Security Information / 2011 / Security Information -- DSA-2150-1 request-tracker3.6

Debian Security Advisory

DSA-2150-1 request-tracker3.6 -- unsalted password hashing

Date Reported:

22 Jan 2011

Affected Packages:

request-tracker3.6

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2011-0009.

More information:

It was discovered that Request Tracker, an issue tracking system, stored passwords in its database by using an insufficiently strong hashing method. If an attacker would have access to the password database, he could decode the passwords stored in it.

For the stable distribution (lenny), this problem has been fixed in version 3.6.7-5+lenny5.

The testing distribution (squeeze) will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 3.8.8-7 of the request-tracker3.8 package.

We recommend that you upgrade your Request Tracker packages.