| Revision Date: | 2014-06-23 | Version: | 20 | | Title: | DSA-2220-1 request-tracker3.6, request-tracker3.8 -- several | | Description: | Several vulnerabilities were in Request Tracker, an issue tracking system. CVE-2011-1685 If the external custom field feature is enabled, Request Tracker allows authenticated users to execute arbitrary code with the permissions of the web server, possible triggered by a cross-site request forgery attack. CVE-2011-1686 Multiple SQL injection attacks allow authenticated users to obtain data from the database in an unauthorised way. CVE-2011-1687 An information leak allows an authenticated privileged user to obtain sensitive information, such as encrypted passwords, via the search interface. CVE-2011-1688 When running under certain web servers, Request Tracker is vulnerable to a directory traversal attack, allowing attackers to read any files accessible to the web server. Request Tracker instances running under Apache or Nginx are not affected. CVE-2011-1689 Request Tracker contains multiple cross-site scripting vulnerabilities. CVE-2011-1690 Request Tracker enables attackers to redirect authentication credentials supplied by legitimate users to third-party servers. | | Family: | unix | Class: | patch | | Status: | ACCEPTED | Reference(s): | CVE-2011-1685
CVE-2011-1686
CVE-2011-1687
CVE-2011-1688
CVE-2011-1689
CVE-2011-1690
DSA-2220-1
| | Platform(s): | Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
| Product(s): | request-tracker3.6
request-tracker3.6, request-tracker3.8
request-tracker3.8
| | Definition Synopsis | | Release section Debian GNU/Linux 5.0 is installed
AND Installed architecture is all
AND request-tracker3.6, request-tracker3.8 DPKG is earlier than 3.6.7-5+lenny6
OR Release section
Debian 6.0 is installed
AND GNU/Linux or GNU/kFreeBSD kernel
Debian GNU/Linux is installed
OR Debian GNU/kFreeBSD is installed
AND Installed architecture is all
AND request-tracker3.6, request-tracker3.8 DPKG is earlier than 3.8.8-7+squeeze1
|
|