Your message dated Tue, 21 Aug 2012 10:33:23 +0000
with message-id <e1t3llz-0003im...@franck.debian.org>
and subject line Bug#683288: fixed in rt-authen-externalauth 0.10-2
has caused the Debian Bug report #683288,
regarding rt-authen-externalauth: privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
683288: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rt-authen-externalauth
Severity: grave
Tags: security
Justification: user security hole
Hi,
a security issue has been found in the rt-authen-externalauth package. From
http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html:
----
RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are
vulnerable to an escalation of privilege attack where the URL of a RSS
feed of the user can be used to acquire a fully logged-in session as
that user. CVE-2012-2770 has been assigned to this vulnerability.
----
For Wheezy, please fix this with an isolated fix instead of updating to a
new upstream release (since the freeze is in effect).
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: rt-authen-externalauth
Source-Version: 0.10-2
We believe that the bug you reported is fixed in the latest version of
rt-authen-externalauth, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 683...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Tom Jampen <t...@cryptography.ch> (supplier of updated rt-authen-externalauth package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 10 Aug 2012 21:53:49 +0200
Source: rt-authen-externalauth
Binary: rt4-extension-authenexternalauth
Architecture: source i386
Version: 0.10-2
Distribution: unstable
Urgency: low
Maintainer: Tom Jampen <t...@cryptography.ch>
Changed-By: Tom Jampen <t...@cryptography.ch>
Description:
rt4-extension-authenexternalauth - External authentication module for request tracker 4
Closes: 683288
Changes:
rt-authen-externalauth (0.10-2) unstable; urgency=low
.
* Fixing typos in README.Debian.
* Adding patch from Alex Vandiver <a...@chmrr.net> to fix privilege escalation
bug (Closes: #683288).
Checksums-Sha1:
a7713698f2a20662208849b36b9425609e02a0d3 1316 rt-authen-externalauth_0.10-2.dsc
8818bfc4e5f5ae98652d5decb9a89ca3e65e1b5e 3436 rt-authen-externalauth_0.10-2.debian.tar.xz
62ed48372a8c7d9f894418d52af17a9b4c7ae7ef 28980 rt4-extension-authenexternalauth_0.10-2_i386.deb
Checksums-Sha256:
9ad9e308f51e678c0afba82168a5ce998602ba19e543d4f23ffaded82a6ca1dd 1316 rt-authen-externalauth_0.10-2.dsc
4772862609b3a56fb90ee86b11817422509147f101f2b90d5e7fd78b0b6f7e72 3436 rt-authen-externalauth_0.10-2.debian.tar.xz
26038ae6e6422ef8b19427946c638570af6d86419062a8863fcbd272af355b2f 28980 rt4-extension-authenexternalauth_0.10-2_i386.deb
Files:
b409f7ca00627c865ceaa9b51682c358 1316 perl optional rt-authen-externalauth_0.10-2.dsc
029173eddfa1f2d92947b7df4974097d 3436 perl optional rt-authen-externalauth_0.10-2.debian.tar.xz
2adf4e47a32cc25c22ae18bdb79414ec 28980 perl optional rt4-extension-authenexternalauth_0.10-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAlAzYEQACgkQ+C5cwEsrK540ygCfZqSMRcMpQpbPBV+F8F5X1T7f
roMAn03PTsS96ISr7rPsUwxJEzlpUQQ/
=BNyu
-----END PGP SIGNATURE-----
--- End Message ---