Your message dated Wed, 20 Apr 2011 01:55:51 +0000
with message-id <[email protected]>
and subject line Bug#614576: fixed in request-tracker3.8 3.8.8-7+squeeze1
has caused the Debian Bug report #614576,
regarding request-tracker3.8: CVE-2011-1008: Scrip information leakage
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
614576: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: request-tracker3.8
Version: 3.8.8-7
Severity: important
Tags: security
The following appears in the changelog of 3.8.9:
* Clone Scrip's TicketObj since we change the CurrentUser and it can leak
information (Custom field values, etc)
This may warrant an update in s-p-u.
--- End Message ---
--- Begin Message ---
Source: request-tracker3.8
Source-Version: 3.8.8-7+squeeze1
We believe that the bug you reported is fixed in the latest version of
request-tracker3.8, which is due to be installed in the Debian FTP archive:
request-tracker3.8_3.8.8-7+squeeze1.diff.gz
to main/r/request-tracker3.8/request-tracker3.8_3.8.8-7+squeeze1.diff.gz
request-tracker3.8_3.8.8-7+squeeze1.dsc
to main/r/request-tracker3.8/request-tracker3.8_3.8.8-7+squeeze1.dsc
request-tracker3.8_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/request-tracker3.8_3.8.8-7+squeeze1_all.deb
rt3.8-apache2_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-apache2_3.8.8-7+squeeze1_all.deb
rt3.8-clients_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-clients_3.8.8-7+squeeze1_all.deb
rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
to main/r/request-tracker3.8/rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <[email protected]> (supplier of updated request-tracker3.8
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 14 Apr 2011 08:55:14 +0100
Source: request-tracker3.8
Binary: request-tracker3.8 rt3.8-clients rt3.8-apache2 rt3.8-db-postgresql
rt3.8-db-mysql rt3.8-db-sqlite
Architecture: source all
Version: 3.8.8-7+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Request Tracker Group
<[email protected]>
Changed-By: Dominic Hargreaves <[email protected]>
Description:
request-tracker3.8 - extensible trouble-ticket tracking system
rt3.8-apache2 - Apache 2 specific files for request-tracker3.8
rt3.8-clients - mail gateway and command-line interface to request-tracker3.8
rt3.8-db-mysql - MySQL database backend for request-tracker3.8
rt3.8-db-postgresql - PostgreSQL database backend for request-tracker3.8
rt3.8-db-sqlite - SQLite database backend for request-tracker3.8
Closes: 614576
Changes:
request-tracker3.8 (3.8.8-7+squeeze1) stable-security; urgency=high
.
* Security fix: fix information leakage in scrips (Closes: 614576;
CVE-2011-1008)
* Multiple security fixes for:
- Remote code execution in external custom fields (CVE-2011-1685)
- Information disclosure via SQL injection (CVE-2011-1686)
- Information disclosure via search interface (CVE-2011-1687)
- Information disclosure via directory traversal (CVE-2011-1688)
- User javascript execution via XSS vulnerability (CVE-2011-1689)
- Authentication credentials theft (CVE-2011-1690)
Checksums-Sha1:
ad823570406581796e6312f1016d188225057778 1632
request-tracker3.8_3.8.8-7+squeeze1.dsc
be3ac598dcbf584f9bcd9a49248a9ccd3affb330 5109734
request-tracker3.8_3.8.8.orig.tar.gz
442bc7dfd8a46e1b034ae41a8505f17036183080 83370
request-tracker3.8_3.8.8-7+squeeze1.diff.gz
144014473a8f3b1b224e7950a4186aa561b9dfb4 4656416
request-tracker3.8_3.8.8-7+squeeze1_all.deb
267277fd65f83e2e8567d2616cb387e01f714eae 47020
rt3.8-clients_3.8.8-7+squeeze1_all.deb
0608364eb70e163515c3921f1f42aabbeac461d3 12450
rt3.8-apache2_3.8.8-7+squeeze1_all.deb
06041598f589105a3bbe03bade37470256e0230d 11134
rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
5e3aea667516da514a9a90501073e98d93aafa79 11134
rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
b8222869f3a915fbe5f49c9a473f0b59d207ae1f 11226
rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
Checksums-Sha256:
b5d3cfa8409b2c66df4f434705ab99af9e31c20684ea75b77dd14e5be1d0130a 1632
request-tracker3.8_3.8.8-7+squeeze1.dsc
d3932febc5b3fa1da1168713f305a095ea6b40dd22d508849471e6637ba04c02 5109734
request-tracker3.8_3.8.8.orig.tar.gz
f3713dc51a6dbb0e5a445626a462efdd29c4850fd1a7ced46d07fa4a8a53df8a 83370
request-tracker3.8_3.8.8-7+squeeze1.diff.gz
beec7ee70ccbaed7d616dc54988d36c03fb5137548f5ee3863e0f596c3557ae1 4656416
request-tracker3.8_3.8.8-7+squeeze1_all.deb
ec8ff0be77210063f840d5ad2ae720817ad235fcf86d651881c159c6d81cde00 47020
rt3.8-clients_3.8.8-7+squeeze1_all.deb
fbd183972df1a3c30f6314d3c3b0373be22d6dfd811edd3bc8c0db8c79f077dd 12450
rt3.8-apache2_3.8.8-7+squeeze1_all.deb
a83d45436c3fd9cc39d47a3d68bd3d10c266785ff9b502afcc6cf028ecf79d9d 11134
rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
00cafd445840905337c499855f76374d5179a864e3ece372f6f420c9b0e63b12 11134
rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
deb075b3ce94babb4c274310f5a9142bcad878bac2fcf92ed7fa73bae50159e6 11226
rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
Files:
89060935bb2e4552dcec70205480f315 1632 misc optional
request-tracker3.8_3.8.8-7+squeeze1.dsc
de062840ce6e2fdb323d77dddf8ff485 5109734 misc optional
request-tracker3.8_3.8.8.orig.tar.gz
30a52734a3aac6914591d3115707666c 83370 misc optional
request-tracker3.8_3.8.8-7+squeeze1.diff.gz
d677ce379af31b287a816e499a4561e9 4656416 misc optional
request-tracker3.8_3.8.8-7+squeeze1_all.deb
b11befa7a21f6d039a408adf62c524c5 47020 misc optional
rt3.8-clients_3.8.8-7+squeeze1_all.deb
6935f7973dd67f4456af062c8aecf4bc 12450 misc optional
rt3.8-apache2_3.8.8-7+squeeze1_all.deb
c199403b24b5e9e3c41b2d3b49412426 11134 misc optional
rt3.8-db-postgresql_3.8.8-7+squeeze1_all.deb
81d4715c06630ee391040e74e799f285 11134 misc optional
rt3.8-db-mysql_3.8.8-7+squeeze1_all.deb
4575725abd5cf5e7648ea6fb51b9d88f 11226 misc optional
rt3.8-db-sqlite_3.8.8-7+squeeze1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFNrbAfYzuFKFF44qURAtmxAJ9KVXwf7Mlu8d7eQs+R3ezKoH7/YACgnK0B
ZrycySH+GaSAyOMFgOBMyGM=
=A+fr
-----END PGP SIGNATURE-----
--- End Message ---