[request-tracker-maintainers] Bug#674558: Security upgrade for request-tracker3.8 (DSA-2480) regression: Invalid escape flag: j
Elmar S. Heeb
heeb at phys.ethz.ch
Fri May 25 12:28:22 UTC 2012
Package: request-tracker3.8
Version: 3.8.8-7+squeeze2
Severity: grave
Justification: renders package unusable
After the security upgrade of DSA-2480 our request tracker stopped
working. The browser shows "Invalid escape flag: j" for any URL.

To reproduce this bug I installed a fresh Debian host with 64-bit squeeze
(using VirtualBox) and then the packages:

apache2 2.2.16-6+squeeze7
mysql-server 5.1.61-0+squeeze1
request-tracker3.8 3.8.8-7+squeeze1

I made sure I got a proper RT login page before doing the security
upgrade and I did. I then upgraded request-tracker3.8 to
3.8.8-7+squeeze2. After that the RT login page only shows:

Invalid escape flag: j

Incidentally, while preparing this bug report with reportbug I got the
following error message:

The package bug script /usr/share/bug/request-tracker3.8/script exited
with an error status (return code = 256). Do you still want to file a
report? [y|N|q|?]? y

Regards, -- Elmar

-- Package-specific info:
Changed files:
-- System Information:
Debian Release: 6.0.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF8)
Shell: /bin/sh linked to /bin/dash
Versions of packages request-tracker3.8 depends on:
ii dbconfig-common 1.8.46+squeeze.0 common framework for packaging dat
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii exim4 4.72-6+squeeze2 metapackage to ease Exim MTA (v4)
ii exim4-daemon-light [ma 4.72-6+squeeze2 lightweight Exim MTA (v4) daemon
ii libapache-session-perl 1.87-1 Perl modules for keeping persisten
ii libcache-simple-timede 0.27-2 Perl module to cache and expire ke
ii libcalendar-simple-per 1.21-1 module for producing simple calend
ii libcgi-fast-perl 5.10.1-17squeeze3 CGI::Fast Perl module
ii libcgi-pm-perl 3.49-1squeeze1 module for Common Gateway Interfac
ii libclass-returnvalue-p 0.55-1 A return-value object that lets yo
ii libcss-squish-perl 0.09-1 module to compact many CSS files i
ii libdata-ical-perl 0.16+dfsg-1 Perl module for manipulating iCale
ii libdbi-perl 1.612-1 Perl Database Interface (DBI)
ii libdbix-searchbuilder- 1.56-1 Perl implementation of a simple OR
ii libdevel-stacktrace-pe 1.2100-1 Perl module containing stack trace
ii libemail-address-perl 1.889-2 RFC 2822 Address Parsing and Creat
ii libfcgi-procmanager-pe 0.18-2 Functions for managing FastCGI app
ii libfile-sharedir-perl 1.00-0.1 Locate per-dist and per-module sha
ii libgd-graph-perl 1.44-3 Graph Plotting Module for Perl 5
ii libgd-text-perl 0.86-5 Text utilities for use with GD
ii libgnupg-interface-per 0.42-3 Perl interface to GnuPG
ii libgraphviz-perl 2.04-1 Perl interface to the GraphViz gra
ii libhtml-mason-perl 1:1.44-1 HTML::Mason Perl module
ii libhtml-parser-perl 3.66-1 collection of modules that parse H
ii libhtml-rewriteattribu 0.03-1 concise attribute rewriting
ii libhtml-scrubber-perl 0.08-4 Perl extension for scrubbing/sanit
ii libipc-run-safehandles 0.02-1 Use IPC::Run and IPC::Run3 safely
ii libjs-prototype 1.6.1-1 JavaScript Framework for dynamic w
ii libjs-scriptaculous 1.8.3-1 JavaScript library for dynamic web
ii liblocale-maketext-fuz 0.10-1 Maketext from already interpolated
ii liblocale-maketext-lex 0.82-1 lexicon-handling backends for Loca
ii liblog-dispatch-perl 2.22-1 Dispatches messages to multiple Lo
ii libmailtools-perl 2.06-1 Manipulate email in perl programs
ii libmime-tools-perl [li 5.428-1 Perl5 modules for MIME-compliant m
ii libmime-types-perl 1.30-1 Perl extension for determining MIM
