Your message dated Tue, 15 Sep 2009 23:32:12 +0000
with message-id <[email protected]>
and subject line Bug#546778: fixed in request-tracker3.6 3.6.9-1
has caused the Debian Bug report #546778,
regarding request-tracker3.6: XSS vulnerability when displaying Custom Field
values
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
546778: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546778
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: request-tracker3.6
Version: 3.6.7-5+lenny1
Severity: important
Tags: security patch
According to
http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000172.html
RT 3.6 contains a security problem which affects configurations
populating Custom Fields using untrusted data. A patch is provided.
--- End Message ---
--- Begin Message ---
Source: request-tracker3.6
Source-Version: 3.6.9-1
We believe that the bug you reported is fixed in the latest version of
request-tracker3.6, which is due to be installed in the Debian FTP archive:
request-tracker3.6_3.6.9-1.diff.gz
  to pool/main/r/request-tracker3.6/request-tracker3.6_3.6.9-1.diff.gz
request-tracker3.6_3.6.9-1.dsc
  to pool/main/r/request-tracker3.6/request-tracker3.6_3.6.9-1.dsc
request-tracker3.6_3.6.9-1_all.deb
  to pool/main/r/request-tracker3.6/request-tracker3.6_3.6.9-1_all.deb
request-tracker3.6_3.6.9.orig.tar.gz
  to pool/main/r/request-tracker3.6/request-tracker3.6_3.6.9.orig.tar.gz
rt3.6-apache2_3.6.9-1_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-apache2_3.6.9-1_all.deb
rt3.6-clients_3.6.9-1_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-clients_3.6.9-1_all.deb
rt3.6-db-mysql_3.6.9-1_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-db-mysql_3.6.9-1_all.deb
rt3.6-db-postgresql_3.6.9-1_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-db-postgresql_3.6.9-1_all.deb
rt3.6-db-sqlite_3.6.9-1_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-db-sqlite_3.6.9-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated request-tracker3.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 16 Sep 2009 00:07:42 +0100
Source: request-tracker3.6
Binary: request-tracker3.6 rt3.6-clients rt3.6-apache2 rt3.6-db-postgresql rt3.6-db-mysql rt3.6-db-sqlite
Architecture: source all
Version: 3.6.9-1
Distribution: unstable
Urgency: low
Maintainer: Debian Request Tracker Group <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
 request-tracker3.6 - Extensible trouble-ticket tracking system
 rt3.6-apache2 - Apache 2 specific files for request-tracker3.6
 rt3.6-clients - Mail gateway and command-line interface to request-tracker3.6
 rt3.6-db-mysql - MySQL database backend for request-tracker3.6
 rt3.6-db-postgresql - PostgreSQL database backend for request-tracker3.6
 rt3.6-db-sqlite - SQLite database backend for request-tracker3.6
Closes: 537079 546778
Changes:
 request-tracker3.6 (3.6.9-1) unstable; urgency=low
 .
   * New upstream release
     - Fix XSS security problem in custom field display (Closes: #546778)
   * Spanish debconf translation, thanks to Omar Campagne (Closes: #537079)
   * Update Standards-Version (no changes)
   * Add README.source
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFKsB9fYzuFKFF44qURAr7FAJ943/DIyHxeM27B2ss0yQvKJxe6AACfcilI
dGshlR/0j97d0MaygebkXn0=
=qBkA
-----END PGP SIGNATURE-----
--- End Message ---