Debian: DSA-5181-1: request-tracker4 security update | LinuxSecurit...

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5181-1                   [email protected]
https://www.debian.org/security/                     Salvatore Bonaccorso
July 13, 2022                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker4
CVE ID         : CVE-2022-25802

Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system.

CVE-2022-25802

   It was discovered that Request Tracker is vulnerable to a cross-site
   scripting (XSS) attack when displaying attachment content with
   fraudulent content types.

Additionally it was discovered that Request Tracker did not perform full
rights checks on accesses to file or image type custom fields, possibly
allowing access to these custom fields by users without rights to access
to the associated objects, resulting in information disclosure.

For the oldstable distribution (buster), these problems have been fixed
in version 4.4.3-2+deb10u2.

For the stable distribution (bullseye), these problems have been fixed in
version 4.4.4+dfsg-2+deb11u2.

We recommend that you upgrade your request-tracker4 packages.

For the detailed security status of request-tracker4 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/request-tracker4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

Debian: DSA-5181-1: request-tracker4 security update

July 13, 2022
Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system

Summary

CVE-2022-25802

It was discovered that Request Tracker is vulnerable to a cross-site
scripting (XSS) attack when displaying attachment content with
fraudulent content types.

Additionally it was discovered that Request Tracker did not perform full
rights checks on accesses to file or image type custom fields, possibly
allowing access to these custom fields by users without rights to access
to the associated objects, resulting in information disclosure.

For the oldstable distribution (buster), these problems have been fixed
in version 4.4.3-2+deb10u2.

For the stable distribution (bullseye), these problems have been fixed in
version 4.4.4+dfsg-2+deb11u2.

We recommend that you upgrade your request-tracker4 packages.

For the detailed security status of request-tracker4 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/request-tracker4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

Severity
Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system.

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.