Re: [SECURITY] [DSA 1944-1] New request-tracker packages fix session hijack vulnerability
On Thu, Dec 03, 2009 at 10:04:51PM +1100, Steffen Joeris wrote:
> For the stable distribution (lenny), this problem has been fixed in
> version 3.6.7-5+lenny3.
>
> For the oldstable distribution (etch), this problem has been fixed in
> version 3.6.1-4+etch1 of request-tracker3.6 and version 3.4.5-2+etch1
> of request-tracker3.4.
>
> For the testing distribution (squeeze), this problem will be fixed soon.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.6.9-2.

Thanks for your work preparing the advisory and doing the release,
Steffen.

One small correction in the above: testing does not contain a
vulnerable version of RT; RT 3.6 has been kept out of testing as it
is basically EOLed (and will be removed from unstable too once the
new rtfm package has matured a bit), and RT 3.8.6 which fixes this is
already in testing.

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)