[request-tracker-maintainers] [alexmv at bestpractical.com: [Rt-announce] Security vulnerabilities in RT]

Dominic Hargreaves dom at earth.li
Thu Apr 14 14:13:47 UTC 2011


Fixes are in svn at

svn+ssh://svn.debian.org/svn/pkg-request-tracker/packages/request-tracker3.8/branches/squeeze
svn+ssh://svn.debian.org/svn/pkg-request-tracker/packages/request-tracker3.6/branches/lenny

and the security team have been prodded (initial notification went
out to them on Saturday). Hopefully they'll be able to push out a DSA
soon.

Dominic.

----- Forwarded message from Alex Vandiver <alexmv at bestpractical.com> -----

Date: Thu, 14 Apr 2011 09:59:18 -0400
From: Alex Vandiver <alexmv at bestpractical.com>
To: rt-announce at lists.bestpractical.com
Subject: [Rt-announce] Security vulnerabilities in RT
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
Resent-From: Dominic Hargreaves <dominic.hargreaves at oucs.ox.ac.uk>
Resent-Date: Thu, 14 Apr 2011 15:05:17 +0100
Resent-To: dom at larted.org.uk
X-Mailer: Evolution 2.30.3
X-Urchin-Spam-Score-Int: -41
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.2

In the process of preparing the release of RT 4.0.0, we performed an
extensive security audit of RT's source code.  During this audit,
several vulnerabilities were found which affect earlier releases of RT.
We are releasing versions 3.6.11, 3.8.10, and 4.0.0rc8 to resolve these
vulnerabilities, as well as patches which apply atop 3.6.10 and all
versions of RT 3.8.

RT versions 3.8.0 and above with the "external custom field" feature
enabled and configured are vulnerable to a remote code execution
vulnerability.  An authenticated user (either privileged or
unprivileged) can use this vulnerability to execute arbitrary code with
the permissions of the webserver; they may also be tricked into doing so
via cross-site request forgery (CSRF).  The external custom field option
is disabled by default; if you have not explicitly enabled
"CustomFieldValuesSources" in your RT configuration, your RT instance is
not vulnerable.  We have been assigned CVE-2011-1685 for this
vulnerability.

RT versions 2.0.0 and above are vulnerable to multiple SQL injection
attacks.  We do not believe these attacks to be capable of directly
inserting, altering or removing data from the database, but an
authenticated user (either privileged or unprivileged) could use them to
retrieve unauthorized ticket data.  Deployments since 3.6.0 are
additionally vulnerable to a more complex attack, which can be used by a
privileged user to retrieve arbitrary data from the database.  We have
been assigned CVE-2011-1686 for this vulnerability.

RT versions 3.0.0 and higher are vulnerable to an information leak
wherein an authenticated privileged user could gain sensitive
information, such as encrypted passwords, via the search interface.  We
have been assigned CVE-2011-1687 for this vulnerability.  This
vulnerability is particularly notable given RT's previous vulnerability
with insecure hashing (CVE-2011-0009).

RT versions 3.6.0 through 3.8.7, as well as 3.8.8 to a more limited
degree, are vulnerable to a malicious attacker tricking the user into
sending their authentication credentials to a third-party server.  We
have been assigned CVE-2011-1690 for this vulnerability.

RT versions 3.2.0 and above are vulnerable to a directory traversal
attack where an unauthenticated attacker can read any file which is
readable by the webserver.  While some servers (Apache, nginx) have
safeguards which mitigate this attack, preventing such traversals from
accessing files outside of RT's document root, many others (including
the standalone server provided with RT, plackup, starman, twiggy, and
lighttpd) are vulnerable to this exploit.  We have been assigned
CVE-2011-1688 for this vulnerability.
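The advisory credits Apache and nginx with a safeguard that the standalone servers lack: before a file is opened, the request path is normalized and refused if it resolves outside the document root. The following is an added illustration of that containment check, not code from RT or from Best Practical. The document root path and the sample request paths are constructed for the example; the function is a purely lexical check and does not touch the filesystem.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for illustration; a real RT install's path depends on its layout.
DOCROOT = "/opt/rt3/share/html"


def map_request_path(docroot, url_path):
    """Map a request path onto the filesystem below docroot.

    Returns the absolute file path to serve, or None when the request must be
    refused because it would resolve outside the document root. This is the
    kind of lexical containment check a front-end server such as Apache or
    nginx performs before any file is opened.
    """
    docroot = posixpath.normpath(docroot)
    prefix = docroot if docroot.endswith("/") else docroot + "/"
    # Percent-decode once so that "%2e%2e" is treated exactly like "..".
    decoded = unquote(url_path)
    # A NUL byte can truncate the path at a lower (C-level) layer; never pass one on.
    if "\x00" in decoded:
        return None
    # Anchor below docroot, then collapse "." and ".." segments lexically.
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    # Containment: the result must be docroot itself or something beneath it.
    if candidate != docroot and not candidate.startswith(prefix):
        return None
    return candidate


def is_traversal_attempt(url_path, docroot=DOCROOT):
    """Predicate for access-log review or alerting: True when a request escapes docroot."""
    return map_request_path(docroot, url_path) is None


if __name__ == "__main__":
    # Constructed sample requests: the first is legitimate, the others escape docroot.
    samples = [
        "/NoAuth/css/main.css",
        "/NoAuth/../../../../etc/passwd",
        "/NoAuth/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    ]
    for s in samples:
        print(f"{s!r:50} -> {map_request_path(DOCROOT, s)}")
```

This check is lexical only: on a real filesystem the served path should additionally be resolved with `os.path.realpath` before the containment test, so that a symlink under the document root cannot point outside it. It also decodes only once, so a server that decodes the URL a second time downstream would need the check repeated after that decode. For the RT instances in scope, the fix remains applying the vendor patches; the snippet shows the class of safeguard the advisory attributes to the front-end servers.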

RT versions 2.0.0 and above are vulnerable to javascript
cross-site-scripting vulnerabilities, which allow an attacker to run
javascript with the user's credentials.  We have been assigned
CVE-2011-1689 for this vulnerability.


In addition to releasing RT versions 3.6.11, 3.8.10, and 4.0.0rc8, we
have collected patches for 3.6.10 and all releases of 3.8 into a
distribution available for download at this link:

http://download.bestpractical.com/pub/rt/release/security-2011-04-14.tar.gz
http://download.bestpractical.com/pub/rt/release/security-2011-04-14.tar.gz.sig

7d09b1315785a90d915bdbc86da1a0c9bd017a03  security-2011-04-14.tar.gz
7898a45b15474641a0f9c381d0f6f58fb34afcc3  security-2011-04-14.tar.gz.sig

The README in the tarball contains instructions for applying the
patches.
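The announcement publishes SHA-1 checksums and a detached signature for the patch tarball. As an added example (not part of the announcement and not Best Practical's tooling), the following checks a downloaded file against the published checksums and then runs `gpg --verify` on the detached signature. It assumes `gpg` is installed and that the signing key is already present in the local keyring; the checksum table is copied verbatim from the announcement above.

```python
import hashlib
import subprocess
import sys

# SHA-1 checksums exactly as published in the announcement above.
PUBLISHED_SHA1 = {
    "security-2011-04-14.tar.gz": "7d09b1315785a90d915bdbc86da1a0c9bd017a03",
    "security-2011-04-14.tar.gz.sig": "7898a45b15474641a0f9c381d0f6f58fb34afcc3",
}


def sha1_hex(data):
    """Hex SHA-1 digest of an in-memory bytes object."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """Hex SHA-1 of a file, read in chunks so a large tarball is not loaded at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(name, digest_hex):
    """True when digest_hex equals the published checksum for name (False if unknown)."""
    expected = PUBLISHED_SHA1.get(name)
    return expected is not None and digest_hex.lower() == expected


def verify_download_bytes(name, data):
    """Check in-memory file contents against the published checksum."""
    return checksum_matches(name, sha1_hex(data))


def verify_download_file(name, path):
    """Check a file on disk against the published checksum."""
    return checksum_matches(name, sha1_of_file(path))


def signature_is_valid(tarball_path, sig_path):
    """Run gpg --verify on the detached signature; True only on exit status 0.

    gpg exits non-zero for a bad signature and also when the signing key is
    not in the keyring, so a False here means "do not trust", not "tampered".
    """
    result = subprocess.run(["gpg", "--verify", sig_path, tarball_path],
                            capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    # Usage: python verify_rt_patches.py /path/to/security-2011-04-14.tar.gz
    tarball = sys.argv[1]
    sig = tarball + ".sig"
    for name, path in (("security-2011-04-14.tar.gz", tarball),
                       ("security-2011-04-14.tar.gz.sig", sig)):
        print(f"{name}: checksum {'OK' if verify_download_file(name, path) else 'MISMATCH'}")
    print(f"signature: {'good' if signature_is_valid(tarball, sig) else 'NOT verified'}")
```

The checksum catches a truncated or corrupted download; it does not by itself prove who produced the tarball, since a SHA-1 value published on the same channel as the file would be replaced along with it. The signature check against a key obtained out of band is the step that establishes provenance, and a patch set should only be applied when both pass.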

If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support.  Please contact us at
sales at bestpractical.com for more information.

 - Alex




_______________________________________________
RT-Announce mailing list
RT-Announce at lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce


----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)