[request-tracker-maintainers] Bug#674032: Fwd: [rt-announce] Security vulnerabilities in RT

Stefan Hornburg (Racke) racke at linuxia.de
Tue May 22 16:43:13 UTC 2012 

package: request-tracker4
version: 4.0.5-2
tags: security
thanks

-------- Original Message --------
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on shelby.cobolt.net
X-Spam-Level:
X-Spam-Status: No, score=-10.5 required=5.0 tests=AWL,BAYES_00, RCVD_IN_DNSWL_HI autolearn=ham version=3.2.5
Received: from hipster.bestpractical.com ([136.248.126.165]) by shelby.cobolt.net with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <rt-announce-bounces at lists.bestpractical.com>) id 1SWqCg-0006eo-V9 for racke at linuxia.de; Tue, 22 May 2012 16:36:51 +0200
Received: from hipster.bestpractical.com (localhost [127.0.0.1]) by hipster.bestpractical.com (Postfix) with ESMTP id 5A622240374; Tue, 22 May 2012 10:35:34 -0400 (EDT)
X-Original-To: rt-announce at bestpractical.com
Delivered-To: rt-announce at hipster.bestpractical.com
Received: from [10.1.10.64] (75-147-59-54-NewEngland.hfc.comcastbusiness.net [75.147.59.54]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by hipster.bestpractical.com (Postfix) with ESMTPS id CE8A324028A for <rt-announce at bestpractical.com>; Tue, 22 May 2012 10:34:53 -0400 (EDT)
From: Alex Vandiver <alexmv at bestpractical.com>
To: rt-announce at bestpractical.com
Organization: Best Practical Solutions, LLC
Date: Tue, 22 May 2012 10:34:53 -0400
Message-ID: <1337697293.16298.1038.camel at umgah.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.2
X-Mailman-Approved-At: Tue, 22 May 2012 10:35:31 -0400
Subject: [rt-announce] Security vulnerabilities in RT
X-BeenThere: rt-announce at lists.bestpractical.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: <rt-announce.lists.bestpractical.com>
List-Unsubscribe: <http://lists.bestpractical.com/cgi-bin/mailman/options/rt-announce>, <mailto:rt-announce-request at lists.bestpractical.com?subject=unsubscribe>
List-Archive: <http://lists.bestpractical.com/pipermail/rt-announce>
List-Post: <mailto:rt-announce at lists.bestpractical.com>
List-Help: <mailto:rt-announce-request at lists.bestpractical.com?subject=help>
List-Subscribe: <http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce>, <mailto:rt-announce-request at lists.bestpractical.com?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1230035183=="
Sender: rt-announce-bounces at lists.bestpractical.com
Errors-To: rt-announce-bounces at lists.bestpractical.com

Internal audits of the RT codebase have uncovered a number of security
vulnerabilities in RT.  We are releasing versions 3.8.12 and 4.0.6 to
resolve these vulnerabilities, as well as patches which apply atop all
released versions of 3.8 and 4.0.


The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches
include the following:

The previously released tool to upgrade weak password hashes as part of
CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of
disabled users.  This release includes an updated version of the
`vulnerable-passwords` tool, which should be run again to upgrade the
remaining password hashes.  CVE-2011-2082 is assigned to this
vulnerability.

RT versions 3.0 and above contain a number of cross-site scripting (XSS)
vulnerabilities which allow an attacker to run JavaScript with the
user's credentials.  CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information
disclosure vulnerabilities.  This includes the ability for privileged
users to expose users' previous password hashes -- this vulnerability is
particularly dangerous given RT's weak hashing previous to the fix in
CVE-2011-0009.  A separate vulnerability allows privileged users to
obtain correspondence history for any ticket in RT.  CVE-2011-2084 is
assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site
request forgery (CSRF), in which a malicious website causes the browser
to make a request to RT as the currently logged in user.  This attack
vector could be used for information disclosure, privilege escalation,
and arbitrary execution of code.  Because some external integrations may
rely on RT's previously permissive functionality, we have included a
configuration option ($RestrictReferrer) to disable CSRF protection.  We
have also added an additional configuration parameter
($ReferrerWhitelist) to aid in exempting certain originating sites from
CSRF protections.  CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option
($RestrictLoginReferrer) to prevent login CSRF, a different class of
CSRF attack where the user is silently logged in using the attacker's
credentials.  $RestrictLoginReferrer defaults to disabled, because this
functionality's benign usage is more commonly relied upon and presents
less of a threat vector for RT than many other types of online
applications.

RT versions 3.6.1 and above are vulnerable to a remote execution of code
vulnerability if the optional VERP configuration options ($VERPPrefix
and $VERPDomain) are enabled.  RT 3.8.0 and higher are vulnerable to a
limited remote execution of code which can be leveraged for privilege
escalation.  RT 4.0.0 and above contain a vulnerability in the global
$DisallowExecuteCode option, allowing sufficiently privileged users to
still execute code even if RT was configured to not allow it.
CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect
rights that a user only has by way of a currently-disabled group.
CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack,
which allow privileged users to obtain arbitrary information from the
database.  CVE-2011-4460 is assigned to this vulnerability.


In addition to releasing RT versions 3.8.12 and 4.0.6 which address
these issues, we have also collected patches for all releases of 3.8 and 4.0
into a distribution available for download at this link:

http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz
http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz.asc

37e49809e28f1f48313a25b4abf3acd2e863fc26  security-2012-05-22.tar.gz
87be1fad89e078d49a146e8594eb64a78368b7cb  security-2012-05-22.tar.gz.asc


The README in the tarball contains instructions for applying the
patches.  If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales at bestpractical.com for more information.

  - Alex


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-request-tracker-maintainers/attachments/20120522/4e73eeba/attachment.pgp>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Attached Message Part
URL: <http://lists.alioth.debian.org/pipermail/pkg-request-tracker-maintainers/attachments/20120522/4e73eeba/attachment.ksh>

More information about the pkg-request-tracker-maintainers mailing list