OSV: DSA-2480-3
request-tracker3.8 - regression
Published: 2012-09-15 (source: Google osv.dev)
EPSS: 0.066 (93.8th percentile)

Several vulnerabilities were discovered in Request Tracker, an issue
tracking system:

  • CVE-2011-2082
    The vulnerable-passwords scripts introduced for CVE-2011-0009
    failed to correct the password hashes of disabled users.
  • CVE-2011-2083
    Several cross-site scripting issues have been discovered.
  • CVE-2011-2084
    Password hashes could be disclosed to privileged users.
  • CVE-2011-2085
    Several cross-site request forgery vulnerabilities have been
    found. If this update breaks your setup, you can restore the old
    behaviour by setting $RestrictReferrer to 0; note that this turns
    the new referrer-based CSRF protection off again, so treat it as a
    temporary fallback rather than a permanent setting.
  • CVE-2011-4458
    The code supporting variable envelope return paths (VERP) allowed
    the execution of arbitrary code.
  • CVE-2011-4459
    Disabled groups were not treated as fully disabled.
  • CVE-2011-4460
    SQL injection vulnerability, only exploitable by privileged
    users.
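
The $RestrictReferrer option mentioned under CVE-2011-2085 is RT's referrer check against cross-site request forgery. The RT_SiteConfig.pm fragment below is an added example, not text from the advisory or code from the RT project: it shows the weak fallback the advisory describes beside the preferable alternative of keeping the check enabled and whitelisting the extra host:port pairs that legitimately reach RT. @ReferrerWhitelist is upstream's companion option from the same fix (RT 3.8.10 / 4.0); the file path, hostnames and ports are assumptions for illustration, and you should confirm both options appear in the RT_Config.pm shipped by your package before relying on them.

```perl
# /etc/request-tracker3.8/RT_SiteConfig.pm  (Debian site config; path assumed)
# Added example for this advisory, not code from Debian or the RT project.

# WEAK: disables the referrer check entirely and re-exposes RT's
# state-changing requests to cross-site request forgery (CVE-2011-2085).
# Only as a last-resort rollback if the update breaks your setup.
# Set($RestrictReferrer, 0);

# PREFERRED: keep the check on (the post-update default) and list the
# host:port pairs through which RT is legitimately reached, for example
# a second vhost name or an SSO redirector. Hostnames/ports are assumed.
Set($RestrictReferrer, 1);
Set(@ReferrerWhitelist, qw(rt.example.org:443 tickets.example.org:443));

1;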

Please note that if you run request-tracker3.8 under the Apache web server,
you must stop and start Apache manually after the upgrade. The restart
mechanism is not recommended, especially when using mod_perl.

For the stable distribution (squeeze), these problems have been fixed in
version 3.8.8-7+squeeze5.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.5-3.

We recommend that you upgrade your request-tracker3.8 packages.