Your message dated Mon, 21 Sep 2009 01:57:14 +0000
with message-id <[email protected]>
and subject line Bug#546778: fixed in request-tracker3.6 3.6.7-5+lenny2
has caused the Debian Bug report #546778,
regarding request-tracker3.6: XSS vulnerability when displaying Custom Field values
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
546778: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546778
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: request-tracker3.6
Version: 3.6.7-5+lenny1
Severity: important
Tags: security patch

According to

http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000172.html

RT 3.6 contains a security problem which affects configurations
populating Custom Fields using untrusted data. A patch is provided.



--- End Message ---
--- Begin Message ---
Source: request-tracker3.6
Source-Version: 3.6.7-5+lenny2

We believe that the bug you reported is fixed in the latest version of
request-tracker3.6, which is due to be installed in the Debian FTP archive:

request-tracker3.6_3.6.7-5+lenny2.diff.gz
  to pool/main/r/request-tracker3.6/request-tracker3.6_3.6.7-5+lenny2.diff.gz
request-tracker3.6_3.6.7-5+lenny2.dsc
  to pool/main/r/request-tracker3.6/request-tracker3.6_3.6.7-5+lenny2.dsc
request-tracker3.6_3.6.7-5+lenny2_all.deb
  to pool/main/r/request-tracker3.6/request-tracker3.6_3.6.7-5+lenny2_all.deb
rt3.6-apache2_3.6.7-5+lenny2_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-apache2_3.6.7-5+lenny2_all.deb
rt3.6-clients_3.6.7-5+lenny2_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-clients_3.6.7-5+lenny2_all.deb
rt3.6-db-mysql_3.6.7-5+lenny2_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-db-mysql_3.6.7-5+lenny2_all.deb
rt3.6-db-postgresql_3.6.7-5+lenny2_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-db-postgresql_3.6.7-5+lenny2_all.deb
rt3.6-db-sqlite_3.6.7-5+lenny2_all.deb
  to pool/main/r/request-tracker3.6/rt3.6-db-sqlite_3.6.7-5+lenny2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated request-tracker3.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 19 Sep 2009 14:50:08 +0100
Source: request-tracker3.6
Binary: request-tracker3.6 rt3.6-clients rt3.6-apache2 rt3.6-db-postgresql rt3.6-db-mysql rt3.6-db-sqlite
Architecture: source all
Version: 3.6.7-5+lenny2
Distribution: stable
Urgency: low
Maintainer: Debian Request Tracker Group <[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description: 
 request-tracker3.6 - Extensible trouble-ticket tracking system
 rt3.6-apache2 - Apache 2 specific files for request-tracker3.6
 rt3.6-clients - Mail gateway and command-line interface to request-tracker3.6
 rt3.6-db-mysql - MySQL database backend for request-tracker3.6
 rt3.6-db-postgresql - PostgreSQL database backend for request-tracker3.6
 rt3.6-db-sqlite - SQLite database backend for request-tracker3.6
Closes: 546778
Changes: 
 request-tracker3.6 (3.6.7-5+lenny2) stable; urgency=low
 .
   * Security fix: escape custom field values before display to prevent
     XSS attack (Closes: #546778)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKtOIkYzuFKFF44qURAjx+AKDCzqTjqbxaV/qC4hWIdrfUzU+C9gCeOISW
1+RRunv2Tnr5lKMPGdx/lhs=
=tQXM
-----END PGP SIGNATURE-----



--- End Message ---
