Debian Bug report logs - #610850
request-tracker3.8: Weak password hash format in RT database

Package: request-tracker3.8; Maintainer for request-tracker3.8 is Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>;

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Sun, 23 Jan 2011 11:24:02 UTC

Severity: grave

Tags: security

Found in version request-tracker3.8/3.8.8-6

Fixed in version request-tracker3.8/3.8.8-7

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>:
Bug#610850; Package request-tracker3.8. (Sun, 23 Jan 2011 11:24:05 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Sun, 23 Jan 2011 11:24:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: request-tracker3.8: Weak password hash format in RT database
Date: Sun, 23 Jan 2011 11:22:09 +0000

Package: request-tracker3.8
Version: 3.8.8-6
Severity: grave
Tags: security
Justification: user security hole

Quoting from DSA 2150-1:

It was discovered that Request Tracker, an issue tracking system,
stored passwords in its database by using an insufficiently strong
hashing method. If an attacker would have access to the password
database, he could decode the passwords stored in it.

For the stable distribution (lenny), this problem has been fixed in
version 3.6.7-5+lenny5.

The testing distribution (squeeze) will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.8.8-7 of the request-tracker3.8 package.

More info at

http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html




Bug Marked as fixed in versions request-tracker3.8/3.8.8-7. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sun, 23 Jan 2011 11:27:06 GMT)

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Mon, 24 Jan 2011 15:48:09 GMT)

Notification sent to Dominic Hargreaves <dom@earth.li>:
Bug acknowledged by developer. (Mon, 24 Jan 2011 15:48:09 GMT)

Message #12 received at 610850-done@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 610850-done@bugs.debian.org
Subject: Fixed
Date: Mon, 24 Jan 2011 15:44:54 +0000

This bug is already marked as fixed, so just closing for neatness.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 22 Feb 2011 07:32:25 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:11:07 2014; Machine Name: buxtehude.debian.org
