request-tracker3.6, request-tracker3.8 -- several vulnerabilities

ID DSA-2220
Type debian
Reporter Debian
Modified 2011-04-19T00:00:00


Several vulnerabilities were discovered in Request Tracker, an issue tracking system.

If the external custom field feature is enabled, Request Tracker allows authenticated users to execute arbitrary code with the permissions of the web server, possible triggered by a cross-site request forgery attack. (External custom fields are disabled by default.)

Multiple SQL injection attacks allow authenticated users to obtain data from the database in an unauthorized way.

An information leak allows an authenticated privileged user to obtain sensitive information, such as encrypted passwords, via the search interface.

When running under certain web servers (such as Lighttpd), Request Tracker is vulnerable to a directory traversal attack, allowing attackers to read any files accessible to the web server. Request Tracker instances running under Apache or Nginx are not affected.

Request Tracker contains multiple cross-site scripting vulnerabilities.

Request Tracker enables attackers to redirect authentication credentials supplied by legitimate users to third-party servers.

For the oldstable distribution (lenny), these problems have been fixed in version 3.6.7-5+lenny6 of the request-tracker3.6 package.

For the stable distribution (squeeze), these problems have been fixed in version 3.8.8-7+squeeze1 of the request-tracker3.8 package.

For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 3.8.10-1 of the request-tracker3.8 package.

We recommend that you upgrade your Request Tracker packages.