Debian: DSA-2670-1: request-tracker3.8 security update

    Date 22 May 2013
    Posted By LinuxSecurity Advisories
    
    -------------------------------------------------------------------------
    Debian Security Advisory DSA-2670-1                   security@debian.org
    https://www.debian.org/security/                      Salvatore Bonaccorso
    May 22, 2013                           https://www.debian.org/security/faq
    -------------------------------------------------------------------------
    
    Package        : request-tracker3.8
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2013-3368 CVE-2013-3369 CVE-2013-3370 CVE-2013-3371 
                     CVE-2013-3372 CVE-2013-3373 CVE-2013-3374
    
    Multiple vulnerabilities have been discovered in Request Tracker, an
    extensible trouble-ticket tracking system. The Common Vulnerabilities
    and Exposures project identifies the following problems:
    
    CVE-2013-3368
    
        The rt command line tool uses semi-predictable temporary files. A
        malicious user can use this flaw to overwrite files with permissions
        of the user running the rt command line tool.
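As an added illustration of the issue class behind CVE-2013-3368 (this is not the rt tool's own code; the function names and the /tmp path are constructed for the example): a temporary-file name derived from the process id, beside the File::Temp pattern that avoids the problem by choosing a random name and opening it with O_EXCL so a pre-existing file or symlink is refused rather than followed.

```perl
#!/usr/bin/perl
# Added example: predictable temp file name vs File::Temp (a core module).
# Not the rt tool's code; names and paths are constructed for illustration.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Pattern to avoid: the name is derived from the PID, so another local
# user can guess it and place a file or symlink at that path before the
# tool opens it; a later write then lands wherever the link points.
sub predictable_temp_path {
    return "/tmp/rt-edit.$$";
}

# Preferred: File::Temp picks a random name, opens it with O_CREAT|O_EXCL
# (an existing entry makes the open fail instead of being followed) and
# returns the already-open handle. UNLINK removes the file at exit.
sub safe_temp_file {
    my ($fh, $path) = tempfile('rt-edit-XXXXXXXX', DIR => '/tmp', UNLINK => 1);
    return ($fh, $path);
}

# Defensive open of a fixed path you must use anyway: O_EXCL refuses an
# existing entry, so a planted symlink cannot redirect the write.
sub open_exclusive {
    my ($path) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or return undef;
    return $fh;
}

my ($fh, $path) = safe_temp_file();
print {$fh} "draft ticket text\n";
close $fh;
print "wrote $path\n";
print "predictable name would have been ", predictable_temp_path(), "\n";
```

The handle returned by tempfile is the one to write through; reopening the path by name later reintroduces the race the random name was meant to close.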
    
    CVE-2013-3369
    
        A malicious user who is allowed to see administration pages can run
        arbitrary mason components (without control of arguments), which may
        have negative side-effects.
    
    CVE-2013-3370
    
        Request Tracker allows direct requests to private callback
        components, which could be used to exploit a Request Tracker
        extension or a local callback which uses the arguments passed to it
        insecurely.
    
    CVE-2013-3371
    
        Request Tracker is vulnerable to cross-site scripting attacks via
        attachment filenames.
    
    CVE-2013-3372
    
        Dominic Hargreaves discovered that Request Tracker is vulnerable to
        an HTTP header injection limited to the value of the
        Content-Disposition header.
    
    CVE-2013-3373
    
        Request Tracker is vulnerable to a MIME header injection in outgoing
        email generated by Request Tracker.
    
        The stock Request Tracker templates are fixed by this update, but any
        custom email templates should be updated to ensure that values
        interpolated into mail headers do not contain newlines.
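As an added illustration (not part of the advisory or of Request Tracker's code) of the header-injection class behind CVE-2013-3372 and CVE-2013-3373, and of the check the advisory asks custom-template authors to apply: a small Perl helper that removes line breaks from a value before it is interpolated into a mail or HTTP header. The `header_safe` and `content_disposition` names and the sample ticket subject are constructed for the example.

```perl
#!/usr/bin/perl
# Added example: neutralise CR/LF in values before they reach a header.
# Not Request Tracker code; helper names are constructed for illustration.
use strict;
use warnings;

# Return the value with every line break replaced by a single space, so a
# value such as "Subject\nX-Injected: 1" cannot start a second header line.
sub header_safe {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s/\r\n?|\n/ /g;       # CRLF, lone CR, lone LF -> space
    $value =~ s/^\s+|\s+$//g;       # trim surrounding whitespace
    return $value;
}

# Build a Content-Disposition header for an attachment name, quoting the
# filename and dropping characters that could close the quoted string or
# end the header line.
sub content_disposition {
    my ($filename) = @_;
    my $name = header_safe($filename);
    $name =~ s/["\\]//g;            # drop quote and backslash
    $name = 'attachment' if $name eq '';
    return qq{Content-Disposition: attachment; filename="$name"};
}

# Constructed sample: a ticket subject carrying an embedded line break,
# the shape of input the advisory warns custom templates about.
my $subject = "Printer broken\r\nX-Injected: 1";
my $unsafe = "Subject: $subject";               # interpolated as-is
my $safe   = "Subject: " . header_safe($subject);

print "unsafe (two header lines):\n$unsafe\n\n";
print "sanitised (one header line):\n$safe\n\n";
print content_disposition(qq{report".txt\nX-Injected: 1}), "\n";
```

In a custom RT template the same rule applies to every value that lands in a header line: pass it through a helper like this one (or equivalent) rather than interpolating it directly.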
    
    CVE-2013-3374
    
        Request Tracker is vulnerable to limited session re-use when using
        the file-based session store, Apache::Session::File. However, Request
        Tracker's default session configuration only uses
        Apache::Session::File when configured for Oracle databases.
    
    This version of Request Tracker includes a database content upgrade. If
    you are using a dbconfig-managed database, you will be offered the
    choice of applying this automatically. Otherwise see the explanation in
    /usr/share/doc/request-tracker3.8/NEWS.Debian.gz for the manual steps to
    perform.
    
    Please note that if you run request-tracker3.8 under the Apache web
    server, you must stop and start Apache manually. The "restart" mechanism
    is not recommended, especially when using mod_perl or any form of
    persistent perl process such as FastCGI or SpeedyCGI.
    
    For the oldstable distribution (squeeze), these problems have been fixed in
    version 3.8.8-7+squeeze7.
    
    The stable, testing and unstable distributions no longer contain
    request-tracker3.8, which has been replaced by request-tracker4.
    
    We recommend that you upgrade your request-tracker3.8 packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
    
    Mailing list: debian-security-announce@lists.debian.org
    