Hard Light Productions Forums
Site Management => Site Support / Feedback => Topic started by: Echelon9 on August 19, 2012, 04:11:13 am
-
Similar to the SCP internal discussion, here (http://www.hard-light.net/forums/index.php?topic=81271.0), I'd like to note that the powers that be should update the HLP-hosted Mantis bug tracker install (http://hard-light.net/mantis/my_view_page.php).
Reason: the version 1.1.7 is getting long in the tooth, with a few security bugs found and fixed in subsequent releases.
http://www.mantisbt.org/bugs/changelog_page.php?project=mantisbt&version=1.2.11
CVE-2012-1118
Mantis installation in which the private_bug_view_threshold
configuration option has been set to an array value do not
properly enforce bug viewing restrictions.
CVE-2012-1119
Copy/clone bug report actions fail to leave an audit trail.
CVE-2012-1120
The delete_bug_threshold/bugnote_allow_user_edit_delete
access check can be bypassed by users who have write
access to the SOAP API.
CVE-2012-1122
Mantis performed access checks incorrectly when moving bugs
between projects.
CVE-2012-1123
A SOAP client sending a null password field can authenticate
as the Mantis administrator.
CVE-2012-2692
Mantis does not check the delete_attachments_threshold
permission when a user attempts to delete an attachment from
an issue.
Steps to do this, including backups, have been kindly written up by chief9183 (http://www.hard-light.net/forums/index.php?topic=79553.0):
# Download the new Mantis
cd public_html
wget http://internode.dl.sourceforge.net/sourceforge/mantisbt/mantisbt-1.2.11.tar.gz
tar -xzvf mantisbt-1.2.11.tar.gz
# Fix permissions issue after extraction
chmod 755 mantisbt-1.2.11
cp ~/public_html/mantis/config_inc.php ~/public_html/mantisbt-1.2.11/
# Repeat for custom_strings_inc.php, custom_constants_inc.php, and custom_functions_inc.php if they exist
# Announce the downtime
cp -r ~/public_html/mantis/library/jpgraph ~/public_html/mantisbt-1.2.11/library/jpgraph
cp -r ~/public_html/mantis/library/fonts ~/public_html/mantisbt-1.2.11/library/fonts
cd mantis
cp mantis_offline.php.sample mantis_offline.php
# Backup the database (use credentials in the existing config_inc.php)
cd ../..
mysqldump --opt -u <dbuser> -p mantis_scp > mantis_backup_<MM-DD-YYYY>.sql
# <enter password>
# Move backup to backups folder
mv mantis_backup_*.sql backups/mantis/
# Access http://scp.indiegames.us/mantisbt-1.2.11/admin/install.php to complete installation
# Click install/upgrade - if all green, click continue
# Confirm working by viewing attachments/issues
cd public_html
rm -rf ~/public_html/mantisbt-1.2.11/admin
mv mantis ../backups/mantis/mantis-1.2.8
mv mantisbt-1.2.11 mantis
# The script send_emails.php has moved from the root of the mantis install to the scripts folder.
# Edit the crontab and make sure the path to the script is correct for the new install.
# Also, on scp.indiegames.us, we don't have CLI PHP. The script needs to be edited to run through the
# web server. Comment out the PHP-CGI check and rearrange the first two lines to work through the server.
# Not necessary if you can set up the script to run via command line PHP in the cron.
# Announce upgrade completed via forums
-
1.1.7 you say? That's... old. Seriously guys, don't neglect updating software. It's going to cost you if any security holes are exploited.
-
Nonsense! Old DOS is the best DOS!
/OT
-
So which of the powers that be have to see this thread, for the security patch to actually happen?
-
Rev_posix said that he saw this thread. Apparently, though, just because he saw it doesn't mean he followed through with the upgrade. :sigh:
-
Yep, I saw it. Didn't mean I had any time to do anything about it when I saw it, but I saw it. :P
But regardless, it's done. Seems to be running as expected, someone with an account might want to check it a bit more thoroughly to make sure it's still working as well as it was before. The tarball of the old install, with the sql dump in said archive, is in the backup directory.
-
All does not seem well, post upgrade.
On a system which has no prior login in browser cache:
APPLICATION ERROR #401
Database query failed. Error received from database was #1146: Table 'c2_mantis_6932.mantis_category_table' doesn't exist for the query: SELECT c.*, p.name AS project_name FROM mantis_category_table AS c
LEFT JOIN mantis_project_table AS p
ON c.project_id=p.id
WHERE project_id=0
ORDER BY c.name .
On my usual system, which has a prior login cookie in the browser cache:
APPLICATION ERROR #401
Database query failed. Error received from database was #1054: Unknown column 'p.inherit_global' in 'field list' for the query: SELECT DISTINCT p.id, ph.parent_id, p.name, p.inherit_global, ph.inherit_parent
FROM mantis_project_table p
LEFT JOIN mantis_project_hierarchy_table ph
ON ph.child_id = p.id
WHERE p.enabled = ?
ORDER BY p.name.
-
What did you do to get that? I'm hitting it with a browser I've never used to look at it and it's coming up fine for me. I can browse through the tickets, read attachments, etc/
-
Clicking directly on the link I used in first post takes me there. Reconfirmed again that it is happening.
-
Ah, there we go. Try now.
-
Looks good here.
-
Works for me.
-
Thanks, all good.