package request-tracker3.8
retitle 614575 request-tracker3.8: CVE-2011-1007: Back button attacks
retitle 614576 request-tracker3.8: CVE-2011-1008: Scrip information leakage
forwarded 614575 http://issues.bestpractical.com/Ticket/Display.html?id=15804
thanks
Just filling in some administrivia based on
http://permalink.gmane.org/gmane.comp.security.oss.general/4243
http://permalink.gmane.org/gmane.comp.security.oss.general/4247

On Tue, Feb 22, 2011 at 11:44:03AM +0000, Dominic Hargreaves wrote:
> Package: request-tracker3.8
> Version: 3.8.8-7
> Severity: important
> Tags: security
>
> The following appears in the changelog of 3.8.9:
>
> * Redirect users to their desired pages after login.
>   This prevents possible back button attacks after a user logs out.

This has been assigned CVE-2011-1007. The base patch was
https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4
but, as discussed in
http://permalink.gmane.org/gmane.comp.security.oss.general/4247
this breaks RT-Authen-ExternalAuth and was augmented by other changes on
the same branch later. A targeted fix should be discussed with
<secur...@bestpractical.com>, as requested by Thomas Sibley in the above
message.

On Tue, Feb 22, 2011 at 11:46:04AM +0000, Dominic Hargreaves wrote:
> Package: request-tracker3.8
> Version: 3.8.8-7
> Severity: important
> Tags: security
>
> The following appears in the changelog of 3.8.9:
>
> * Clone Scrip's TicketObj since we change the CurrentUser and it can leak
>   information (Custom field values, etc)

This has been assigned CVE-2011-1008. A patch is
https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3
but again, upstream requests coordination for targeted fixes in
http://permalink.gmane.org/gmane.comp.security.oss.general/4247

I don't have the time to drive this further myself; I just noticed the
thread at oss-security.

-- 
Niko Tyni nt...@debian.org