Bug#690664: [request-tracker-maintainers] Freeze exception for RT 4.0.7?
On Tue, Oct 16, 2012 at 09:38:24AM +0100, Dominic Hargreaves wrote:
> On Wed, Oct 10, 2012 at 11:57:38PM +0200, Julien Cristau wrote:
> > Looks generally ok, although the js changes are annoyingly large. It's
> > getting late, but much of that is my fault, so if you still want this in
> > feel free to upload.
>
> Thanks. Please unblock:
>
> unblock request-tracker4/4.0.7-1

It's now

unblock request-tracker4/4.0.7-2

and this includes some security fixes:

Changes:
 request-tracker4 (4.0.7-2) unstable; urgency=high
 .
   * Multiple security fixes for:
     - Email header injection attack (CVE-2012-4730)
     - Missing rights checking for Articles (CVE-2012-4731)
     - CSRF protection allows attack on bookmarks (CVE-2012-4732)
     - Confused deputy attack for non-logged-in users (CVE-2012-4734)
     - Multiple message signing/encryption attacks related to GnuPG
       (CVE-2012-4735)
     - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)