[request-tracker-maintainers] Bug#533069: request-tracker3.8: ShowConfigTab unintentionally grants rights intended for SuperUsers
Dominic Hargreaves
dom at earth.li
Sun Jun 14 14:08:05 UTC 2009

Package: request-tracker3.8
Version: 3.8.2-1
Severity: important
Tags: patch,security

RT 3.8.4 was released this week with a fix for a minor security issue:

"The most important fix is that RT now requires the SuperUser
right to edit global RT at a Glance. In all previous 3.8
releases, the "ShowConfigTab" right unintentionally enabled this.
If you have not granted this right to any non-administrative user,
then this issue should not affect you."

http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000170.html

A short patch is included with the release.