Your message dated Tue, 03 Mar 2015 21:01:46 +0100
with message-id <[email protected]>
and subject line Re: Bug#779658: unblock: request-tracker4/4.2.8-3
has caused the Debian Bug report #779658,
regarding unblock: request-tracker4/4.2.8-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
779658: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779658
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package request-tracker4. It fixes multiple
security issues.

unblock request-tracker4/4.2.8-3

Debdiff:
diff -Nru request-tracker4-4.2.8/debian/changelog 
request-tracker4-4.2.8/debian/changelog
--- request-tracker4-4.2.8/debian/changelog     2015-01-01 17:47:33.000000000 
+0100
+++ request-tracker4-4.2.8/debian/changelog     2015-02-26 11:05:27.000000000 
+0100
@@ -1,3 +1,11 @@
+request-tracker4 (4.2.8-3) unstable; urgency=high
+
+  * Fix remote DoS via email gateway (CVE-2014-9472)
+  * Fix information discloure revealing RSS feed URLs (CVE-2015-1165)
+  * Fix privilege escalation via RSS feed URLs (CVE-2015-1464)
+
+ -- Dominic Hargreaves <[email protected]>  Thu, 26 Feb 2015 10:05:25 +0000
+
 request-tracker4 (4.2.8-2) unstable; urgency=medium
 
   [ Niko Tyni ]
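Review bot: typo in the CVE-2015-1165 entry: "information discloure" should be "information disclosure". The three entries otherwise match the three patches appended to debian/patches/series, and urgency=high is the right choice for a security-only upload.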
diff -Nru request-tracker4-4.2.8/debian/.git-dpm 
request-tracker4-4.2.8/debian/.git-dpm
--- request-tracker4-4.2.8/debian/.git-dpm      2015-01-01 17:46:41.000000000 
+0100
+++ request-tracker4-4.2.8/debian/.git-dpm      2015-02-19 17:43:53.000000000 
+0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-559785c4e88364b835823521a0e1648db985b05e
-559785c4e88364b835823521a0e1648db985b05e
+5324f915dd17ae61679a97226cd9fce35934cc7b
+5324f915dd17ae61679a97226cd9fce35934cc7b
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 21890d09947710ac3f48ddd306fe5b6a50f5bbe9
 request-tracker4_4.2.8.orig.tar.gz
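Review bot: consistency check only, nothing to change: the patched-tree pointer moves to 5324f915dd17ae61679a97226cd9fce35934cc7b, which is the commit id in the header of the last patch in the series (sec-2015-02-05-3.diff), while the upstream pointer 21890d09947710ac3f48ddd306fe5b6a50f5bbe9 and the orig tarball name are unchanged, as expected for a patch-only upload.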
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff 
request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff 1970-01-01 
01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-1.diff 2015-02-19 
17:43:53.000000000 +0100
@@ -0,0 +1,30 @@
+From d9cbc2f4f4df2b75e4527c2fb4f19dc087a1655e Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <[email protected]>
+Date: Mon, 1 Dec 2014 16:58:43 -0500
+Subject: Hide utf8 warnings during attempted decoding
+
+EncodeFromToWithCroak is used to exploratorily attempt to decode unknown
+byte strings.  This operation, under Encode::FB_DEFAULT, may generate
+warnings -- lots of warnings.  This can lead to denial of service in
+some situations.  This vulnerability has been assigned CVE-2014-9472.
+
+Unfortunately, "no warnings 'utf8'" does not work to quiet them until
+Encode 2.64; simply skip warnings of this type in the logging handler.
+
+Patch-Name: sec-2015-02-05-1.diff
+---
+ lib/RT.pm |    1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/RT.pm b/lib/RT.pm
+index 803d54b..3aa7542 100644
+--- a/lib/RT.pm
++++ b/lib/RT.pm
+@@ -374,6 +374,7 @@ sub InitSignalHandlers {
+ ## mechanism (see above).
+ 
+     $SIG{__WARN__} = sub {
++        return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not 
be portable/;
+         # use 'goto &foo' syntax to hide ANON sub from stack
+         unshift @_, $RT::Logger, qw(level warning message);
+         goto &Log::Dispatch::log;
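Review bot: the added line is wrapped in this mail (the regex continues on a following line `be portable/;` that has no leading `+`), so the hunk as displayed would not apply; confirm the patch file carries `return if $_[0] and $_[0] =~ /^Code point \S+ is not Unicode, may not be portable/;` on a single line. Separately, the filter sits in the process-wide `$SIG{__WARN__}` handler rather than around the exploratory decode in EncodeFromToWithCroak, so it drops every warning with that text anywhere in RT; a one-line comment in lib/RT.pm pointing at CVE-2014-9472 and at the Encode 2.64 limitation given in the commit message would tell the next reader why a logger-side filter is used instead of `no warnings 'utf8'` at the call site.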
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff 
request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff 1970-01-01 
01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-2.diff 2015-02-19 
17:43:53.000000000 +0100
@@ -0,0 +1,46 @@
+From af54a6d17773f5c9f8f785c8ccd9d1067679ce77 Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <[email protected]>
+Date: Fri, 30 Jan 2015 15:03:16 -0500
+Subject: Prevent text content from being interpreted as HTML by RSS clients
+
+The ->Content method is used to obtain the data to use in the RSS
+<description> tag.  However, most RSS feed readers display the contents
+of the <description> tag using a HTML rendering engine; this allows
+textual content to be mistakenly rendered as HTML.  This specifically
+includes links, which RSS readers may not hide the "Referer" header of,
+exposing the RSS feed URL and thus allowing for information disclosure.
+This vulnerability has been assigned CVE-2015-1165.
+
+Escape the textual content so that it is not interpreted as HTML by RSS
+readers.  This is suprior to requesting ->Content( Type => "text/html" )
+because it is guaranteed to not contain links, and thus not suffer from
+the above Referer disclosure.
+
+Patch-Name: sec-2015-02-05-2.diff
+---
+ share/html/Search/Elements/ResultsRSSView |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView 
b/share/html/Search/Elements/ResultsRSSView
+index 45e7369..7381ba7 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -128,10 +128,17 @@ $r->content_type('application/rss+xml; charset=utf-8');
+     while ( my $Ticket = $Tickets->Next()) {
+         my $creator_str = $Ticket->CreatorObj->Format;
+         $creator_str =~ s/[\r\n]//g;
++
++        # Get the plain-text content; it is interpreted as HTML by RSS
++        # readers, so it must be escaped (and is escaped _again_ when
++        # inserted into the XML).
++        my $content = $Ticket->Transactions->First->Content;
++        $content = $m->interp->apply_escapes( $content, 'h');
++
+         $rss->add_item(
+           title       =>  $Ticket->Subject || loc('No Subject'),
+           link        => $url . "Ticket/Display.html?id=".$Ticket->id,
+-          description => $Ticket->Transactions->First->Content,
++          description => $content,
+           dc          => { creator => $creator_str,
+                            date => $Ticket->CreatedObj->RFC2822,
+                          },
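Review bot: `description` is now HTML-escaped before XML::RSS escapes it again for XML, which is the intended double escape (the reader decodes the XML layer and then sees literal `&lt;` text rather than markup), but `title` on the line above still passes `$Ticket->Subject` through unescaped. If feed readers render `<title>` with the same HTML engine, a subject containing a link carries the same Referer exposure the description had; consider applying the same `apply_escapes(..., 'h')` to the subject, or state in the commit message why title is exempt. Minor: "suprior" in the message should be "superior".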
diff -Nru request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff 
request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff
--- request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff 1970-01-01 
01:00:00.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/sec-2015-02-05-3.diff 2015-02-19 
17:43:53.000000000 +0100
@@ -0,0 +1,54 @@
+From 5324f915dd17ae61679a97226cd9fce35934cc7b Mon Sep 17 00:00:00 2001
+From: Alex Vandiver <[email protected]>
+Date: Mon, 2 Feb 2015 12:24:56 -0500
+Subject: Never place the temporary current user in the session
+
+Setting $session{'CurrentUser'} to a different user opens a window
+wherein if the request can be aborted, the client will be left with a
+session for the other user.  This allows escalation from knowing an RSS
+feed link (which is generally just information disclosure) into full
+login privileges, which may allow for arbitrary execution of code.
+
+Patch-Name: sec-2015-02-05-3.diff
+---
+ share/html/Search/Elements/ResultsRSSView |   11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/share/html/Search/Elements/ResultsRSSView 
b/share/html/Search/Elements/ResultsRSSView
+index 7381ba7..176da8d 100644
+--- a/share/html/Search/Elements/ResultsRSSView
++++ b/share/html/Search/Elements/ResultsRSSView
+@@ -46,7 +46,7 @@
+ %#
+ %# END BPS TAGGED BLOCK }}}
+ <%INIT>
+-my $old_current_user;
++my $current_user = $session{CurrentUser};
+ 
+ if ( $m->request_comp->path =~ RT->Config->Get('WebNoAuthRegex') ) {
+     my $path = $m->dhandler_arg;
+@@ -76,13 +76,11 @@ if ( $m->request_comp->path =~ 
RT->Config->Get('WebNoAuthRegex') ) {
+       unless $user->ValidateAuthString( $auth,
+               $ARGS{Query} . $ARGS{Order} . $ARGS{OrderBy} );
+ 
+-    $old_current_user = $session{'CurrentUser'};
+-    my $cu               = RT::CurrentUser->new;
+-    $cu->Load($user);
+-    $session{'CurrentUser'} = $cu;
++    $current_user = RT::CurrentUser->new;
++    $current_user->Load($user);
+ }
+ 
+-my $Tickets = RT::Tickets->new($session{'CurrentUser'});
++my $Tickets = RT::Tickets->new($current_user);
+ $Tickets->FromSQL($ARGS{'Query'});
+ if ($OrderBy =~ /\|/) {
+     # Multiple Sorts
+@@ -147,7 +145,6 @@ $r->content_type('application/rss+xml; charset=utf-8');
+     }
+ 
+ $m->out($rss->as_string);
+-$session{'CurrentUser'} = $old_current_user if $old_current_user;
+ $m->abort();
+ </%INIT>
+ <%ARGS>
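Review bot: the removed restore line `$session{'CurrentUser'} = $old_current_user if $old_current_user;` was conditional, so on a NoAuth request with no prior session user the temporary user was never restored even when the request completed normally; keeping the feed user in the lexical `$current_user` and passing it only to `RT::Tickets->new` closes that case as well as the abort window the message describes. Two follow-ups: the commit message does not cite CVE-2015-1464 although the changelog attributes this patch to it, so add the identifier there; and confirm that nothing else run by this component during the request (the per-ticket formatting in the loop, `loc()`, or the `$m->abort()` path) reads `$session{'CurrentUser'}`, since the session now keeps the original user while the ticket search runs as the feed owner.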
diff -Nru request-tracker4-4.2.8/debian/patches/series 
request-tracker4-4.2.8/debian/patches/series
--- request-tracker4-4.2.8/debian/patches/series        2015-01-01 
17:46:41.000000000 +0100
+++ request-tracker4-4.2.8/debian/patches/series        2015-02-19 
17:43:53.000000000 +0100
@@ -10,3 +10,6 @@
 debianize_UPGRADING-4.2.diff
 font_path.diff
 assettracker-sysgroups.diff
+sec-2015-02-05-1.diff
+sec-2015-02-05-2.diff
+sec-2015-02-05-3.diff
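Review bot: ordering looks right and must be preserved: sec-2015-02-05-2.diff and sec-2015-02-05-3.diff both touch share/html/Search/Elements/ResultsRSSView and their index lines chain (45e7369..7381ba7, then 7381ba7..176da8d), so swapping them would make the third patch fail to apply; no change needed.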


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
On 2015-03-03 18:16, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Please unblock package request-tracker4. It fixes multiple
> security issues.
> 
> unblock request-tracker4/4.2.8-3
> 
> [...]
> 
> 

Unblocked, thanks.

~Niels

--- End Message ---