Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>: Bug#614575; Package request-tracker3.8. (Tue, 22 Feb 2011 11:48:17 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Tue, 22 Feb 2011 11:48:17 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: request-tracker3.8: Back button attacks
Date: Tue, 22 Feb 2011 11:44:03 +0000
Package: request-tracker3.8
Version: 3.8.8-7
Severity: important
Tags: security
The following appears in the changelog of 3.8.9:
* Redirect users to their desired pages after login.
This prevents possible back button attacks after a user logs out.
This may warrant an update in s-p-u.
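The changelog entry above names the fix but not the mechanism, so here is an added illustration of the post-redirect-get login pattern it refers to. This is not Request Tracker's code: the "render directly" handler is an assumed, simplified pre-fix pattern rather than RT's actual implementation, and the credential store, session table, browser-history model and the `safe_next_path` check on the "desired page" parameter are all constructed for the example.

```python
"""Added illustration (not Request Tracker's code): why a login handler should
answer a credential POST with a redirect instead of rendering the page itself.
The 'pre-fix' handler is an assumed, simplified pattern, not RT's implementation.
"""
import secrets
from urllib.parse import urlsplit

USERS = {"alice": "correct horse"}   # constructed credential store
SESSIONS = {}                        # constructed in-memory session table: sid -> user


def safe_next_path(next_param, default="/"):
    """Accept the 'desired page' only as a same-site absolute path.

    Anything with a scheme or host (including scheme-relative '//host') or a
    backslash (which some browsers normalise to '/') falls back to default, so
    the post-login redirect cannot be turned into an open redirect.
    """
    if not next_param:
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/") or "\\" in next_param:
        return default
    return next_param


def _authenticate(form):
    """Return a fresh session id on valid credentials, else None."""
    user = form.get("user")
    if user is None or USERS.get(user) != form.get("pass"):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def login_render_directly(form):
    """Assumed pre-fix pattern: POST /login returns 200 with the requested page.

    The browser's history entry for the landing page is then the POST itself,
    credentials included, which 'back' can offer to re-submit after a later logout.
    """
    sid = _authenticate(form)
    if sid is None:
        return 200, {}, "login form"
    return 200, {"Set-Cookie": f"sid={sid}; HttpOnly; Path=/"}, f"page {form.get('next')}"


def login_redirect(form):
    """Post-redirect-get: POST /login answers 303 See Other to the desired page.

    The browser follows with a GET, so the history entry holding the page is a
    GET without credentials; the POST is not what 'back' lands on.
    """
    sid = _authenticate(form)
    if sid is None:
        return 200, {}, "login form"
    headers = {
        "Set-Cookie": f"sid={sid}; HttpOnly; Path=/",
        "Location": safe_next_path(form.get("next")),
    }
    return 303, headers, ""


class Browser:
    """Tiny constructed history model: a 303 replaces the POST entry with a GET."""

    def __init__(self):
        self.history = []

    def submit_login(self, handler, form):
        status, headers, body = handler(form)
        if status == 303:
            self.history.append(("GET", headers["Location"], None))
        else:
            self.history.append(("POST", "/login", dict(form)))
        return status, headers, body

    def back_would_resubmit_credentials(self):
        method, _path, body = self.history[-1]
        return method == "POST" and body is not None and "pass" in body


def history_replays_credentials(handler):
    """Run one successful login through the model and report the exposure."""
    browser = Browser()
    form = {"user": "alice", "pass": "correct horse", "next": "/Ticket/Display.html?id=1"}
    browser.submit_login(handler, form)
    return browser.back_would_resubmit_credentials()


if __name__ == "__main__":
    print("render directly:", history_replays_credentials(login_render_directly))  # True
    print("redirect:       ", history_replays_credentials(login_redirect))         # False
```

The redirect alone does not stop a browser from showing a cached copy of an authenticated page after logout; that is a separate concern normally handled with `Cache-Control: no-store` on authenticated responses, which is general practice rather than anything this bug log discusses.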
Bug marked as fixed in versions request-tracker3.8/3.8.9-1. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Tue, 22 Feb 2011 11:54:08 GMT)
Changed bug title to 'request-tracker3.8: CVE-2011-1007: Back button attacks' from 'request-tracker3.8: Back button attacks'. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 25 Feb 2011 18:09:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>: Bug#614575; Package request-tracker3.8. (Fri, 25 Feb 2011 18:54:06 GMT)
Acknowledgement sent to Niko Tyni <ntyni@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Fri, 25 Feb 2011 18:54:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>: Bug#614575; Package request-tracker3.8. (Sun, 10 Apr 2011 11:33:08 GMT)
Acknowledgement sent to Dominic Hargreaves <dom@earth.li>: Extra info received and forwarded to list. Copy sent to Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Sun, 10 Apr 2011 11:33:12 GMT)
To: Niko Tyni <ntyni@debian.org>, 614575@bugs.debian.org
Subject: Re: [request-tracker-maintainers] Bug#614575: CVE IDs etc.
Date: Sun, 10 Apr 2011 12:31:54 +0100
On Fri, Feb 25, 2011 at 08:04:31PM +0200, Niko Tyni wrote:
> package request-tracker3.8
> retitle 614575 request-tracker3.8: CVE-2011-1007: Back button attacks
> On Tue, Feb 22, 2011 at 11:44:03AM +0000, Dominic Hargreaves wrote:
> > The following appears in the changelog of 3.8.9:
> >
> > * Redirect users to their desired pages after login.
> > This prevents possible back button attacks after a user logs out.
> >
>
> This has been assigned CVE-2011-1007.
I discussed this a bit with upstream and I concluded that although it's
clearly a useful security enhancement, it probably doesn't qualify as a
security bug that justifies the potentially large breakage in stable that
a stable update would entail (we know, for example, that it would break
a popular extension).
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Bug closed, send any further explanations to Dominic Hargreaves <dom@earth.li>. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sun, 10 Apr 2011 12:55:01 GMT)
Message sent to Dominic Hargreaves <dom@earth.li>: Bug#614575. (Sun, 10 Apr 2011 13:27:19 GMT)