-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2111
                      request-tracker4 security update
                               14 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           request-tracker4
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5475

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3335

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running request-tracker4 check for an updated version of the
         software for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3335-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 13, 2015                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : request-tracker4
CVE ID         : CVE-2015-5475

It was discovered that Request Tracker, an extensible trouble-ticket
tracking system, is susceptible to a cross-site scripting attack via the
user and group rights management pages (CVE-2015-5475) and via the
cryptography interface, allowing an attacker with a carefully-crafted key
to inject JavaScript into RT's user interface. Installations which use
neither GnuPG nor S/MIME are unaffected by the second cross-site scripting
vulnerability.

For the oldstable distribution (wheezy), these problems have been fixed in
version 4.0.7-5+deb7u4.
The oldstable distribution (wheezy) is only affected by CVE-2015-5475.

For the stable distribution (jessie), these problems have been fixed in
version 4.2.8-3+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 4.2.11-2.

We recommend that you upgrade your request-tracker4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVzJhOAAoJEAVMuPMTQ89Exc8P/3jiiaHi58Qd7XKfXtrhiZ9F
C151U/8ohyNmh1bPt2VaxJbKI+7/ILYqDzbuYNhrtDg8zgCcBN3O/kjpuJ7lEJo4
569osYurswsZTknZ3JND0BRazmkHUX4T4NFTMOB2DvsV/cpBy7tMvq4ZzHrMoned
If+NfyuU8FEJKpielUixulzNzowXGOEwsPp9RTEitRhzWnh5GjM92e+9fyFa4d94
Iy9yIMZkKhB3uxJWX52dxA8sqVzn6Q4Pz7IWbKrgccrEb3p7VYoJ72ehWI5sNR/J
FhRJhd09tn/kbl+c4BMG4awNZFLlRbGUsK6Dy0OWz5jdiUx4BF/7hyyJ6k3M/ZIT
wktinMGRPXcteOXt5VFPhCBkGSqnEUwejTUwwFpTcimQ9RPyMjvaYrmOiqVpRIMB
JaDhPVF9vXGvf6TwbLDio8TE1tdDvDupsf54jHYnJm6Xg/FuBJSn6Gu7A0FhWEsS
Viq5ROODuMbmyPdU3KVK9wEh3XLFyWr4HUvKFCInIA2fvc8X+i7Ysopfwm2AmgUl
LN0IYHsvoSTuvtAAUYzY9HaGXdJbRGZMNIje4jv66JqNNrWHr1aWgWXLQhjMZzF8
MNaRffl33jZQAA4Y2X1w0vou44PNxZjNhPp9MjnOkLpgy2CgiftO3jh2wv+kFWFu
VEgGCo6aTDpXbU/3nUL0
=Aes9
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVc01fX6ZAP0PgtI9AQIKsg/+NO0IUTxZ8fZfH0nNAWN71nrQFOh8DzkT
wLaeaLzaRmUJ+7WRECPafWPTk0Tx3eFniEQjgaPzb+na2wnRVOFl+SyCU8snLvem
oAsN7/fv8rLXE932MX26OGRjlxJflFJT0B8HRm//f8vPoCCLvfWf3ZZS7HBBSkJr
XsB9bJDLpYsx1HlrV7I3oS7ZuQ/feNNfgCnmmw0UKAAislYK2iEu0s/WiGREW60X
2AiQIyhvi906uQB3IAR2iB/W+PH5axE2hGilJR/DRS2iQ2KUY/4/LRdlC2GgiM4m
HLb0gqelU0/OuZW4yxD2ydgntkN3r+6PItueJ479qJXUTsypDFUpbX3yYb5yhfCE
Jhb3NHoNOuxkBe5GMJHS6pcwfhfuXKAFi2IymgoRmG5MMtPaDQekDWtQivcywgZ7
0enGKbX0bZ56mEh0Ih0bDNm6HCehhnqNkofX2MVgJ0LCnNSNfaqBnAsljiaXEDjN
MQVdcfXOZo3FNH2wkFIIxNhNX6Ka+2qZ4UepO5GsmyaDAg1inTYtUwP6vc8/fO4O
8ObmxRfzqHZ4d0p+Bm5N/Cyy9cL1abODezhyRxpLPibgsCUxC6UGwwH8fgMkSbUr
wlDuaAuelYi2jV1RELRs1P5KPJIfiBRsvbs4AYZFPCSNoBhXk+ZWMTv6CCRv8u7f
S1SkBkuUtBU=
=KxeG
-----END PGP SIGNATURE-----