[request-tracker-maintainers] Fixes for RT 3.x issue CVE-2011-0009

Dominic Hargreaves dom at earth.li
Thu Jan 20 11:10:31 UTC 2011


On Thu, Jan 20, 2011 at 12:03:31PM +0100, Thijs Kinkhorst wrote:
> On Thu, January 20, 2011 09:28, Dominic Hargreaves wrote:

> > This issue has now been released:
> > <http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html>
> >
> > A proposed update for lenny is now sitting at
> > svn+ssh://svn.debian.org/svn/pkg-request-tracker/packages/request-tracker3.6/branches/lenny-security
> > and I'd like to get this fixed in lenny. The security team isn't sure
> > whether they can fix this in a DSA or not at this stage, and suggested
> > a stable update as a possibility.
> >
> > Please can either DSA or SRM let me know of their preferred option?
> > The fix is ready to upload either way.
> 
> Thanks for your work on this. The issue boils down to the fact that
> passwords are now hashed in md5 and they switched to sha256 with salt.
> This is of course a good development but I don't think it's a security
> issue directly, since you need to have some way to obtain those hashes in the
> first place.
> 
> I would say that we update this through stable update, as it's a useful
> hardening but current installations aren't in immediate danger.

Okay, this is different to Raphael's earlier assessment. I suspect
different people will have different opinions on this. It is being
treated as a security issue upstream.

SRM, could you advise on whether this can be included in Saturday's
point release?

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
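The discussion above turns on the difference between unsalted MD5 password hashes and salted SHA-256 hashes. The following is an added illustration, not code from RT or from anyone in this thread, and it does not reproduce RT's actual storage format (the `salt$hash` layout, the 16-byte salt and the sample user table are constructed for the example). It shows the concrete property a salt buys once an attacker has somehow obtained the table: with unsalted MD5, two users who share a password have identical stored values, so password reuse is visible from the table alone and precomputed lookups apply to every row; with a per-user random salt, identical passwords produce distinct values and verification still works.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample user table; alice and bob deliberately share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}


def md5_unsalted(password: str) -> str:
    """Old-style storage: plain MD5 of the password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha256_salted(password: str, salt: Optional[bytes] = None) -> str:
    """New-style storage (illustrative layout, not RT's): a random 16-byte salt,
    SHA-256 over salt||password, stored as 'salthex$digesthex'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return "%s$%s" % (salt.hex(), digest)


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; constant-time compare."""
    salt_hex, digest = stored.split("$", 1)
    candidate = sha256_salted(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(candidate, digest)


def duplicate_hash_groups(table: Dict[str, str]) -> List[Set[str]]:
    """Groups of users whose stored values are byte-for-byte identical.
    This is what an unsalted scheme leaks to anyone holding the table."""
    by_value = {}  # type: Dict[str, Set[str]]
    for user, stored in table.items():
        by_value.setdefault(stored, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]


def compare_schemes(users: Dict[str, str] = USERS) -> Dict[str, object]:
    """Hash the same user table both ways and report what each reveals."""
    unsalted = {u: md5_unsalted(p) for u, p in users.items()}
    salted = {u: sha256_salted(p) for u, p in users.items()}
    return {
        # Shared passwords show up as identical rows only in the unsalted table.
        "unsalted_duplicate_groups": duplicate_hash_groups(unsalted),
        "salted_duplicate_groups": duplicate_hash_groups(salted),
        # Salting does not break normal login checks.
        "salted_verifies": all(verify_salted(p, salted[u]) for u, p in users.items()),
        "salted_rejects_wrong": not verify_salted("not the password", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(key, value)
```

Either way, the attacker in this scenario must first obtain the stored hashes (a database dump, a backup, a read on the users table), which is the point made above about it being hardening rather than a directly exploitable flaw; the salt limits what that dump is worth once it exists.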
