Debian Bug report logs - #614575
request-tracker3.8: CVE-2011-1007: Back button attacks


Package: request-tracker3.8; Maintainer for request-tracker3.8 is Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>;

Reported by: Dominic Hargreaves <dom@earth.li>

Date: Tue, 22 Feb 2011 11:48:14 UTC

Severity: important

Tags: security

Found in version request-tracker3.8/3.8.8-7

Fixed in version request-tracker3.8/3.8.9-1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.

Forwarded to http://issues.bestpractical.com/Ticket/Display.html?id=15804



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>:
Bug#614575; Package request-tracker3.8. (Tue, 22 Feb 2011 11:48:17 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Tue, 22 Feb 2011 11:48:17 GMT)

Message #5 received at submit@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: request-tracker3.8: Back button attacks
Date: Tue, 22 Feb 2011 11:44:03 +0000
Package: request-tracker3.8
Version: 3.8.8-7
Severity: important
Tags: security

The following appears in the changelog of 3.8.9:

 * Redirect users to their desired pages after login.
    This prevents possible back button attacks after a user logs out.

This may warrant an update in s-p-u.

Bug marked as fixed in versions request-tracker3.8/3.8.9-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 22 Feb 2011 11:54:08 GMT)

Changed Bug title to 'request-tracker3.8: CVE-2011-1007: Back button attacks' from 'request-tracker3.8: Back button attacks'. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 25 Feb 2011 18:09:08 GMT)

Set Bug forwarded-to-address to 'http://issues.bestpractical.com/Ticket/Display.html?id=15804'. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 25 Feb 2011 18:09:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>:
Bug#614575; Package request-tracker3.8. (Fri, 25 Feb 2011 18:54:06 GMT)

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Fri, 25 Feb 2011 18:54:06 GMT)

Message #16 received at 614575@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: 614575@bugs.debian.org, 614576@bugs.debian.org
Subject: CVE IDs etc.
Date: Fri, 25 Feb 2011 20:04:31 +0200
package request-tracker3.8
retitle 614575 request-tracker3.8: CVE-2011-1007: Back button attacks
retitle 614576 request-tracker3.8: CVE-2011-1008: Scrip information leakage
forwarded 614575 http://issues.bestpractical.com/Ticket/Display.html?id=15804
thanks

Just filling in some administrivia based on
 http://permalink.gmane.org/gmane.comp.security.oss.general/4243
 http://permalink.gmane.org/gmane.comp.security.oss.general/4247

On Tue, Feb 22, 2011 at 11:44:03AM +0000, Dominic Hargreaves wrote:
> Package: request-tracker3.8
> Version: 3.8.8-7
> Severity: important
> Tags: security
>
> The following appears in the changelog of 3.8.9:
>
>  * Redirect users to their desired pages after login.
>     This prevents possible back button attacks after a user logs out.
>

This has been assigned CVE-2011-1007.

The base patch was
 https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4
but, as discussed in
 http://permalink.gmane.org/gmane.comp.security.oss.general/4247
this breaks RT-Authen-ExternalAuth and was augmented by other changes on
the same branch later.

A targeted fix should be discussed with <security@bestpractical.com>,
as requested by Thomas Sibley in the above message.

On Tue, Feb 22, 2011 at 11:46:04AM +0000, Dominic Hargreaves wrote:
> Package: request-tracker3.8
> Version: 3.8.8-7
> Severity: important
> Tags: security
> 
> The following appears in the changelog of 3.8.9:
> 
>  * Clone Scrip's TicketObj since we change the CurrentUser and it can leak
>     information (Custom field values, etc)

This has been assigned CVE-2011-1008.
A patch is
 https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3
but again, upstream requests coordination for targeted fixes in
 http://permalink.gmane.org/gmane.comp.security.oss.general/4247

I don't have the time to drive this further myself, just noticed the
thread at oss-security.
-- 
Niko Tyni   ntyni@debian.org
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>:
Bug#614575; Package request-tracker3.8. (Sun, 10 Apr 2011 11:33:08 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Sun, 10 Apr 2011 11:33:12 GMT)

Message #21 received at 614575@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Niko Tyni <ntyni@debian.org>, 614575@bugs.debian.org
Subject: Re: [request-tracker-maintainers] Bug#614575: CVE IDs etc.
Date: Sun, 10 Apr 2011 12:31:54 +0100
On Fri, Feb 25, 2011 at 08:04:31PM +0200, Niko Tyni wrote:
> package request-tracker3.8
> retitle 614575 request-tracker3.8: CVE-2011-1007: Back button attacks

> On Tue, Feb 22, 2011 at 11:44:03AM +0000, Dominic Hargreaves wrote:

> > The following appears in the changelog of 3.8.9:
> >
> >  * Redirect users to their desired pages after login.
> >     This prevents possible back button attacks after a user logs out.
> >
> 
> This has been assigned CVE-2011-1007.

I discussed this a bit with upstream and I concluded that although it's
clearly a useful security enhancement, it probably doesn't qualify as a
security bug that justifies the potentially large breakage in stable that
a stable update would entail (we know, for example, that it would break
a popular extension).

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Bug closed, send any further explanations to Dominic Hargreaves <dom@earth.li>. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sun, 10 Apr 2011 12:55:01 GMT)

Message sent on to Dominic Hargreaves <dom@earth.li>:
Bug#614575. (Sun, 10 Apr 2011 13:27:19 GMT)

Message #26 received at 614575-submitter@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: control@bugs.debian.org
Cc: 614575-submitter@bugs.debian.org
Subject: closing 614575
Date: Sun, 10 Apr 2011 12:35:15 +0100
close 614575
thanks
-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:47:44 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:17:17 2014; Machine Name: beach.debian.org