQL/web based bugtracking system 9COMMENT= PHP/MySQL/web based bugtracking system
10 10
11DEPENDS+= ${APACHE_PKG_PREFIX}-${PHP_PKG_PREFIX}>=4.0.6:../../www/ap-php 11DEPENDS+= ${APACHE_PKG_PREFIX}-${PHP_PKG_PREFIX}>=4.0.6:../../www/ap-php
12DEPENDS+= ${PHP_PKG_PREFIX}-mysql>=4.0.6:../../databases/php-mysql 12DEPENDS+= ${PHP_PKG_PREFIX}-mysql>=4.0.6:../../databases/php-mysql
13 13
14PKG_DESTDIR_SUPPORT= user-destdir 14PKG_DESTDIR_SUPPORT= user-destdir
15 15
16NO_BUILD= YES 16NO_BUILD= YES
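
Review bot: The DEPENDS floors on lines 11-12 (>=4.0.6 for both ap-php and php-mysql) are carried over unchanged while DISTNAME on line 3 jumps two upstream releases, from mantis-1.1.2 to mantis-1.1.4. The log lists session-related changes in that range (session_set_cookie_params(), secure sessions on https), so please confirm the PHP minimum still matches what 1.1.4 needs. Since the log describes a remote code execution fix in manage_proj_page.php and CVE-2008-3102, it would also help to state in the pullup text that installations of 1.1.2 are the ones affected.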

cvs diff -r1.12 -r1.12.8.1 pkgsrc/devel/mantis/distinfo

--- pkgsrc/devel/mantis/distinfo 2008/06/21 15:17:00 1.12
+++ pkgsrc/devel/mantis/distinfo 2008/11/04 11:43:24 1.12.8.1
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
1$NetBSD: distinfo,v 1.12 2008/06/21 15:17:00 adrianp Exp $ 1$NetBSD: distinfo,v 1.12.8.1 2008/11/04 11:43:24 tron Exp $
2 2
3SHA1 (mantis-1.1.2.tar.gz) = 291026ca4135961faf97597280cdc2a766b89e3c 3SHA1 (mantis-1.1.4.tar.gz) = 7e64529508d3e35b98ae49c12b808998e669ef76
4RMD160 (mantis-1.1.2.tar.gz) = 251a7daee876468ebe63e72df72824a85680dcc8 4RMD160 (mantis-1.1.4.tar.gz) = e67d3aa48e65498b7a75909a5976f21db9554d75
5Size (mantis-1.1.2.tar.gz) = 2582860 bytes 5Size (mantis-1.1.4.tar.gz) = 2584719 bytes
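
Review bot: The SHA1, RMD160 and Size entries on lines 3-5 are the only values binding this package to a specific mantis-1.1.4.tar.gz, and the Makefile fetches that file from a SourceForge mirror, so their provenance should be stated. The log says 1.1.3 was withdrawn and replaced by 1.1.4 within days; please confirm the digests were generated from the final upstream tarball, for example by comparing against a second, independent download, and note that in the commit message. The size change (2582860 to 2584719 bytes) is small and consistent with a point release, but it does not substitute for that check.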