
Re: Fixes for RT 3.x issue CVE-2011-0009



On Thu, January 20, 2011 09:28, Dominic Hargreaves wrote:
> On Tue, Jan 18, 2011 at 10:50:58PM +0000, Dominic Hargreaves wrote:
>> Sorry, I got the timing wrong. It's tomorrow, Wednesday, that I believe
>> the planned release is. I'll email both you and the stable release
>> managers after then and we'll see where people are best placed.
>
> This issue has now been released:
> <http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html>
>
> A proposed update for lenny is now sitting at
> svn+ssh://svn.debian.org/svn/pkg-request-tracker/packages/request-tracker3.6/branches/lenny-security
> and I'd like to get this fixed in lenny. The security team isn't sure
> whether they can fix this in a DSA or not at this stage, and suggested
> a stable update as a possibility.
>
> Please can either DSA or SRM let me know of their preferred option?
> The fix is ready to upload either way.

Thanks for your work on this. The issue boils down to the fact that
passwords are now hashed in md5 and they switched to sha256 with salt.
This is of course a good development but I don't think it's a security
issue directly, since you need to have some way to obtain those hashes in
the first place.

I would say that we update this through stable update, as it's a useful
hardening but current installations aren't in immediate danger.


Cheers,
Thijs


