Debian Security Advisory
DSA-2567-1 request-tracker3.8 -- several vulnerabilities
- Date Reported:
- 26 Oct 2012
- Affected Packages:
- request-tracker3.8
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2012-4730, CVE-2012-4732, CVE-2012-4734, CVE-2012-4884, CVE-2012-6578, CVE-2012-6579, CVE-2012-6580, CVE-2012-6581.
- More information:
Several vulnerabilities were discovered in Request Tracker (RT), an issue tracking system.
- CVE-2012-4730
Authenticated users can add arbitrary headers or content to mail generated by RT.
- CVE-2012-4732
A CSRF vulnerability may allow attackers to toggle ticket bookmarks.
- CVE-2012-4734
If users follow a crafted URI and log in to RT, they may trigger actions which would ordinarily be blocked by the CSRF prevention logic.
- CVE-2012-6578, CVE-2012-6579, CVE-2012-6580, CVE-2012-6581
Several different vulnerabilities in GnuPG processing allow attackers to cause RT to improperly sign outgoing email.
- CVE-2012-4884
If GnuPG support is enabled, authenticated users can create arbitrary files as the web server user, which may enable arbitrary code execution.
Please note that if you run request-tracker3.8 under the Apache web server, you must stop and start Apache manually. The restart mechanism is not recommended, especially when using mod_perl.
For the stable distribution (squeeze), these problems have been fixed in version 3.8.8-7+squeeze6.
For the unstable distribution (sid), these problems have been fixed in version 4.0.7-2 of the request-tracker4 package.
We recommend that you upgrade your request-tracker3.8 packages.
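As an added example that is not part of the advisory, the following Python reproduces dpkg's Debian version ordering so an installed request-tracker3.8 version string can be checked against the fixed squeeze version 3.8.8-7+squeeze6; the sample version strings are constructed, and on a real host the installed value comes from `dpkg-query -W -f='${Version}' request-tracker3.8`.

```python
import re
from itertools import zip_longest

FIXED_SQUEEZE = "3.8.8-7+squeeze6"  # fixed squeeze version named in DSA-2567-1

def _order(c):
    # dpkg's character weight: '~' sorts before everything, then end-of-run,
    # then letters, then any other punctuation
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg's verrevcmp: walk both strings as alternating (non-digit, digit) runs;
    # non-digit runs compare character-wise by _order, digit runs numerically
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    # epoch precedes the first ':' (default 0); the Debian revision follows the last '-'
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(v1, v2):
    # negative, zero or positive as v1 is older than, equal to or newer than v2
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_fixed(installed, fixed=FIXED_SQUEEZE):
    # On a real host, take `installed` from: dpkg-query -W -f='${Version}' request-tracker3.8
    return compare_versions(installed, fixed) >= 0

if __name__ == "__main__":
    # constructed sample values, not taken from any real host
    for v in ("3.8.8-7", "3.8.8-7+squeeze5", "3.8.8-7+squeeze6", "3.8.8-7+squeeze10"):
        print(v, "fixed" if is_fixed(v) else "still vulnerable")
```

On a Debian host `dpkg --compare-versions` gives the same ordering; the pure-Python version only keeps the check runnable where dpkg is absent.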