ii libmodule-versions-rep 1.06-1 Report versions of all modules in
ii libperlio-eol-perl 0.14-1+b1 PerlIO layer for normalizing line
ii libregexp-common-perl 2010010201-1 module with common regular express
ii libtext-autoformat-per 1.669002-1 module for automatic text wrapping
ii libtext-quoted-perl 2.06-1 Perl module to extract the structu
ii libtext-template-perl 1.45-1 Text::Template perl module
ii libtext-wikiformat-per 0.78-1 translates Wiki formatted text int
ii libtext-wrapper-perl 1.02-1 Simple word wrapping routine
ii libtime-modules-perl 2006.0814-2 Various Perl modules for time/date
ii libtimedate-perl 1.2000-1 collection of modules to manipulat
ii libtree-simple-perl 1.18-1 A simple tree object
ii libuniversal-require-p 0.13-1 Load modules from a variable
ii libxml-rss-perl 1.48-1 Perl module for managing RSS (RDF
ii libxml-simple-perl 2.18-3 Perl module for reading and writin
ii perl [libdigest-sha-pe 5.10.1-17squeeze3 Larry Wall's Practical Extraction
ii perl-modules [libcgi-p 5.10.1-17squeeze3 Core Perl modules
ii rsyslog [system-log-da 4.6.4-2 enhanced multi-threaded syslogd
ii rt3.8-apache2 3.8.8-7+squeeze2 Apache 2 specific files for reques
ii rt3.8-clients 3.8.8-7+squeeze2 mail gateway and command-line inte
ii rt3.8-db-sqlite 3.8.8-7+squeeze2 SQLite database backend for reques
ii ucf 3.0025+nmu1 Update Configuration File: preserv
Versions of packages request-tracker3.8 recommends:
ii cron [cron-daemon] 3.0pl1-116 process scheduling daemon
ii libdatetime-locale-perl 1:0.45-1 Perl extension providing localizat
ii libdatetime-perl 2:0.6100-2 module for manipulating dates, tim
ii speedy-cgi-perl 2.22-13 speed up perl scripts by making th
Versions of packages request-tracker3.8 suggests:
pn rt3.8-rtfm <none> (no description available)
-- debconf information:
* request-tracker3.8/organization: vagrant-debian-squeeze64.vagrantup.com
request-tracker3.8/pgsql/no-empty-passwords:
request-tracker3.8/pgsql/authmethod-user: password
* request-tracker3.8/handle-siteconfig-permissions: true
request-tracker3.8/install-error: abort
* request-tracker3.8/correspondaddress: rt at vagrant-debian-squeeze64.vagrantup.com
request-tracker3.8/dbconfig-remove:
request-tracker3.8/mysql/method: unix socket
request-tracker3.8/install-cronjobs:
request-tracker3.8/upgrade-error: abort
request-tracker3.8/mysql/admin-user: root
request-tracker3.8/remote/port:
request-tracker3.8/dbconfig-reinstall: false
request-tracker3.8/db/dbname: rtdb
request-tracker3.8/pgsql/changeconf: false
request-tracker3.8/dbconfig-upgrade: true
request-tracker3.8/missing-db-package-error: abort
request-tracker3.8/pgsql/method: unix socket
* request-tracker3.8/dbconfig-install: true
request-tracker3.8/purge: false
request-tracker3.8/pgsql/authmethod-admin: ident
request-tracker3.8/pgsql/manualconf:
* request-tracker3.8/webpath: /rt
request-tracker3.8/remove-error: abort
request-tracker3.8/upgrade-backup: true
request-tracker3.8/warn-sqlite-file:
request-tracker3.8/db/basepath: /var/lib/dbconfig-common/sqlite3/request-tracker3.8
request-tracker3.8/internal/skip-preseed: false
request-tracker3.8/remote/newhost:
request-tracker3.8/pgsql/admin-user: postgres
request-tracker3.8/db/app-user: rtuser
* request-tracker3.8/webbaseurl: http://vagrant-debian-squeeze64.vagrantup.com
request-tracker3.8/remote/host:
* request-tracker3.8/rtname: dumbledore.ethz.ch
request-tracker3.8/internal/reconfiguring: false
* request-tracker3.8/commentaddress: rt-comment at vagrant-debian-squeeze64.vagrantup.com
request-tracker3.8/passwords-do-not-match:
* request-tracker3.8/database-type: sqlite3