Your message dated Fri, 01 Oct 2021 20:38:49 +0000
with message-id <e1mwpiv-000473...@fasolo.debian.org>
and subject line Bug#995175: fixed in request-tracker4 4.4.4+dfsg-3
has caused the Debian Bug report #995175,
regarding request-tracker4: CVE-2021-38562
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
995175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: request-tracker5
Version: 5.0.1+dfsg-1
Severity: serious
Tags: security

Hi,

upstream has fixed the following issue in 5.0.2:

"In previous versions, RT's native login system is vulnerable to user enumeration through a timing side-channel attack. This means an external entity could try to find valid usernames by attempting logins and comparing the time to evaluate each login attempt for valid and invalid usernames. This vulnerability does not allow any access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed in this release."

It would be nice if you could upgrade (or cherry-pick) that fix. Please also mention 'CVE-2021-38562' in the changelog when doing so.

Regards,
Daniel

--- End Message ---
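The class of flaw described in the report above, shown as an added example that is not RT's code and not the upstream patch: a login routine that skips the password hash for unknown usernames does less work than one that always hashes. All names here (USERS, login_leaky, login_uniform, hash_work) are hypothetical, the user record is constructed, and work is counted in hash calls rather than measured in time so the result is deterministic.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # assumed cost factor for the example
hash_calls = 0        # counts expensive password-hash computations


def _hash(password: str, salt: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample account store and a throwaway record for unknown users.
USERS = {"alice": make_record("correct horse")}
DUMMY = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False  # early return: no hash is computed, so the reply is faster
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def login_uniform(username: str, password: str) -> bool:
    rec = USERS.get(username)
    # Unknown users are checked against the dummy record, so the same
    # hash cost is paid whether or not the username exists.
    salt, stored = rec if rec is not None else DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    return matches and rec is not None


def hash_work(login, username: str) -> int:
    """Number of expensive hashes one failed login attempt costs."""
    before = hash_calls
    login(username, "wrong password")
    return hash_calls - before
```
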
--- Begin Message ---
Source: request-tracker4
Source-Version: 4.4.4+dfsg-3
Done: Niko Tyni <nt...@debian.org>

We believe that the bug you reported is fixed in the latest version of
request-tracker4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 995...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <nt...@debian.org> (supplier of updated request-tracker4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Oct 2021 22:13:21 +0300
Source: request-tracker4
Architecture: source
Version: 4.4.4+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Request Tracker Group <pkg-request-tracker-maintain...@lists.alioth.debian.org>
Changed-By: Niko Tyni <nt...@debian.org>
Closes: 985141 995175
Changes:
 request-tracker4 (4.4.4+dfsg-3) unstable; urgency=medium
 .
   [ Andrew Ruthven ]
   * Specify correct branch in d/upstream/metadata
   * Ensure a sane database admin user is specified (Closes: #985141)
   * Apply upstream patch which fixes a security vulnerability that involves a
     login timing side-channel attack. This resolves CVE-2021-38562
     (Closes: #995175)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
