Bug#487718: libdevel-stacktrace-perl: Security vulnerability in RT 3.0 and up

Thijs Kinkhorst thijs at debian.org
Tue Jun 24 06:58:21 UTC 2008


On Mon, June 23, 2008 21:29, Niko Tyni wrote:
>> All versions of RT from 3.0.0 to 3.6.6 (including some, but not all RT
>> 3.7 development releases) are vulnerable to a potential remote denial
>> of service attack which could exhaust virtual memory or consume all
>> available CPU resources.  After a detailed analysis, we believe that an
>> attacker would need to be a 'Privileged' RT user in order to perform an
>> attack.

> The big question is whether this needs an Etch update. I'm leaving the
> severity at 'important' for now, as the security impact seems to be
> quite low.

I agree - I wouldn't update this for Etch. You need to be a privileged
user already and denial of service isn't the worst class of problems. It
seems unlikely that privileged users would find it desirable to DoS their
RT, and if they would really want that, there's nothing stopping them now
e.g. by automatically making many requests or filing an extreme number of
tickets.


Thijs

More information about the pkg-perl-maintainers mailing list