Debian: DSA-1944-1: New request-tracker packages fix session hijack vulnerability

    Date: 03 Dec 2009
    Category: Debian
    Posted by: LinuxSecurity Advisories
    Mikal Gule discovered that request-tracker, an extensible trouble-ticket tracking system, is prone to an attack in which an attacker with access to the same domain can hijack a user's RT session.
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1944-1                  security@debian.org
    http://www.debian.org/security/                      Steffen Joeris
    December 03, 2009                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : request-tracker3.4/request-tracker3.6
    Vulnerability  : session hijack
    Problem type   : remote
    Debian-specific: no
    CVE Id         : CVE-2009-3585
    
    
    Mikal Gule discovered that request-tracker, an extensible trouble-ticket
    tracking system, is prone to an attack in which an attacker with access
    to the same domain can hijack a user's RT session.
    
    
    For the stable distribution (lenny), this problem has been fixed in
    version 3.6.7-5+lenny3.
    
    For the oldstable distribution (etch), this problem has been fixed in
    version 3.6.1-4+etch1 of request-tracker3.6 and version 3.4.5-2+etch1
    of request-tracker3.4.
    
    For the testing distribution (squeeze), this problem will be fixed soon.
    
    For the unstable distribution (sid), this problem has been fixed in
    version 3.6.9-2.
    
    We recommend that you upgrade your request-tracker packages.
    
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/r/request-tracker3.4/request-tracker3.4_3.4.5-2+etch1.diff.gz
        Size/MD5 checksum:    24450 41891b8a012e671b706facdf4ece3402
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.1-4+etch1.diff.gz
        Size/MD5 checksum:    23488 3c3914d16ad3e719cd502e2490561cc0
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.1-4+etch1.dsc
        Size/MD5 checksum:      916 c03c1972b5ccab3574f9dfdd3fec0bee
      http://security.debian.org/pool/updates/main/r/request-tracker3.4/request-tracker3.4_3.4.5-2+etch1.dsc
        Size/MD5 checksum:      876 5a18cf29db217c6fd2265f6923a938cb
      http://security.debian.org/pool/updates/main/r/request-tracker3.4/request-tracker3.4_3.4.5.orig.tar.gz
        Size/MD5 checksum:  1410154 16c8007cba54669e6c9de95cfc680b2a
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.1.orig.tar.gz
        Size/MD5 checksum:  1545708 40c5a828fadaeef9e150255a517d0b17
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-apache2_3.6.1-4+etch1_all.deb
        Size/MD5 checksum:   118264 318517b3d5539a84dee1639710048d92
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-apache_3.6.1-4+etch1_all.deb
        Size/MD5 checksum:   117786 6f3da07edc9499cc282ceed8e71cf26d
      http://security.debian.org/pool/updates/main/r/request-tracker3.4/rt3.4-clients_3.4.5-2+etch1_all.deb
        Size/MD5 checksum:   120578 e404452bd2f9128255550644b26c72de
      http://security.debian.org/pool/updates/main/r/request-tracker3.4/request-tracker3.4_3.4.5-2+etch1_all.deb
        Size/MD5 checksum:  1198788 9af1648e53a722155dfd9acaaaf364cd
      http://security.debian.org/pool/updates/main/r/request-tracker3.4/rt3.4-apache_3.4.5-2+etch1_all.deb
        Size/MD5 checksum:    92002 009fe1090c6142409210f3304f63240d
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.1-4+etch1_all.deb
        Size/MD5 checksum:  1315556 9a06544261bd4b7800ae89065d4f4317
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-clients_3.6.1-4+etch1_all.deb
        Size/MD5 checksum:   146902 8c4a83429ef704025849373a24cf06d5
      http://security.debian.org/pool/updates/main/r/request-tracker3.4/rt3.4-apache2_3.4.5-2+etch1_all.deb
        Size/MD5 checksum:    92402 2737f376b27e6c3087dd355e5977edb5
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.7.orig.tar.gz
        Size/MD5 checksum:  1764471 46c0b29cd14010ee6a3f181743aeb6ef
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.7-5+lenny3.dsc
        Size/MD5 checksum:     1623 b8a904d8fa89cf4ea78fce2d95d95701
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.7-5+lenny3.diff.gz
        Size/MD5 checksum:    51485 7b588a81fe9cbaa4bd9ac7d07b76d8f8
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-db-mysql_3.6.7-5+lenny3_all.deb
        Size/MD5 checksum:   185574 f71cdd55d18a69d908eea7f35434098c
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-db-sqlite_3.6.7-5+lenny3_all.deb
        Size/MD5 checksum:   185676 82fe2682e028c113f469117937649636
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-apache2_3.6.7-5+lenny3_all.deb
        Size/MD5 checksum:   187274 15328ffc1f76bd4e864c9c0faf4a4724
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-db-postgresql_3.6.7-5+lenny3_all.deb
        Size/MD5 checksum:   185576 6c40b8a471370911da6e12cdc6b85727
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.7-5+lenny3_all.deb
        Size/MD5 checksum:  1540476 9d2cff7aca09a68a7b2707f91a6272ca
      http://security.debian.org/pool/updates/main/r/request-tracker3.6/rt3.6-clients_3.6.7-5+lenny3_all.deb
        Size/MD5 checksum:   215800 5052e370d018a81b9b786eb539b7cb05
    
    
      These files will probably be moved into the stable distribution on
      its next update.
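    The manual "wget url" / "dpkg -i file.deb" route above skips the signature
    checking that apt performs, so the only integrity check left is the
    Size/MD5 line printed next to each file. The following shell function is an
    added example, not part of the Debian advisory or of the Debian tooling: it
    checks a downloaded file's byte count and MD5 digest against the values
    from the advisory before the package is installed. The function names,
    the demo file contents ("hello\n") and the temporary paths are constructed
    for this example. Note the caveat: MD5 is no longer collision-resistant, so
    these checksums guard against truncated or corrupted downloads rather than
    against a capable attacker; for that you want the PGP-signed advisory or
    apt's signed Release files.

```shell
#!/bin/sh
# Added example (not from the advisory): verify a downloaded .deb against the
# "Size/MD5 checksum" line published in a DSA before running "dpkg -i".

# md5_of FILE -> prints the hex MD5 digest, using md5sum (GNU) or md5 (BSD).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only if both the byte count and the MD5 digest match the advisory.
# The size is checked first so a truncated download fails fast without hashing.
verify_deb() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" -ne "$want_size" ]; then
        echo "size mismatch for $file: got $have_size, advisory says $want_size" >&2
        return 1
    fi
    have_md5=$(md5_of "$file")
    if [ "$have_md5" != "$want_md5" ]; then
        echo "MD5 mismatch for $file: got $have_md5, advisory says $want_md5" >&2
        return 1
    fi
    echo "ok: $file"
    return 0
}

# Self-contained demo on a constructed file (not a real .deb): "hello\n" is
# 6 bytes long and has MD5 b1946ac92492d2347c6235b4d2611184.
demo() {
    f=$(mktemp)
    printf 'hello\n' > "$f"
    if verify_deb "$f" 6 b1946ac92492d2347c6235b4d2611184; then rc=0; else rc=$?; fi
    rm -f "$f"
    return $rc
}

demo

# Real usage, with the lenny values from this advisory:
#   wget http://security.debian.org/pool/updates/main/r/request-tracker3.6/request-tracker3.6_3.6.7-5+lenny3_all.deb
#   verify_deb request-tracker3.6_3.6.7-5+lenny3_all.deb 1540476 9d2cff7aca09a68a7b2707f91a6272ca \
#       && dpkg -i request-tracker3.6_3.6.7-5+lenny3_all.deb
```

    A mismatch returns non-zero, so chaining the check with `&& dpkg -i` keeps a
    corrupt or wrong-version file from being installed.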
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: debian-security-announce@lists.debian.org
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
    