rt3.8-rtfm: multiple XSS vulnerabilities in RTFM

Related Vulnerabilities: CVE-2012-2768  

Debian Bug report logs - #683290


Package: rt3.8-rtfm; Maintainer for rt3.8-rtfm is (unknown);

Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Mon, 30 Jul 2012 15:09:04 UTC

Severity: important

Fixed in version rtfm/2.4.2-4+squeeze1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>:
Bug#683290; Package rt3.8-rtfm. (Mon, 30 Jul 2012 15:09:06 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>. (Mon, 30 Jul 2012 15:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rt3.8-rtfm: multiple XSS vulnerabilities in RTFM
Date: Mon, 30 Jul 2012 17:05:47 +0200
Package: rt3.8-rtfm
Severity: important

Hi,

Multiple cross-site scripting (XSS) vulnerabilities were found in RTFM.
From
http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html:

----
RT::FM versions 2.0.4 through 2.4.3, inclusive, are vulnerable to
multiple cross-site scripting (XSS) attacks in the topic administration
page. CVE-2012-2768 has been assigned to this vulnerability. This
release also includes updates for compatibility with RT 3.8.12. As RT
4.0 and above bundle RT::FM's functionality, and resolved this
vulnerability in RT 4.0.6, this update is only applicable to
installations of RT 3.8.
----

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sat, 04 Aug 2012 23:33:03 GMT)


Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Fri, 31 Aug 2012 19:21:06 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Fri, 31 Aug 2012 19:21:06 GMT)


Message #12 received at 683290-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 683290-close@bugs.debian.org
Subject: Bug#683290: fixed in rtfm 2.4.2-4+squeeze1
Date: Fri, 31 Aug 2012 19:17:04 +0000
Source: rtfm
Source-Version: 2.4.2-4+squeeze1

We believe that the bug you reported is fixed in the latest version of
rtfm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683290@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated rtfm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 07 Aug 2012 19:43:13 +0100
Source: rtfm
Binary: rt3.8-rtfm
Architecture: source all
Version: 2.4.2-4+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian Request Tracker Group <pkg-request-tracker-maintainers@lists.alioth.debian.org>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 rt3.8-rtfm - FAQ Manager for Request Tracker 3.8
Closes: 682765 683290
Changes: 
 rtfm (2.4.2-4+squeeze1) stable-security; urgency=high
 .
   * [CVE-2012-2768] Fix multiple XSS vulnerabilities (Closes: #682765,
     #683290)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 29 Sep 2012 07:30:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:57:50 2019; Machine Name: beach
