Debian Security Advisory

DSA-2480-4 request-tracker3.8 -- several vulnerabilities

Date Reported:
15 Sep 2012
Affected Packages:
request-tracker3.8
Security database references:
In the Debian bugtracking system: Bug 674924, Bug 675369.
In Mitre's CVE dictionary: CVE-2011-2082, CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458, CVE-2011-4459, CVE-2011-4460.
More information:

Several vulnerabilities were discovered in Request Tracker, an issue tracking system:

  • CVE-2011-2082

    The vulnerable-passwords scripts introduced for CVE-2011-0009 failed to correct the password hashes of disabled users.

  • CVE-2011-2083

    Several cross-site scripting issues have been discovered.

  • CVE-2011-2084

    Password hashes could be obtained by privileged users.

  • CVE-2011-2085

    Several cross-site request forgery vulnerabilities have been found. If this update breaks your setup, you can restore the old behaviour by setting $RestrictReferrer to 0 in RT_SiteConfig.pm; note that doing so switches off the referrer check, and with it the CSRF protection this update adds.

  • CVE-2011-4458

    The code to support variable envelope return paths allowed the execution of arbitrary code.

  • CVE-2011-4459

    Disabled groups were not consistently treated as disabled.

  • CVE-2011-4460

    An SQL injection vulnerability, exploitable only by privileged users.

Please note that if you run request-tracker3.8 under the Apache web server, you must stop and then start Apache manually after upgrading. Do not rely on the restart mechanism, especially when using mod_perl.

For the stable distribution (squeeze), these problems have been fixed in version 3.8.8-7+squeeze5.

For the unstable distribution (sid), these problems have been fixed in version 4.0.5-3.

We recommend that you upgrade your request-tracker3.8 packages.
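As an added example, which is not part of this advisory or of Request Tracker, the following POSIX shell script ties the operational points above together: it reports whether the installed request-tracker3.8 still predates 3.8.8-7+squeeze5, applies the update with a stop followed by a start of Apache rather than a restart, and flags an RT_SiteConfig.pm in which $RestrictReferrer has been set to 0, the compatibility fallback offered under CVE-2011-2085 that turns the CSRF check off. Assumed rather than taken from the advisory: Debian squeeze with apache2 under sysvinit (/etc/init.d/apache2), the Debian config path /etc/request-tracker3.8/RT_SiteConfig.pm, and a simplified version ordering that is used only when dpkg is absent (dpkg's own ordering is used when available). All function names are the example's own.

```shell
#!/bin/sh
# Added example for DSA-2480-4; not part of the advisory or of Request Tracker.
# Assumptions: Debian squeeze, apache2 under sysvinit (/etc/init.d/apache2),
# RT site config at /etc/request-tracker3.8/RT_SiteConfig.pm (Debian default).
set -u

PKG='request-tracker3.8'
FIXED_VERSION='3.8.8-7+squeeze5'                      # fixed version per the advisory
RT_SITECONFIG='/etc/request-tracker3.8/RT_SiteConfig.pm'

# Exit 0 when version $1 sorts before version $2 in Debian ordering.
# dpkg is the authoritative implementation; the fallback is a simplified
# field-by-field numeric comparison that agrees with dpkg for plain
# upstream-revision+suiteN strings like the ones in this advisory
# (it does not handle epochs or '~').
deb_version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2" && return 0
        return 1
    fi
    a=$(printf '%s' "$1" | tr -c '0-9' ' ' | tr -s ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ' | tr -s ' ')
    a=${a# }; a=${a% }; b=${b# }; b=${b% }
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        if [ "$a" = "$x" ]; then a=''; else a=${a#* }; fi
        if [ "$b" = "$y" ]; then b=''; else b=${b#* }; fi
        [ "${x:-0}" -lt "${y:-0}" ] && return 0   # a missing field counts as 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1   # equal
}

# Installed version of package $1, or empty when it is not installed.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || true
}

# Exit 0 when the site config (file $1, default RT_SITECONFIG) contains an
# active "Set($RestrictReferrer, 0)" line, i.e. the referrer-based CSRF check
# that this update adds has been switched off. Commented-out lines do not match.
restrict_referrer_disabled() {
    grep -Eq '^[[:space:]]*Set[[:space:]]*\([[:space:]]*\$RestrictReferrer[[:space:]]*,[[:space:]]*0[[:space:]]*\)' \
        "${1:-$RT_SITECONFIG}" 2>/dev/null
}

# Upgrade the package, then cycle Apache as a stop followed by a start;
# the advisory says not to rely on "restart", especially under mod_perl.
apply_update() {
    apt-get update && apt-get install "$PKG" || return 1
    /etc/init.d/apache2 stop
    /etc/init.d/apache2 start
}

case "${1:-}" in
    check)
        v=$(installed_version "$PKG")
        if [ -z "$v" ]; then
            echo "$PKG is not installed"
        elif deb_version_lt "$v" "$FIXED_VERSION"; then
            echo "$PKG $v is older than $FIXED_VERSION: update needed"
        else
            echo "$PKG $v is at or past $FIXED_VERSION"
        fi
        if restrict_referrer_disabled; then
            echo "warning: \$RestrictReferrer is 0 in $RT_SITECONFIG; CSRF protection is off"
        fi
        ;;
    apply)
        apply_update
        ;;
    *)
        echo "usage: $0 check|apply" >&2
        ;;
esac
```

Run `sh dsa-2480-4.sh check` on each squeeze host to see whether it still needs the update and whether someone has already relaxed the CSRF check, and `sh dsa-2480-4.sh apply` as root to upgrade and cycle Apache. The version check is a plain Debian version comparison, so the script reports an unstable host at 4.0.5-3 as not needing this update, as the advisory states.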