[request-tracker-maintainers] Bug#546778: Bug#546778: request-tracker3.6: XSS vulnerability when displaying Custom Field values
Dominic Hargreaves
dom at earth.li
Tue Sep 15 18:26:32 UTC 2009
On Tue, Sep 15, 2009 at 06:18:56PM +0100, Dominic Hargreaves wrote:
> Package: request-tracker3.6
> Version: 3.6.7-5+lenny1
> Severity: important
> Tags: security patch
>
> According to
>
> http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000172.html
>
> RT 3.6 contains a security problem which affects configurations
> populating Custom Fields using untrusted data. A patch is provided.
Hi security team,

I have prepared an updated package to fix this issue according to the
minimal patch included in the announcement. It's at

http://svn.debian.org/wsvn/pkg-request-tracker/packages/request-tracker3.6/branches/lenny/#_packages_request-tracker3.6_branches_lenny_

Would you like to pursue a DSA for this or should I send it to
debian-release for a stable update?

Thanks,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)