Debian: DSA-2567-1 Moderate: Request Tracker 3.8 Remote Threats
debian
October 26, 2012
Several vulnerabilities were discovered in Request Tracker, an issue tracking system
Topics Covered
Summary
Several vulnerabilities were discovered in Request Tracker, an issue
tracking system.
CVE-2012-4730
Authenticated users can add arbitrary headers or content to
mail generated by RT.
CVE-2012-4732
A CSRF vulnerability may allow attackers to toggle ticket
bookmarks.
CVE-2012-4734
If users follow a crafted URI and log in to RT, they may
trigger actions which would ordinarily blocked by the CSRF
prevention logic.
CVE-2012-4735
Several different vulnerabilities in GnuPG processing allow
attackers to cause RT to improperly sign outgoing email.
CVE-2012-4884
If GnuPG support is enabled, authenticated users attackers can
create arbitrary files as the web server user, which may
enable arbitrary code execution.
Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually. The "restart"
mechanism is not recommended, especially when using mod_perl.
For the stable distribution (squeeze), these problems have been fixed
in version 3.8.8-7+squeeze6.
For ...
PREVIOUS
NEXT
Package: request-tracker3.8
CVE ID: CVE-2012-4730 CVE-2012-4732 CVE-2012-4734 CVE-2012-4735
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!