[BSA-033] Security Update for request-tracker3.8
-----BEGIN PGP SIGNED MESSAGE-----
Jan Wagner uploaded new packages for request-tracker3.8 which fix the
following security problems:
If the external custom field feature is enabled, Request Tracker
allows authenticated users to execute arbitrary code with the
permissions of the web server, possibly triggered by a cross-site
request forgery attack, so a logged-in user can be made to fire it
without their knowledge. (External custom fields are disabled by
Multiple SQL injection vulnerabilities allow authenticated users to
read data from the database that they are not authorized to see.
An information leak allows an authenticated privileged user to
obtain sensitive information, such as encrypted passwords, via the
When running under certain web servers (such as Lighttpd), Request
Tracker is vulnerable to a directory traversal attack, allowing
attackers to read any files accessible to the web server. Request
Tracker instances running under Apache or Nginx are not affected.
Request Tracker contains multiple cross-site scripting
Request Tracker enables attackers to redirect authentication
credentials supplied by legitimate users to third-party servers.
For the lenny-backports distribution the problems have been fixed in
For the stable distribution (squeeze), these problems have been fixed
in version 3.8.8-7+squeeze1 of the request-tracker3.8 package.
For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 3.8.10-1 of the
If you don't use pinning (see ), you have to update the packages
manually via "apt-get -t lenny-backports install <packagelist>", where
<packagelist> is the list of installed packages affected by this update.
We recommend pinning the backports repository at priority 200 so that
newer versions of installed backports are installed automatically.
Pin: release a=lenny-backports
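The two steps above (pinning lenny-backports at priority 200 and working out
which installed packages need the "apt-get -t lenny-backports install"
treatment) as an added shell example. This is not part of the advisory or of
the Debian tooling; the preferences file path, the helper names and the
sample dpkg-query output are assumptions or constructed data.

```shell
#!/bin/sh
# Added example (not from the advisory): write the apt preferences stanza
# for lenny-backports and build the apt-get command for the installed
# binary packages that come from the request-tracker3.8 source package.
# Paths, helper names and sample data are assumptions/constructed.
set -eu

# Priority 200 sits above the 100 apt assigns to an installed version, so an
# installed backport is upgraded when the repository carries a newer one,
# but below the 500 of the release itself, so backports are not pulled in
# for packages that were never installed from there.
backports_pin_stanza() {
    cat <<'EOF'
Package: *
Pin: release a=lenny-backports
Pin-Priority: 200
EOF
}

# Write the stanza to an apt preferences file (default path is an assumption).
install_backports_pin() {
    backports_pin_stanza > "${1:-/etc/apt/preferences.d/lenny-backports}"
}

# Print the priority pinned for a release label (e.g. lenny-backports) in a
# preferences file; prints nothing if that release is not pinned.
pin_priority_for() {
    awk -v rel="$2" '
        /^Pin:/          { hit = ($0 ~ ("a=" rel "$")) }
        /^Pin-Priority:/ { if (hit) { print $2; exit } }
        /^$/             { hit = 0 }
    ' "$1"
}

# Given "binary source" lines on stdin, as produced on a live host by
#   dpkg-query -W -f='${Package} ${Source}\n'
# print the installed binaries built from request-tracker3.8. dpkg leaves
# ${Source} empty when it equals the binary name and may append a
# "(version)" suffix; both cases are handled.
affected_packages() {
    awk -v src="request-tracker3.8" '
        { pkg = $1; s = ($2 == "") ? $1 : $2 }
        s == src { print pkg }
    '
}

# Turn the affected package list on stdin into the upgrade command from
# the advisory, with <packagelist> filled in.
upgrade_command() {
    pkgs=$(affected_packages | tr '\n' ' ')
    printf 'apt-get -t lenny-backports install %s\n' "${pkgs% }"
}

# Constructed sample of dpkg-query output on a lenny host (not real data):
# two rt3.8-* binaries from request-tracker3.8, plus unrelated packages.
SAMPLE_DPKG_OUTPUT='request-tracker3.8
rt3.8-clients request-tracker3.8 (3.8.8-7~bpo50+1)
rt3.8-apache2 request-tracker3.8 (3.8.8-7~bpo50+1)
libdbd-pg-perl
apache2-mpm-prefork apache2 (2.2.9-10)'

# Stand-alone usage: show the command for the constructed sample. On a real
# host, pipe dpkg-query output into upgrade_command instead.
printf '%s\n' "$SAMPLE_DPKG_OUTPUT" | upgrade_command
```

After writing the pin, "apt-cache policy request-tracker3.8" should list the
lenny-backports version with priority 200; if it still shows 1 (the default
for a repository that is not the target release) the stanza was not picked up.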
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----