Your message dated Thu, 21 Jul 2022 07:19:22 +0000
with message-id <e1oeqsw-0005pu...@fasolo.debian.org>
and subject line Bug#995167: fixed in request-tracker5 5.0.3+dfsg-1
has caused the Debian Bug report #995167,
regarding new upstream (5.0.2) [CVE-2021-38562]
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
995167: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995167
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: request-tracker5
Version: 5.0.1+dfsg-1
Severity: serious
Tags: security
Hi,
upstream has fixed the following issue in 5.0.2:
"In previous versions, RT's native login system is vulnerable to user
enumeration through a timing side-channel attack. This means an external
entity could try to find valid usernames by attempting logins and
comparing the time to evaluate each login attempt for valid and invalid
usernames. This vulnerability does not allow any access to the RT
system. This vulnerability is assigned CVE-2021-38562 and is fixed
in this release."
It would be nice if you could upgrade (or cherry-pick) that fix; please
also mention 'CVE-2021-38562' in the changelog when doing so.
Regards,
Daniel
--- End Message ---
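The user-enumeration timing leak quoted in the report above, as an added Python illustration (this is not RT's code): the vulnerable form returns early for unknown usernames and so skips the expensive password hash, while the hardened form always derives and compares a key, falling back to a dummy credential so that valid and invalid usernames cost the same work. The user store, the iteration count and the names are constructed for the example.

```python
"""Vulnerable vs hardened login check for user enumeration via timing."""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000   # constructed value, not RT's setting
hash_calls = 0         # instrumentation: expensive derivations performed


def derive(password: str, salt: bytes) -> bytes:
    """Slow password hash; counted so the work per attempt is visible."""
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (not RT data): username -> (salt, derived key)
_salt = os.urandom(16)
USERS = {"alice": (_salt, derive("correct horse battery", _salt))}

# Dummy credential derived once at startup and used for unknown usernames,
# so an attempt against a non-existent account does the same work.
_dummy_salt = os.urandom(16)
DUMMY = (_dummy_salt, derive(secrets.token_hex(16), _dummy_salt))


def login_vulnerable(username: str, password: str) -> bool:
    """Unknown users take the fast path: no hash work, a quicker reply."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(derive(password, salt), expected)


def login_hardened(username: str, password: str) -> bool:
    """Always derives a key and compares, whether or not the user exists."""
    salt, expected = USERS.get(username, DUMMY)
    candidate = derive(password, salt)
    match = hmac.compare_digest(candidate, expected)
    # The dummy key never matches a real login, but keep the explicit check.
    return match and username in USERS


def hash_work(fn, username: str, password: str) -> int:
    """Number of key derivations fn performs for a single login attempt."""
    global hash_calls
    before = hash_calls
    fn(username, password)
    return hash_calls - before
```

Measuring `hash_work` for a known and an unknown username shows the asymmetry the advisory describes (0 versus 1 derivation in the vulnerable form, 1 versus 1 in the hardened one).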
--- Begin Message ---
Source: request-tracker5
Source-Version: 5.0.3+dfsg-1
Done: Andrew Ruthven <and...@etc.gen.nz>
We believe that the bug you reported is fixed in the latest version of
request-tracker5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 995...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrew Ruthven <and...@etc.gen.nz> (supplier of updated request-tracker5
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 21 Jul 2022 17:06:28 +1200
Source: request-tracker5
Architecture: source
Version: 5.0.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Andrew Ruthven <and...@etc.gen.nz>
Changed-By: Andrew Ruthven <and...@etc.gen.nz>
Closes: 984676 985704 988905 995167
Changes:
request-tracker5 (5.0.3+dfsg-1) unstable; urgency=medium
.
  * New upstream release (Closes: #988905).
  * Drop patches merged upstream:
    - use_webpath_for_relateddata_links.diff
    - rt-crypt-gnupg-combine-call.diff
  * Ensure package descriptions consistently refer to version 5
    (Closes: #984676).
  * Ensure a sane database admin user is specified for both PostgreSQL
    and MySQL.
  * Only create symlinks for the DB upgrade scripts we ship (Closes: #985704).
  * Fixes a security vulnerability that involves a login timing side-channel
    attack. This resolves CVE-2021-38562 (Closes: #995167)
  * Update fix_test_ldap_ipv4.diff for new test
    t/externalauth/ldap_email_login.t
  * Add missing dependencies on dbconfig-{mysql,postgresql,sqlite3}.
  * Refresh debian/copyright
  * Fix multiple security issues:
    - [CVE-2022-25803] RT 5.0 is vulnerable to unvalidated, or open,
      redirects in ticket searches.
    - [CVE-2022-25802] A cross-site scripting (XSS) issue when displaying
      attachment content with fraudulent content types. This vulnerability
      is assigned
    - Not performing full rights checks on access to file or image type
      custom fields, possibly allowing access to these custom fields by
      users without rights to access to the associated objects (like the
      ticket it is associated with).
  * RT is incompatible with Test::WWW::Mechanize 1.58, exclude that version.
  * Update upstream signing key.
  * Update Standards-Version to 4.6.1 (no changes)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---