Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>: Bug#614576; Package request-tracker3.8.
(Tue, 22 Feb 2011 11:48:21 GMT)
Acknowledgement sent
to Dominic Hargreaves <dom@earth.li>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>.
(Tue, 22 Feb 2011 11:48:21 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: request-tracker3.8: Scrip information leakage
Date: Tue, 22 Feb 2011 11:46:04 +0000
Package: request-tracker3.8
Version: 3.8.8-7
Severity: important
Tags: security
The following appears in the changelog of 3.8.9:
* Clone Scrip's TicketObj since we change the CurrentUser and it can leak
information (Custom field values, etc)
This may warrant an update in s-p-u.
Bug Marked as fixed in versions request-tracker3.8/3.8.9-1.
Request was from Dominic Hargreaves <dom@earth.li>
to control@bugs.debian.org.
(Tue, 22 Feb 2011 11:54:09 GMT)
Changed Bug title to 'request-tracker3.8: CVE-2011-1008: Scrip information leakage' from 'request-tracker3.8: Scrip information leakage'
Request was from Niko Tyni <ntyni@debian.org>
to control@bugs.debian.org.
(Fri, 25 Feb 2011 18:09:09 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>: Bug#614576; Package request-tracker3.8.
(Fri, 25 Feb 2011 18:54:08 GMT)
Acknowledgement sent
to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>.
(Fri, 25 Feb 2011 18:54:08 GMT)
Subject: Bug#614576: fixed in request-tracker3.8 3.8.8-7+squeeze1
Date: Wed, 20 Apr 2011 01:55:51 +0000
Source: request-tracker3.8
Source-Version: 3.8.8-7+squeeze1
We believe that the bug you reported is fixed in the latest version of
request-tracker3.8, which is due to be installed in the Debian FTP archive:
request-tracker3.8_3.8.8-7+squeeze1.diff.gz
to main/r/request-tracker3.8/request-tracker3.8_3.8.8-7+squeeze1.diff.gz
request-tracker3.8_3.8.8-7+squeeze1.dsc
to main/r/request-tracker3.8/request-tracker3.8_3.8.8-7+squeeze1.dsc
request-tracker3.8_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/request-tracker3.8_3.8.8-7+squeeze1_all.deb
rt3.8-apache2_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-apache2_3.8.8-7+squeeze1_all.deb
rt3.8-clients_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-clients_3.8.8-7+squeeze1_all.deb
rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 614576@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated request-tracker3.8 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 14 Apr 2011 08:55:14 +0100
Source: request-tracker3.8
Binary: request-tracker3.8 rt3.8-clients rt3.8-apache2 rt3.8-db-postgresql rt3.8-db-mysql rt3.8-db-sqlite
Architecture: source all
Version: 3.8.8-7+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description:
request-tracker3.8 - extensible trouble-ticket tracking system
rt3.8-apache2 - Apache 2 specific files for request-tracker3.8
rt3.8-clients - mail gateway and command-line interface to request-tracker3.8
rt3.8-db-mysql - MySQL database backend for request-tracker3.8
rt3.8-db-postgresql - PostgreSQL database backend for request-tracker3.8
rt3.8-db-sqlite - SQLite database backend for request-tracker3.8
Closes: 614576
Changes:
request-tracker3.8 (3.8.8-7+squeeze1) stable-security; urgency=high
.
