ESB-2012.0494.4 - UPDATE [Win][UNIX/Linux][Debian] request-tracker3.8: Multiple vulnerabilities
Date: 17 September 2012
References: ESB-2011.0074
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0494.4
                     request-tracker3.8 security update
                              17 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           request-tracker3.8
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4460 CVE-2011-4459 CVE-2011-4458 CVE-2011-2085
                   CVE-2011-2084 CVE-2011-2083 CVE-2011-2082 CVE-2011-0009
Reference:         ESB-2011.0074

Original Bulletin:
   http://www.debian.org/security/2012/dsa-2480

Revision History:  September 17 2012: The calendar popup page in Internet
                                      Explorer would be blocked by the CSRF
                                      protection mechanism.
                   June 8 2012:       The recent security updates for
                                      request-tracker3.8, DSA-2480-1 &
                                      DSA-2480-2, contained another regression
                                      when running under mod_perl.
                   May 30 2012:       The recent request-tracker3.8 update
                                      DSA-2480-1 introduced a regression which
                                      caused outgoing mail to fail when running
                                      under mod_perl.
                   May 25 2012:       Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-4                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
September 15, 2012                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : regression
Debian-specific: no

The security updates for request-tracker3.8, DSA-2480-1, DSA-2480-2, and
DSA-2480-3, contained minor regressions. Namely:

 * The calendar popup page in Internet Explorer would be blocked by the
   CSRF protection mechanism.
 * Search results pages could not be shared without saving, sharing, and
   then loading the search.
 * rt-email-dashboards would fail with an error due to a call to an
   undefined "interp" method.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually. The "restart" mechanism
is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze5.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBUw7kACgkQYy49rUbZzloRmgCfRWU98a5Ug1c5HSGr9ltpRo17
hU8An0wDUZTxSnOEuHfScdRcmuCYB1aW
=BaTL
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-3                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
June 07, 2012                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : regression
Debian Bug     : 674924 675369

The recent security updates for request-tracker3.8, DSA-2480-1 and
DSA-2480-2, contained another regression when running under mod_perl.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually. The "restart" mechanism
is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze4.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJP0PsjAAoJEL97/wQC1SS+7ecH/jFMGacquBz3fhvbfztCPYEH
DMlxTJLl9yUEOfZM0bXrnmJaTMRS0FVFdQnqJ/APzq6T0Hh4NG8N4H6KhH/8N1PU
uBRO6wVBxZ4Q81c5FZ9MmyXXkqv84j1Se1oqPnZTR9BJ+hFwRF19BzWifMVcE3SC
QzGyUOHJ/r/n52KaQP1YUQli+GZaG7RNlYBY34Zag2vuEXXheQyW++O/830mJvz6
M89FnXazM4NuByEm8wINlq5GkJ2+pYNzx8WWNw7rqzJWPiiqXeFPsTcAnUqHHJlA
aacZTM9prUuUDcZhtvUM+fLCWash5xJtYYNh4bIDSjO2JSJhLr50qLF47yB2yc0=
=CgeJ
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-2                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
May 29, 2012                           http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : regression
Problem type   : remote
Debian-specific: no

It was discovered that the recent request-tracker3.8 update, DSA-2480-1,
introduced a regression which caused outgoing mail to fail when running
under mod_perl.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually. The "restart" mechanism
is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze3.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJPxSLMAAoJEL97/wQC1SS+G3kH/Raa0U94IZOS/6CeabfnXXWh
APwy/SY2A8yWoEMcP4NnClwnElu6W/V6B+a3f7To0k7nOvM+kLWLBhAR2iNVaxqR
R0+X115GefhZ4RzDge7z2qoXz+zif/BycVrv5VX0XH7UA/9YtCJBRLiOo2jW8s/E
qB+YpHXVjm1op5aQqz+ihX7o67jZMxkkANleP5R0T5IMq0ilLXIOyNIjHK/ldxFf
jK18XGdN5RXqEBYBa9a45c+KVas8Dt5eaCZpXQhCrI/beBd075+dB30Rofl3WZVU
RI+zDoXiKoV3hXcG0YudM34rnbC9MrsknYg+OaGatRoPlnYlJRc0znUD2ikqXSw=
=8t9U
- -----END PGP SIGNATURE-----

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-1                   security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
May 24, 2012                           http://www.debian.org/security/faq
- - - -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2082 CVE-2011-2083 CVE-2011-2084 CVE-2011-2085
                 CVE-2011-4458 CVE-2011-4459 CVE-2011-4460

Several vulnerabilities were discovered in Request Tracker, an issue
tracking system:

CVE-2011-2082

   The vulnerable-passwords scripts introduced for CVE-2011-0009 failed
   to correct the password hashes of disabled users.

CVE-2011-2083

   Several cross-site scripting issues have been discovered.

CVE-2011-2084

   Password hashes could be disclosed by privileged users.

CVE-2011-2085

   Several cross-site request forgery vulnerabilities have been found.
   If this update breaks your setup, you can restore the old behaviour
   by setting $RestrictReferrer to 0.

CVE-2011-4458

   The code to support variable envelope return paths allowed the
   execution of arbitrary code.

CVE-2011-4459

   Disabled groups were not fully accounted as disabled.

CVE-2011-4460

   SQL injection vulnerability, only exploitable by privileged users.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 4.0.5-3.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk++cYMACgkQXm3vHE4uylokxACguQb84ehN2ODvrYW4Mr1CmOLY
XIkAoJ/DIybBV9MxZA7txyMDE56vsWeM
=+4ft
- - -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUFaHEO4yVqjM2NGpAQLeWA//fGpLTYIt8H8du0phgW+6yPFEdZ5KSUPE
nFbZaTjmgvt3W8uUiDlLtJN59t3zRSl9EekJs/0BC1xgNUzNvgYWQUjAVtQdF27T
KEJ0acIN5MBGRUvtnGfZBdAmcXxvPAsge/11uKSjb3JlcueL9Mx/q6R4x65eWpA7
krekFUFC6ThMinBnHEWQuZ/cEgT/4nZ/NWhPiIU+Eo86B+RQ9jlgDFtM4XgcuxD8
B3o0vB1v9kmhvY7jFSOmBB8eNg0F2QY3xN3li+tuD0a5TokcjrUcP9UTLDmG++kU
mPpyZDKhqESzSJi6F+fLmXZQPYm1P3NY1OaR4TDut8mcuOiR27ThcHGXHMFIEFhV
UiGObdklcIzrrnSQksamav6wPDNEdgcImb/oP5FvXD+9nImFMVU/K307N7fKMHJC
/WhBZ6dDRffcbZcELbIhBg0Dh12HILJgTst0FTGffvdVDH0iGQ1ReoKOz+CRTb1e
A8G42JMnrgRq08Z9wdQ/D+jY9ULPx9JvDjFPylhJgLg7w0my+j7mo3D3pedLjcxf
WmFd6D0zzbUq5a+w++D9iTyTqn5kQff3qwhnv9oaprRlhchSEbxS2lG/xD87pECq
GcuX4N+wXpnsBA6xvCymab541sa9/SuFzAldMJ8bsI9hd8rXzbYL4emQ9M/Kq2GA
kLiAgkhNk7Q=
=PxKa
-----END PGP SIGNATURE-----