
request-tracker3.8: multiple vulnerabilities

Package(s): request-tracker3.8
CVE #(s): CVE-2011-2082, CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458, CVE-2011-4459, CVE-2011-4460
Created: May 25, 2012
Updated: September 17, 2012
Description:

From the Debian advisory:

CVE-2011-2082: The vulnerable-passwords scripts introduced for CVE-2011-0009 failed to correct the password hashes of disabled users.

CVE-2011-2083: Several cross-site scripting issues have been discovered.

CVE-2011-2084: Password hashes could be disclosed by privileged users.

CVE-2011-2085: Several cross-site request forgery vulnerabilities have been found. If this update breaks your setup, you can restore the old behaviour by setting $RestrictReferrer to 0.

CVE-2011-4458: The code to support variable envelope return paths allowed the execution of arbitrary code.

CVE-2011-4459: Disabled groups were not fully accounted as disabled.

CVE-2011-4460: SQL injection vulnerability, only exploitable by privileged users.
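The $RestrictReferrer setting named under CVE-2011-2085 turns on a Referer-based check on state-changing requests, and setting it to 0 turns that check off again. The Python function below is added here to show what such a check does and why the fallback should only be temporary; it is an illustration, not RT's own code, and RT's exact matching rules are not reproduced. The base URL, the whitelist (modelled on RT's $ReferrerWhitelist option, which the advisory does not mention and is assumed here) and the sample requests are all constructed.

```python
from urllib.parse import urlsplit

# Constructed example deployment; in RT the real value comes from RT_SiteConfig.pm.
RT_BASE_URL = "https://rt.example.org/rt"

# Hypothetical extra trusted origins, loosely modelled on RT's $ReferrerWhitelist.
TRUSTED_ORIGINS = ("https://helpdesk.example.org",)

# Methods that must not change state and therefore need no Referer check.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def _origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port.

    Comparing the whole origin tuple, rather than doing a string prefix match
    on the URL, is what stops "rt.example.org.attacker.example" from passing.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def referrer_allowed(method, referer, restrict_referrer=True,
                     base_url=RT_BASE_URL, whitelist=TRUSTED_ORIGINS):
    """Decide whether a request may proceed under a Referer-based CSRF check.

    restrict_referrer=False corresponds to the "$RestrictReferrer = 0" fallback
    named in the advisory: every request is accepted, including a POST forged
    from a page on another site, which is the old, CSRF-prone behaviour.
    """
    if not restrict_referrer:
        return True
    if method.upper() in SAFE_METHODS:
        return True
    # A missing Referer cannot be distinguished from a cross-site request, so it is
    # rejected. Proxies and browser privacy settings that strip the header are the
    # usual reason the check "breaks your setup".
    if not referer:
        return False
    origin = _origin(referer)
    if origin is None:
        return False
    allowed = {_origin(base_url)} | {_origin(u) for u in whitelist}
    return origin in allowed


if __name__ == "__main__":
    # Constructed requests: (method, Referer header value or None)
    samples = [
        ("POST", "https://rt.example.org/rt/Ticket/Display.html?id=1"),
        ("POST", "https://attacker.example/evil.html"),
        ("POST", "https://rt.example.org.attacker.example/"),
        ("POST", None),
        ("GET", None),
    ]
    for method, referer in samples:
        print(method, referer, "->",
              "allowed" if referrer_allowed(method, referer) else "rejected",
              "| with $RestrictReferrer=0 ->",
              "allowed" if referrer_allowed(method, referer, restrict_referrer=False)
              else "rejected")
```

The last column of the output is the point of the example: with the check disabled, the forged cross-site POST and the request with no Referer are both accepted, so an administrator who sets $RestrictReferrer to 0 to unbreak a proxy has reopened CVE-2011-2085 and should instead whitelist the legitimate origin.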

Alerts:
Debian DSA-2480-1 2012-05-24
Debian DSA-2480-2 2012-05-29
Fedora FEDORA-2012-8290 2012-06-01
Fedora FEDORA-2012-8363 2012-06-02
Fedora FEDORA-2012-8339 2012-06-02
Debian DSA-2480-3 2012-06-07
Debian DSA-2480-4 2012-09-15


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds