Debian: DSA-2671-1: request-tracker4 security update

    Date: 22 May 2013
    Category: Debian
    Posted by: LinuxSecurity Advisories
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2671-1
    http://www.debian.org/security/                      Salvatore Bonaccorso
    May 22, 2013                           http://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : request-tracker4
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2012-4733 CVE-2013-3368 CVE-2013-3369 CVE-2013-3370 
                     CVE-2013-3371 CVE-2013-3372 CVE-2013-3373 CVE-2013-3374
    
    Multiple vulnerabilities have been discovered in Request Tracker, an
    extensible trouble-ticket tracking system. The Common Vulnerabilities
    and Exposures project identifies the following problems:
    
    CVE-2012-4733
    
        A user with the ModifyTicket right can bypass the DeleteTicket right
        or any custom lifecycle transition rights and thus modify ticket data
        without authorization.
    
    CVE-2013-3368
    
        The rt command line tool uses semi-predictable temporary files. A
        malicious user can use this flaw to overwrite files with permissions
        of the user running the rt command line tool.
    
    CVE-2013-3369
    
        A malicious user who is allowed to see administration pages can run
        arbitrary mason components (without control of arguments), which may
        have negative side-effects.
    
    CVE-2013-3370
    
        Request Tracker allows direct requests to private callback
        components, which could be used to exploit a Request Tracker
        extension or a local callback which uses the arguments passed to it
        insecurely.
    
    CVE-2013-3371
    
        Request Tracker is vulnerable to cross-site scripting attacks via
        attachment filenames.
    
    CVE-2013-3372
    
        Dominic Hargreaves discovered that Request Tracker is vulnerable to
        an HTTP header injection limited to the value of the
        Content-Disposition header.
    
    CVE-2013-3373
    
        Request Tracker is vulnerable to a MIME header injection in outgoing
        email generated by Request Tracker.
    
        The stock Request Tracker templates are fixed by this update, but any
        custom email templates should be updated to ensure that values
        interpolated into mail headers do not contain newlines.
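    The two header-injection issues above (CVE-2013-3372 in the HTTP Content-Disposition header, CVE-2013-3373 in outgoing mail headers) share one root cause: a CR or LF inside an interpolated value ends the header line, and whatever follows is parsed as a further header. The Python below is an added example, not Request Tracker's code, showing the check and the sanitisation a custom template or callback should apply before interpolating a value into any header; the header names and sample values are constructed.

```python
import re
from email import message_from_string

# Both CVEs are CRLF injection into a header line. The defence is the same on
# the mail side and the HTTP side: never let CR or LF reach a header value.
_CRLF = re.compile(r"[\r\n]")


def header_value_is_safe(value: str) -> bool:
    """Reject-style check: True only if the value cannot end its header line."""
    return _CRLF.search(value) is None


def sanitize_header_value(value: str) -> str:
    """Collapse any CR/LF run (and indentation after it) into a single space."""
    return re.sub(r"[\r\n]+[ \t]*", " ", value).strip()


def build_mail_vulnerable(subject: str, to: str) -> str:
    # Mimics a template that interpolates a ticket value straight into a header.
    return f"To: {to}\r\nSubject: {subject}\r\n\r\nbody\r\n"


def build_mail_hardened(subject: str, to: str) -> str:
    # Same template, but every interpolated value is sanitised first.
    return build_mail_vulnerable(sanitize_header_value(subject),
                                 sanitize_header_value(to))


def parsed_headers(raw: str) -> dict:
    """Parse the generated message the way a receiving MTA/MUA would."""
    return dict(message_from_string(raw).items())


def content_disposition(filename: str) -> str:
    # HTTP side: the attachment filename is sanitised and quotes stripped
    # before it is placed in the Content-Disposition parameter.
    safe = sanitize_header_value(filename).replace('"', "")
    return f'attachment; filename="{safe}"'


# Constructed attacker-controlled subject carrying an extra header line.
INJECTED_SUBJECT = "Re: ticket 42\r\nX-Injected: 1"

if __name__ == "__main__":
    print(parsed_headers(build_mail_vulnerable(INJECTED_SUBJECT, "user@example.invalid")))
    print(parsed_headers(build_mail_hardened(INJECTED_SUBJECT, "user@example.invalid")))
```

    Run against the constructed subject, the vulnerable builder yields a parsed X-Injected header while the hardened builder keeps the whole value inside Subject.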
    
    CVE-2013-3374
    
        Request Tracker is vulnerable to limited session re-use when using
        the file-based session store, Apache::Session::File. However, Request
        Tracker's default session configuration only uses
        Apache::Session::File when configured for Oracle databases.
    
    This version of Request Tracker includes a database content upgrade. If
    you are using a dbconfig-managed database, you will be offered the
    choice of applying this automatically. Otherwise see the explanation in
    /usr/share/doc/request-tracker4/NEWS.Debian.gz for the manual steps to
    perform.
    
    Please note that if you run request-tracker4 under the Apache web
    server, you must stop and start Apache manually. The "restart" mechanism
    is not recommended, especially when using mod_perl or any form of
    persistent Perl process such as FastCGI or SpeedyCGI.
    
    For the stable distribution (wheezy), these problems have been fixed in
    version 4.0.7-5+deb7u2.
    
    For the testing distribution (jessie), these problems will be fixed
    soon.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 4.0.12-2.
    
    We recommend that you upgrade your request-tracker4 packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    