David,

This is only the second report we've had of this failure mode, but it _is_ the second report.

On Wed, Dec 09, 2009 at 10:50:48AM -0800, David Griffith wrote:
>
> Debian 5.0 upgraded fixed a session fixation vulnerability on December 1,
> 2009 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559020). It seems
> that when this happened, my installation now requires unprivileged users
> to log in twice.

What version of RT are you using? Have you customized it in any way? Are you using only RT's built-in authentication system?

> At the first login, the username and password fields are
> cleared and nothing seems to have happened. Put in the username and
> password a second time and the user is logged in. Sometimes if I try to
> log in as an unprivileged user, get put back to the login screen, then
> login as a privileged user, I get logged in with diminished privileges.

That sentence doesn't make much sense to me. Can you take another shot at it?

> Would someone please tell me what's going on? Maybe now would be a good
> time to upgrade to 3.8?

RT 3.8 is much better than what came before, but we'd certainly not like to have broken earlier releases with a security fix.

> --
> David Griffith
> [email protected]
>
> A: Because it fouls the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
>
> Community help: http://wiki.bestpractical.com
> Commercial support: [email protected]
>
>
> Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
> Buy a copy at http://rtbook.bestpractical.com
