Debian Security Advisory

DSA-2567-1 request-tracker3.8 -- several vulnerabilities

Date Reported:
26 Oct 2012
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2012-4730, CVE-2012-4732, CVE-2012-4734, CVE-2012-4884, CVE-2012-6578, CVE-2012-6579, CVE-2012-6580, CVE-2012-6581.
More information:

Several vulnerabilities were discovered in Request Tracker (RT), an issue tracking system.

  • CVE-2012-4730

    Authenticated users can add arbitrary headers or content to mail generated by RT.

  • CVE-2012-4732

    A CSRF vulnerability may allow attackers to toggle ticket bookmarks.

  • CVE-2012-4734

    If users follow a crafted URI and log in to RT, they may trigger actions which would ordinarily be blocked by the CSRF prevention logic.

  • CVE-2012-6578, CVE-2012-6579, CVE-2012-6580, CVE-2012-6581

    Several different vulnerabilities in GnuPG processing allow attackers to cause RT to improperly sign outgoing email.

  • CVE-2012-4884

    If GnuPG support is enabled, authenticated users can create arbitrary files as the web server user, which may enable arbitrary code execution.

Please note that if you run request-tracker3.8 under the Apache web server, you must stop and start Apache manually. The restart mechanism is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), these problems have been fixed in version 3.8.8-7+squeeze6.

For the unstable distribution (sid), these problems have been fixed in version 4.0.7-2 of the request-tracker4 package.

We recommend that you upgrade your request-tracker3.8 packages.