rt-authen-externalauth: privilege escalation

Related Vulnerabilities: CVE-2012-2770  

Debian Bug report logs - #683288

Reported by: Yves-Alexis Perez <corsac@debian.org>

Date: Mon, 30 Jul 2012 14:57:01 UTC

Severity: grave

Tags: security

Fixed in version rt-authen-externalauth/0.10-2

Done: Tom Jampen <tom@cryptography.ch>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tom Jampen <tom@cryptography.ch>:
Bug#683288; Package rt-authen-externalauth. (Mon, 30 Jul 2012 14:57:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tom Jampen <tom@cryptography.ch>. (Mon, 30 Jul 2012 14:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rt-authen-externalauth: privilege escalation
Date: Mon, 30 Jul 2012 16:55:31 +0200
Package: rt-authen-externalauth
Severity: grave
Tags: security
Justification: user security hole

Hi,

a security issue has been found in rt-authen-externalauth package. From
http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html:

----
RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are
vulnerable to an escalation of privilege attack where the URL of a RSS
feed of the user can be used to acquire a fully logged-in session as
that user. CVE-2012-2770 has been assigned to this vulnerability.
----

For Wheezy, please fix this with an isolated fix instead of updating to a
new upstream release (since the freeze is in effect).

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Information forwarded to debian-bugs-dist@lists.debian.org, Tom Jampen <tom@cryptography.ch>:
Bug#683288; Package rt-authen-externalauth. (Fri, 10 Aug 2012 20:36:03 GMT)


Acknowledgement sent to Tom Jampen <jampen@cryptography.ch>:
Extra info received and forwarded to list. Copy sent to Tom Jampen <tom@cryptography.ch>. (Fri, 10 Aug 2012 20:36:03 GMT)


Message #10 received at submit@bugs.debian.org:

From: Tom Jampen <jampen@cryptography.ch>
To: Yves-Alexis Perez <corsac@debian.org>, 683288@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#683288: rt-authen-externalauth: privilege escalation
Date: Fri, 10 Aug 2012 22:32:37 +0200
tag 683288 pending
thanks

On 30.07.2012 16:55, Yves-Alexis Perez wrote:
> For Wheezy, please fix this with an isolated fix instead of updating to a
> new upstream release (since the freeze is in effect)

Fixed in git.
Tom



Information forwarded to debian-bugs-dist@lists.debian.org, Tom Jampen <tom@cryptography.ch>:
Bug#683288; Package rt-authen-externalauth. (Fri, 10 Aug 2012 20:36:04 GMT)


Acknowledgement sent to Tom Jampen <jampen@cryptography.ch>:
Extra info received and forwarded to list. Copy sent to Tom Jampen <tom@cryptography.ch>. (Fri, 10 Aug 2012 20:36:05 GMT)


Reply sent to Tom Jampen <tom@cryptography.ch>:
You have taken responsibility. (Tue, 21 Aug 2012 10:36:06 GMT)


Notification sent to Yves-Alexis Perez <corsac@debian.org>:
Bug acknowledged by developer. (Tue, 21 Aug 2012 10:36:06 GMT)


Message #20 received at 683288-close@bugs.debian.org:

From: Tom Jampen <tom@cryptography.ch>
To: 683288-close@bugs.debian.org
Subject: Bug#683288: fixed in rt-authen-externalauth 0.10-2
Date: Tue, 21 Aug 2012 10:33:23 +0000
Source: rt-authen-externalauth
Source-Version: 0.10-2

We believe that the bug you reported is fixed in the latest version of
rt-authen-externalauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683288@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tom Jampen <tom@cryptography.ch> (supplier of updated rt-authen-externalauth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 10 Aug 2012 21:53:49 +0200
Source: rt-authen-externalauth
Binary: rt4-extension-authenexternalauth
Architecture: source i386
Version: 0.10-2
Distribution: unstable
Urgency: low
Maintainer: Tom Jampen <tom@cryptography.ch>
Changed-By: Tom Jampen <tom@cryptography.ch>
Description: 
 rt4-extension-authenexternalauth - External authentication module for request tracker 4
Closes: 683288
Changes: 
 rt-authen-externalauth (0.10-2) unstable; urgency=low
 .
   * Fixing typos in README.Debian.
   * Adding patch from Alex Vandiver <alex@chmrr.net> to fix privilege escalation
     bug (Closes: #683288).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 29 Sep 2012 07:30:23 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:36:20 2019; Machine Name: buxtehude
