
Re: [SECURITY] [DSA 1944-1] New request-tracker packages fix session hijack vulnerability



On Thu, Dec 03, 2009 at 10:04:51PM +1100, Steffen Joeris wrote:

> For the stable distribution (lenny), this problem has been fixed in
> version 3.6.7-5+lenny3.
> 
> For the oldstable distribution (etch), this problem has been fixed in
> version 3.6.1-4+etch1 of request-tracker3.6 and version 3.4.5-2+etch1
> of request-tracker3.4.
> 
> For the testing distribution (squeeze), this problem will be fixed soon.
> 
> For the unstable distribution (sid), this problem has been fixed in
> version 3.6.9-2.

Thanks for your work preparing the advisory and doing the release,
Steffen.

One small correction in the above: testing does not contain a 
vulnerable version of RT; RT 3.6 has been kept out of testing as it
is basically EOLed (and will be removed from unstable too once the
new rtfm package has matured a bit), and RT 3.8.6 which fixes this is
already in testing.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

