[request-tracker-maintainers] Bug#546778: Bug#546778: request-tracker3.6: XSS vulnerability when displaying Custom Field values
Moritz Muehlenhoff
jmm at inutil.org
Wed Sep 16 20:23:06 UTC 2009
On Tue, Sep 15, 2009 at 07:26:32PM +0100, Dominic Hargreaves wrote:
> On Tue, Sep 15, 2009 at 06:18:56PM +0100, Dominic Hargreaves wrote:
> > Package: request-tracker3.6
> > Version: 3.6.7-5+lenny1
> > Severity: important
> > Tags: security patch
> >
> > According to
> >
> > http://lists.bestpractical.com/pipermail/rt-announce/2009-September/000172.html
> >
> > RT 3.6 contains a security problem which affects configurations
> > populating Custom Fields using untrusted data. A patch is provided.
>
> Hi security team,
>
> I have prepared an updated package to fix this issue according to the
> minimal patch included in the announcement. It's at
>
> http://svn.debian.org/wsvn/pkg-request-tracker/packages/request-tracker3.6/branches/lenny/#_packages_request-tracker3.6_branches_lenny_
>
> Would you like to pursue a DSA for this or should I send it to
> debian-release for a stable update?
Please update this through a point update, we're swamped in more severe
issues right now.

Cheers,
Moritz