Debian Bug report logs - #1054517
request-tracker5: CVE-2023-41259 CVE-2023-41260 CVE-2023-45024
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 24 Oct 2023 20:48:01 UTC
Severity: important
Tags: security, upstream
Found in versions request-tracker5/5.0.3+dfsg-3~deb12u1, request-tracker5/5.0.3+dfsg-1, request-tracker5/5.0.4+dfsg-2
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>: Bug#1054517; Package src:request-tracker5. (Tue, 24 Oct 2023 20:48:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Tue, 24 Oct 2023 20:48:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: request-tracker5
Version: 5.0.4+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 5.0.3+dfsg-3~deb12u1
Control: found -1 5.0.3+dfsg-1
Hi Andrew, Dominic, Niko,
The following vulnerabilities were published for request-tracker5.
Filing it in BTS for visibility there, and for tracking status in the
various suites.
CVE-2023-41259[0]:
| RT is vulnerable to accepting unvalidated RT email headers in
| incoming email and the mail-gateway REST interface. This vulnerability
| is assigned CVE-2023-41259.
CVE-2023-41260[1]:
| RT is vulnerable to information leakage via response messages returned
| from requests sent via the mail-gateway REST interface. This vulnerability
| is assigned CVE-2023-41260.
CVE-2023-45024[2]:
| RT 5.0 is vulnerable to information leakage via transaction searches made by
| authenticated users in the transaction query builder. This vulnerability is
| assigned CVE-2023-45024. Thanks to edk and bakerst of Libera Chat for reporting
| this finding.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-41259
https://www.cve.org/CVERecord?id=CVE-2023-41259
[1] https://security-tracker.debian.org/tracker/CVE-2023-41260
https://www.cve.org/CVERecord?id=CVE-2023-41260
[2] https://security-tracker.debian.org/tracker/CVE-2023-45024
https://www.cve.org/CVERecord?id=CVE-2023-45024
[3] https://github.com/bestpractical/rt/releases/tag/rt-5.0.5
Regards,
Salvatore
Marked as found in versions request-tracker5/5.0.3+dfsg-3~deb12u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 24 Oct 2023 20:48:03 GMT)
Marked as found in versions request-tracker5/5.0.3+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 24 Oct 2023 20:48:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Oct 25 17:54:29 2023; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.