-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2012.0494.4
                    request-tracker3.8 security update
                             17 September 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           request-tracker3.8
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account            
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4460 CVE-2011-4459 CVE-2011-4458
                   CVE-2011-2085 CVE-2011-2084 CVE-2011-2083
                   CVE-2011-2082 CVE-2011-0009 

Reference:         ESB-2011.0074

Original Bulletin: 
   http://www.debian.org/security/2012/dsa-2480

Revision History:  September 17 2012: The calendar popup page in Internet Explorer would be blocked by the CSRF protection mechanism.
                   June       8 2012: The recent security updates for request-tracker3.8, DSA-2480-1 & DSA-2480-2, contained another regression when running under mod_perl.
                   May       30 2012: The recent request-tracker3.8 update DSA-2480-1 introduced a regression which caused outgoing mail to fail when running under mod_perl.
                   May       25 2012: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-4                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
September 15, 2012                     http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : regression
Debian-specific: no

The security updates for request-tracker3.8, DSA-2480-1, DSA-2480-2,
and DSA-2480-3, contained minor regressions. Namely:

* The calendar popup page in Internet Explorer would be blocked by the
CSRF protection mechanism.
* Search results pages could not be shared without saving, sharing, and
then loading the search.
* rt-email-dashboards would fail with an error due to a call to an
undefined "interp" method.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually.  The "restart"
mechanism is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze5.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBUw7kACgkQYy49rUbZzloRmgCfRWU98a5Ug1c5HSGr9ltpRo17
hU8An0wDUZTxSnOEuHfScdRcmuCYB1aW
=BaTL
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-3                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
June 07, 2012                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : regression
Debian Bug     : 674924 675369

The recent security updates for request-tracker3.8, DSA-2480-1 and
DSA-2480-2, contained another regression when running under mod_perl.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually.  The "restart"
mechanism is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze4.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJP0PsjAAoJEL97/wQC1SS+7ecH/jFMGacquBz3fhvbfztCPYEH
DMlxTJLl9yUEOfZM0bXrnmJaTMRS0FVFdQnqJ/APzq6T0Hh4NG8N4H6KhH/8N1PU
uBRO6wVBxZ4Q81c5FZ9MmyXXkqv84j1Se1oqPnZTR9BJ+hFwRF19BzWifMVcE3SC
QzGyUOHJ/r/n52KaQP1YUQli+GZaG7RNlYBY34Zag2vuEXXheQyW++O/830mJvz6
M89FnXazM4NuByEm8wINlq5GkJ2+pYNzx8WWNw7rqzJWPiiqXeFPsTcAnUqHHJlA
aacZTM9prUuUDcZhtvUM+fLCWash5xJtYYNh4bIDSjO2JSJhLr50qLF47yB2yc0=
=CgeJ
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-2                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
May 29, 2012                           http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : regression
Problem type   : remote
Debian-specific: no

It was discovered that the recent request-tracker3.8 update,
DSA-2480-1, introduced a regression which caused outgoing mail to fail
when running under mod_perl.

Please note that if you run request-tracker3.8 under the Apache web
server, you must stop and start Apache manually.  The "restart"
mechanism is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze3.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJPxSLMAAoJEL97/wQC1SS+G3kH/Raa0U94IZOS/6CeabfnXXWh
APwy/SY2A8yWoEMcP4NnClwnElu6W/V6B+a3f7To0k7nOvM+kLWLBhAR2iNVaxqR
R0+X115GefhZ4RzDge7z2qoXz+zif/BycVrv5VX0XH7UA/9YtCJBRLiOo2jW8s/E
qB+YpHXVjm1op5aQqz+ihX7o67jZMxkkANleP5R0T5IMq0ilLXIOyNIjHK/ldxFf
jK18XGdN5RXqEBYBa9a45c+KVas8Dt5eaCZpXQhCrI/beBd075+dB30Rofl3WZVU
RI+zDoXiKoV3hXcG0YudM34rnbC9MrsknYg+OaGatRoPlnYlJRc0znUD2ikqXSw=
=8t9U
- -----END PGP SIGNATURE-----
- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - -------------------------------------------------------------------------
Debian Security Advisory DSA-2480-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
May 24, 2012                           http://www.debian.org/security/faq
- - - -------------------------------------------------------------------------

Package        : request-tracker3.8
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2011-2082 CVE-2011-2083 CVE-2011-2084 CVE-2011-2085 
                 CVE-2011-4458 CVE-2011-4459 CVE-2011-4460

Several vulnerabilities were discovered in Request Tracker, an issue
tracking system:

CVE-2011-2082

   The vulnerable-passwords scripts introduced for CVE-2011-0009
   failed to correct the password hashes of disabled users.

CVE-2011-2083

   Several cross-site scripting issues have been discovered.

CVE-2011-2084

   Password hashes could be disclosed by privileged users.

CVE-2011-2085

   Several cross-site request forgery vulnerabilities have been
   found. If this update breaks your setup, you can restore the old
   behaviour by setting $RestrictReferrer to 0.

CVE-2011-4458

   The code to support variable envelope return paths allowed the
   execution of arbitrary code.

CVE-2011-4459

   Disabled groups were not fully accounted as disabled.

CVE-2011-4460

   SQL injection vulnerability, only exploitable by privileged users.


For the stable distribution (squeeze), this problem has been fixed in
version 3.8.8-7+squeeze2.

For the unstable distribution (sid), this problem has been fixed in
version 4.0.5-3.

We recommend that you upgrade your request-tracker3.8 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk++cYMACgkQXm3vHE4uylokxACguQb84ehN2ODvrYW4Mr1CmOLY
XIkAoJ/DIybBV9MxZA7txyMDE56vsWeM
=+4ft
- - -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
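The advisories above give an administrator three things to act on: the fixed package version (3.8.8-7+squeeze5 for squeeze in DSA-2480-4), the instruction to stop and start Apache explicitly rather than "restart" when running under mod_perl, and the note in DSA-2480-1 that the new CSRF protection can be switched off by setting $RestrictReferrer to 0. The script below is an added example, not part of the Debian advisory or the AusCERT bulletin; it folds those three points into one host check. The version strings come from the advisory; the init script path /etc/init.d/apache2, the RT_SiteConfig.pm path, and the --check/--apply switches are assumptions for this example and can be overridden.

```shell
#!/bin/sh
# Added example, not part of the Debian advisory or the AusCERT bulletin.
# Checks a Debian squeeze host against DSA-2480-4 for request-tracker3.8:
#   1. is the installed package older than the fixed version 3.8.8-7+squeeze5?
#   2. has CSRF protection been switched off with $RestrictReferrer = 0
#      (the workaround DSA-2480-1 mentions for setups the update broke)?
# With --apply it upgrades the package and then stops and starts Apache
# explicitly, as the advisory requires instead of "restart" under mod_perl.
# Assumptions: sysvinit script at /etc/init.d/apache2, and the RT site config
# path below (override with RT_SITECONFIG=...).

FIXED_VERSION="3.8.8-7+squeeze5"                                           # from DSA-2480-4
RT_SITECONFIG="${RT_SITECONFIG:-/etc/request-tracker3.8/RT_SiteConfig.pm}"  # assumed path

# version_lt A B: succeed when Debian version string A sorts before B.
# dpkg's own comparison is authoritative; the sort -V fallback orders the
# "+squeezeN" revisions used in this advisory correctly.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" = "$2" ] && return 1
        lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
        [ "$lowest" = "$1" ]
    fi
}

# installed_version: print the installed request-tracker3.8 version, or nothing.
installed_version() {
    dpkg-query -W -f='${Version}' request-tracker3.8 2>/dev/null || true
}

# needs_update INSTALLED: succeed when INSTALLED is non-empty and below FIXED_VERSION.
needs_update() {
    [ -n "$1" ] || return 1
    version_lt "$1" "$FIXED_VERSION"
}

# csrf_protection_disabled FILE: succeed when FILE sets $RestrictReferrer to 0,
# i.e. the CSRF protection added for CVE-2011-2085 has been turned off.
csrf_protection_disabled() {
    grep -Eq '^[[:space:]]*Set\([[:space:]]*\$RestrictReferrer[[:space:]]*,[[:space:]]*0[[:space:]]*\)' "$1" 2>/dev/null
}

# apache_stop_start: stop Apache, wait (bounded) until every worker has exited,
# then start it. A plain "restart" can leave mod_perl workers running old code.
apache_stop_start() {
    /etc/init.d/apache2 stop
    i=0
    while pgrep -x apache2 >/dev/null 2>&1 && [ "$i" -lt 30 ]; do
        sleep 1
        i=$((i + 1))
    done
    /etc/init.d/apache2 start
}

main() {
    installed=$(installed_version)
    if [ -z "$installed" ]; then
        echo "request-tracker3.8 is not installed; nothing to do"
    elif needs_update "$installed"; then
        echo "installed $installed is below $FIXED_VERSION (DSA-2480-4)"
        if [ "${1:-}" = "--apply" ]; then
            apt-get update && apt-get install --only-upgrade request-tracker3.8
            apache_stop_start
        fi
    else
        echo "installed $installed includes the DSA-2480-4 fix"
    fi
    if csrf_protection_disabled "$RT_SITECONFIG"; then
        echo "WARNING: \$RestrictReferrer is 0 in $RT_SITECONFIG; CSRF protection is off"
    fi
}

# Only act when invoked with --check or --apply, so the file can also be
# sourced for its functions.
case "${1:-}" in
    --check|--apply) main "$1" ;;
esac
```

Run it as `sh check_rt_dsa2480.sh --check` to report only, or with `--apply` as root to upgrade and cycle Apache. The $RestrictReferrer check is there because the workaround in DSA-2480-1 silently removes the CSRF fix: a host that has been upgraded to squeeze5 but still carries `Set($RestrictReferrer, 0);` is not protected against CVE-2011-2085, and a package version check alone will not show that.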

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=PxKa
-----END PGP SIGNATURE-----