Your message dated Sat, 02 Oct 2021 11:02:21 +0000
with message-id <e1mwcmb-000feo...@fasolo.debian.org>
and subject line Bug#995175: fixed in request-tracker4 4.4.3-2+deb10u1
has caused the Debian Bug report #995175,
regarding request-tracker4: CVE-2021-38562
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
995175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: request-tracker5
Version: 5.0.1+dfsg-1
Severity: serious
Tags: security

Hi,

upstream has fixed the following issue in 5.0.2:

"In previous versions, RT's native login system is vulnerable to user enumeration through a timing side-channel attack. This means an external entity could try to find valid usernames by attempting logins and comparing the time to evaluate each login attempt for valid and invalid usernames. This vulnerability does not allow any access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed in this release."

It would be nice if you could upgrade (or cherry-pick) that fix; please also mention 'CVE-2021-38562' in the changelog when doing so.

Regards,
Daniel

--- End Message ---
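The upstream advisory quoted above describes the usual shape of a login timing side-channel: when a username is unknown, the login routine returns before doing the slow password hash, so unknown-user attempts answer measurably faster than known-user attempts. The following Python sketch is an added illustration, not RT's code and not the upstream patch: it shows that vulnerable early-return pattern beside the generic mitigation of always performing the same hash work and a constant-time comparison. The user store, usernames, passwords and PBKDF2 work factor are constructed for the demo.

```python
"""Login timing side-channel (username enumeration) and its usual mitigation.
Added example; not Request Tracker's code. Everything here is constructed."""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000          # PBKDF2 work factor; assumption, kept modest for the demo
STATS = {"hash_calls": 0}    # counts slow hash computations, to compare the two paths


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash. Skipping this for unknown users is what leaks."""
    STATS["hash_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(users: dict) -> dict:
    """Constructed in-memory store: username -> (salt, stored hash)."""
    db = {}
    for name, password in users.items():
        salt = os.urandom(16)
        db[name] = (salt, hash_password(password, salt))
    return db


def login_vulnerable(db: dict, username: str, password: str) -> bool:
    """Early return for unknown users: that path never runs the slow hash,
    so its response time is far shorter and reveals which usernames exist."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


# Dummy credential used so unknown-user attempts do the same work as known ones.
DUMMY_SALT = os.urandom(16)
DUMMY_PASSWORD = "dummy-password-never-accepted"
DUMMY_HASH = hash_password(DUMMY_PASSWORD, DUMMY_SALT)


def login_uniform(db: dict, username: str, password: str) -> bool:
    """Hash and compare in constant time whether or not the user exists, then
    fold in the existence bit so a match against the dummy hash never logs in."""
    record = db.get(username)
    user_exists = record is not None
    salt, stored = record if user_exists else (DUMMY_SALT, DUMMY_HASH)
    candidate = hash_password(password, salt)
    matches = hmac.compare_digest(candidate, stored)
    return bool(matches & user_exists)


def median_seconds(login, db: dict, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of one login attempt; only used by the demo printout."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(db, username, password)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


if __name__ == "__main__":
    demo_db = make_user_db({"alice": "correct horse battery staple"})
    for login in (login_vulnerable, login_uniform):
        known = median_seconds(login, demo_db, "alice", "wrong password")
        unknown = median_seconds(login, demo_db, "mallory", "wrong password")
        print(f"{login.__name__:17s} known={known * 1e3:7.2f} ms  unknown={unknown * 1e3:7.2f} ms")
```

Running the script prints the median time per attempt for a known and an unknown username under each routine; with `login_vulnerable` the unknown-user attempt is roughly as fast as a dictionary lookup, with `login_uniform` both take one PBKDF2 computation. Equalizing the hash work removes the dominant signal but not every one: the store lookup, any username normalization and database round-trips can still differ slightly, so the constant-work login is best paired with rate limiting and with logging of failed attempts, which is also how this kind of probing shows up in practice.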
--- Begin Message ---
Source: request-tracker4
Source-Version: 4.4.3-2+deb10u1
Done: Andrew Ruthven <and...@etc.gen.nz>

We believe that the bug you reported is fixed in the latest version of
request-tracker4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 995...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Ruthven <and...@etc.gen.nz> (supplier of updated request-tracker4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 30 Sep 2021 00:41:47 +1300
Source: request-tracker4
Architecture: source
Version: 4.4.3-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Request Tracker Group <pkg-request-tracker-maintain...@lists.alioth.debian.org>
Changed-By: Andrew Ruthven <and...@etc.gen.nz>
Closes: 995175
Changes:
 request-tracker4 (4.4.3-2+deb10u1) buster; urgency=medium
 .
   * Apply upstream patch which fixes a security vulnerability that involves a
     login timing side-channel attack. This resolves CVE-2021-38562
     (Closes: #995175)
Checksums-Sha1:
 3ad09155f56c859b407a0786f19cd3e43ba0f23f 5546 request-tracker4_4.4.3-2+deb10u1.dsc
 cbd22689d735484c83c20b94a2080d68b4f2e9a2 78476 request-tracker4_4.4.3-2+deb10u1.debian.tar.xz
 50f633cc9bb49419daa0d7344b11cee7e342b536 19027 request-tracker4_4.4.3-2+deb10u1_source.buildinfo
Checksums-Sha256:
 da313be992172e23fe4ffad92f239fcb44aff380d21c30f228cbfd56f70b99eb 5546 request-tracker4_4.4.3-2+deb10u1.dsc
 176cd61aead3122141282489d2b632a99860e641e3f6e7fceb28ab93eb49fae9 78476 request-tracker4_4.4.3-2+deb10u1.debian.tar.xz
 96859f9326042b462af921decc1bbe2f2bef5e032a411325b9cf80dacbcd9d62 19027 request-tracker4_4.4.3-2+deb10u1_source.buildinfo
Files:
 a68d8bb52277dc7e4395afffc4fd83c3 5546 misc optional request-tracker4_4.4.3-2+deb10u1.dsc
 0e94ceab069d6b190f0526dd6f89ef6f 78476 misc optional request-tracker4_4.4.3-2+deb10u1.debian.tar.xz
 2157f20473e56298a9fa3b7981d540ea 19027 misc optional request-tracker4_4.4.3-2+deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---