UbuntuUpdates.org

Package "request-tracker3.8"

Name: request-tracker3.8

Description:

extensible trouble-ticket tracking system

Latest version: 3.8.11-1ubuntu0.1
Release: precise (12.04)
Level: security
Repository: universe

Links


Download "request-tracker3.8"


Other versions of "request-tracker3.8" in Precise

Repository Area Version
base universe 3.8.11-1
updates universe 3.8.11-1ubuntu0.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 3.8.11-1ubuntu0.1 2012-11-27 16:06:53 UTC

  request-tracker3.8 (3.8.11-1ubuntu0.1) precise-security; urgency=low

  [ Dominic Hargreaves ]
  * Multiple security fixes for:
    - XSS vulnerabilities (CVE-2011-2083)
    - information disclosure vulnerabilities including password hash
      exposure and correspondence disclosure to privileged users
      (CVE-2011-2084)
    - CSRF vulnerabilities allowing information disclosure,
      privilege escalation, and arbitrary code execution. Original
      behaviour may be restored by setting $RestrictReferrer to 0 for
      installations which rely on it (CVE-2011-2085)
    - remote code execution vulnerabilities including in VERP
      functionality (CVE-2011-4458)
  * Fix the vulnerable-passwords script to also upgrade password hashes
    for disabled users, and rerun the script in postinst (CVE-2011-2082)
  * Include clean-user-txns script to accompany the above fixes, and
    run in postinst
  * Provide specific instructions for restarting a mod_perl based
    Apache server

  [ Marc Deslauriers ]
  * debian/patches/60_misc_sec_regressions.dpatch: fix regression in
    rt-email-dashboards, and whitelist search results and calendar helper
    from CSRF protection
  * SECURITY UPDATE: Multiple security fixes (LP: #1004834):
    - Email header injection attack (CVE-2012-4730)
    - CSRF protection allows attack on bookmarks (CVE-2012-4732)
    - Confused deputy attack for non-logged-in users (CVE-2012-4734)
    - Multiple message signing/encryption attacks related to GnuPG
      (CVE-2012-4735)
    - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)
 -- Marc Deslauriers <email address hidden> Fri, 09 Nov 2012 15:08:36 -0500

1004834 Multiple security vulnerabilities in request-tracker3.8
CVE-2011-2083 Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allow remote attackers to in
CVE-2011-2084 Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users to read (1) hashes of former passwords and (2) ti
CVE-2011-2085 Multiple cross-site request forgery (CSRF) vulnerabilities in Best Practical Solutions RT before 3.8.12 and 4.x before 4.0.6 allow remote attackers to
CVE-2011-4458 Best Practical Solutions RT 3.6.x, 3.7.x, and 3.8.x before 3.8.12 and 4.x before 4.0.6, when the VERPPrefix and VERPDomain options are enabled, allows
CVE-2011-2082 The vulnerable-passwords script in Best Practical Solutions RT 3.x before 3.8.12 and 4.x before 4.0.6 does not update the password-hash algorithm for
CVE-2012-4730 Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote authenticated users with ModifySelf or AdminUser privileges to inject a
CVE-2012-4732 Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before
CVE-2012-4734 Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" attack to bypass the CSRF warn
CVE-2012-4884 Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to create arbitrary files



About   -   Send Feedback to @ubuntu_updates