[request-tracker-maintainers] Bug#614576: CVE IDs etc.

Niko Tyni ntyni at debian.org
Fri Feb 25 18:04:31 UTC 2011


package request-tracker3.8
retitle 614575 request-tracker3.8: CVE-2011-1007: Back button attacks
retitle 614576 request-tracker3.8: CVE-2011-1008: Scrip information leakage
forwarded 614575 http://issues.bestpractical.com/Ticket/Display.html?id=15804
thanks

Just filling in some administrivia based on
 http://permalink.gmane.org/gmane.comp.security.oss.general/4243
 http://permalink.gmane.org/gmane.comp.security.oss.general/4247

On Tue, Feb 22, 2011 at 11:44:03AM +0000, Dominic Hargreaves wrote:
> Package: request-tracker3.8
> Version: 3.8.8-7
> Severity: important
> Tags: security
>
> The following appears in the changelog of 3.8.9:
>
>  * Redirect users to their desired pages after login.
>     This prevents possible back button attacks after a user logs out.
>

This has been assigned CVE-2011-1007. 

The base patch was
 https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4
but, as discussed in
 http://permalink.gmane.org/gmane.comp.security.oss.general/4247
this breaks RT-Authen-ExternalAuth and was augmented by other changes on
the same branch later.

A targeted fix should be discussed with <security at bestpractical.com>,
as requested by Thomas Sibley in the above message.

On Tue, Feb 22, 2011 at 11:46:04AM +0000, Dominic Hargreaves wrote:
> Package: request-tracker3.8
> Version: 3.8.8-7
> Severity: important
> Tags: security
> 
> The following appears in the changelog of 3.8.9:
> 
>  * Clone Scrip's TicketObj since we change the CurrentUser and it can leak
>     information (Custom field values, etc)

This has been assigned CVE-2011-1008.
A patch is
 https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3
but again, upstream requests coordination for targeted fixes in
 http://permalink.gmane.org/gmane.comp.security.oss.general/4247

I don't have the time to drive this further myself, just noticed the
thread at oss-security.
-- 
Niko Tyni   ntyni at debian.org