Your message dated Sat, 02 Oct 2021 11:02:08 +0000
with message-id <e1mwcmo-000fzd...@fasolo.debian.org>
and subject line Bug#995175: fixed in request-tracker4 4.4.4+dfsg-2+deb11u1
has caused the Debian Bug report #995175,
regarding request-tracker4: CVE-2021-38562
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
995175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: request-tracker5
Version: 5.0.1+dfsg-1
Severity: serious
Tags: security
Hi,
upstream has fixed the following issue in 5.0.2:
"In previous versions, RT's native login system is vulnerable to user
enumeration through a timing side-channel attack. This means an external
entity could try to find valid usernames by attempting logins and
comparing the time to evaluate each login attempt for valid and invalid
usernames. This vulnerability does not allow any access to the RT
system. This vulnerability is assigned CVE-2021-38562 and is fixed
in this release."
It would be nice if you could upgrade (or cherry-pick) that fix; please
also mention 'CVE-2021-38562' in the changelog when doing so.
Regards,
Daniel
--- End Message ---
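The user-enumeration timing side channel quoted in the report above, shown as an added example in Python rather than RT's Perl (this is not the upstream patch or any RT code): a login routine that returns early for unknown usernames beside one that hashes against a dummy record so both code paths do the same work. The user store, credentials and `timing_gap` self-check are constructed for the demo.

```python
import hashlib
import hmac
import os
import statistics
import time

# Constructed user store for the demo (not RT's schema): name -> (salt, PBKDF2 hash).
ITERATIONS = 100_000

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, derive("correct horse", _SALT))}

# Throwaway record hashed for unknown usernames so every attempt costs the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("placeholder", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> bool:
    """Returns early for unknown users, so those attempts skip the slow hash:
    the response time alone reveals whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)

def login_constant_work(username: str, password: str) -> bool:
    """Hashes against a dummy record when the user is unknown and compares in
    constant time, so valid and invalid usernames take the same path."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(derive(password, salt), stored)
    return matched and record is not None

def timing_gap(login, rounds: int = 5) -> float:
    """Median seconds a failed attempt for a known user takes beyond one for an
    unknown user; near zero means no enumeration signal (self-check for the fix)."""
    def median_time(user: str) -> float:
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(user, "wrong password")
            samples.append(time.perf_counter() - start)
        return statistics.median(samples)
    return median_time("alice") - median_time("nobody")

if __name__ == "__main__":
    print(f"gap leaky={timing_gap(login_leaky):.4f}s constant={timing_gap(login_constant_work):.4f}s")
```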
--- Begin Message ---
Source: request-tracker4
Source-Version: 4.4.4+dfsg-2+deb11u1
Done: Andrew Ruthven <and...@etc.gen.nz>
We believe that the bug you reported is fixed in the latest version of
request-tracker4, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 995...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrew Ruthven <and...@etc.gen.nz> (supplier of updated request-tracker4
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 29 Sep 2021 23:28:05 +1300
Source: request-tracker4
Architecture: source
Version: 4.4.4+dfsg-2+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Request Tracker Group
<pkg-request-tracker-maintain...@lists.alioth.debian.org>
Changed-By: Andrew Ruthven <and...@etc.gen.nz>
Closes: 995175
Changes:
request-tracker4 (4.4.4+dfsg-2+deb11u1) bullseye; urgency=medium
.
* Apply upstream patch which fixes a security vulnerability that involves a
login timing side-channel attack. This resolves CVE-2021-38562
(Closes: #995175)
--- End Message ---