* Security fix: fix information leakage in scrips (Closes: 614576;
CVE-2011-1008)
* Multiple security fixes for:
- Remote code execution in external custom fields (CVE-2011-1685)
- Information disclosure via SQL injection (CVE-2011-1686)
- Information disclosure via search interface (CVE-2011-1687)
- Information disclosure via directory traversal (CVE-2011-1688)
- User javascript execution via XSS vulnerability (CVE-2011-1689)
- Authentication credentials theft (CVE-2011-1690)
Checksums-Sha1:
ad823570406581796e6312f1016d188225057778 1632 request-tracker3.8_3.8.8-7+squeeze1.dsc
be3ac598dcbf584f9bcd9a49248a9ccd3affb330 5109734 request-tracker3.8_3.8.8.orig.tar.gz
442bc7dfd8a46e1b034ae41a8505f17036183080 83370 request-tracker3.8_3.8.8-7+squeeze1.diff.gz
144014473a8f3b1b224e7950a4186aa561b9dfb4 4656416 request-tracker3.8_3.8.8-7+squeeze1_all.deb
267277fd65f83e2e8567d2616cb387e01f714eae 47020 rt3.8-clients_3.8.8-7+squeeze1_all.deb
0608364eb70e163515c3921f1f42aabbeac461d3 12450 rt3.8-apache2_3.8.8-7+squeeze1_all.deb
06041598f589105a3bbe03bade37470256e0230d 11134 rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
5e3aea667516da514a9a90501073e98d93aafa79 11134 rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
b8222869f3a915fbe5f49c9a473f0b59d207ae1f 11226 rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
Checksums-Sha256:
b5d3cfa8409b2c66df4f434705ab99af9e31c20684ea75b77dd14e5be1d0130a 1632 request-tracker3.8_3.8.8-7+squeeze1.dsc
d3932febc5b3fa1da1168713f305a095ea6b40dd22d508849471e6637ba04c02 5109734 request-tracker3.8_3.8.8.orig.tar.gz
f3713dc51a6dbb0e5a445626a462efdd29c4850fd1a7ced46d07fa4a8a53df8a 83370 request-tracker3.8_3.8.8-7+squeeze1.diff.gz
beec7ee70ccbaed7d616dc54988d36c03fb5137548f5ee3863e0f596c3557ae1 4656416 request-tracker3.8_3.8.8-7+squeeze1_all.deb
ec8ff0be77210063f840d5ad2ae720817ad235fcf86d651881c159c6d81cde00 47020 rt3.8-clients_3.8.8-7+squeeze1_all.deb
fbd183972df1a3c30f6314d3c3b0373be22d6dfd811edd3bc8c0db8c79f077dd 12450 rt3.8-apache2_3.8.8-7+squeeze1_all.deb
a83d45436c3fd9cc39d47a3d68bd3d10c266785ff9b502afcc6cf028ecf79d9d 11134 rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
00cafd445840905337c499855f76374d5179a864e3ece372f6f420c9b0e63b12 11134 rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
deb075b3ce94babb4c274310f5a9142bcad878bac2fcf92ed7fa73bae50159e6 11226 rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
Files:
89060935bb2e4552dcec70205480f315 1632 misc optional request-tracker3.8_3.8.8-7+squeeze1.dsc
de062840ce6e2fdb323d77dddf8ff485 5109734 misc optional request-tracker3.8_3.8.8.orig.tar.gz
30a52734a3aac6914591d3115707666c 83370 misc optional request-tracker3.8_3.8.8-7+squeeze1.diff.gz
d677ce379af31b287a816e499a4561e9 4656416 misc optional request-tracker3.8_3.8.8-7+squeeze1_all.deb
b11befa7a21f6d039a408adf62c524c5 47020 misc optional rt3.8-clients_3.8.8-7+squeeze1_all.deb
6935f7973dd67f4456af062c8aecf4bc 12450 misc optional rt3.8-apache2_3.8.8-7+squeeze1_all.deb
c199403b24b5e9e3c41b2d3b49412426 11134 misc optional rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
81d4715c06630ee391040e74e799f285 11134 misc optional rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
4575725abd5cf5e7648ea6fb51b9d88f 11226 misc optional rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFNrbAfYzuFKFF44qURAtmxAJ9KVXwf7Mlu8d7eQs+R3ezKoH7/YACgnK0B
ZrycySH+GaSAyOMFgOBMyGM=
=A+fr
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 18 May 2011 07:41:43 GMT)