[SECURITY] [DLA 988-1] rt-authen-externalauth security update

2017-06-1610:40:19

lists.debian.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.7

Confidence

High

EPSS

0.003

Percentile

66.1%

JSON

Package : rt-authen-externalauth
Version : 0.10-4+deb7u1
CVE ID : CVE-2017-5361

It was discovered that RT::Authen::ExternalAuth, an external
authentication module for Request Tracker, is vulnerable to timing
side-channel attacks for user passwords. Only ExternalAuth in DBI
(database) mode is vulnerable.

For Debian 7 "Wheezy", these problems have been fixed in version
0.10-4+deb7u1.

We recommend that you upgrade your rt-authen-externalauth packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: Digital signature

OSVersionArchitecturePackageVersionFilename
Debian7allrt4-clients< 4.0.7-5+deb7u5rt4-clients_4.0.7-5+deb7u5_all.deb
Debian7armelrt4-extension-authenexternalauth< 0.10-4+deb7u1rt4-extension-authenexternalauth_0.10-4+deb7u1_armel.deb
Debian7allrt-authen-externalauth< 0.10-4+deb7u1rt-authen-externalauth_0.10-4+deb7u1_all.deb
Debian8allrt4-clients< 4.2.8-3+deb8u2rt4-clients_4.2.8-3+deb8u2_all.deb
Debian9allrt4-db-postgresql< 4.4.1-3+deb9u1rt4-db-postgresql_4.4.1-3+deb9u1_all.deb
Debian9allrequest-tracker4< 4.4.1-3+deb9u1request-tracker4_4.4.1-3+deb9u1_all.deb
Debian8allrt4-db-mysql< 4.2.8-3+deb8u2rt4-db-mysql_4.2.8-3+deb8u2_all.deb
Debian9allrt4-db-mysql< 4.4.1-3+deb9u1rt4-db-mysql_4.4.1-3+deb9u1_all.deb
Debian7allrt4-db-postgresql< 4.0.7-5+deb7u5rt4-db-postgresql_4.0.7-5+deb7u5_all.deb
Debian7armhfrt4-extension-authenexternalauth< 0.10-4+deb7u1rt4-extension-authenexternalauth_0.10-4+deb7u1_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	all	rt4-clients	< 4.0.7-5+deb7u5	rt4-clients_4.0.7-5+deb7u5_all.deb
Debian	7	armel	rt4-extension-authenexternalauth	< 0.10-4+deb7u1	rt4-extension-authenexternalauth_0.10-4+deb7u1_armel.deb
Debian	7	all	rt-authen-externalauth	< 0.10-4+deb7u1	rt-authen-externalauth_0.10-4+deb7u1_all.deb
Debian	8	all	rt4-clients	< 4.2.8-3+deb8u2	rt4-clients_4.2.8-3+deb8u2_all.deb
Debian	9	all	rt4-db-postgresql	< 4.4.1-3+deb9u1	rt4-db-postgresql_4.4.1-3+deb9u1_all.deb
Debian	9	all	request-tracker4	< 4.4.1-3+deb9u1	request-tracker4_4.4.1-3+deb9u1_all.deb
Debian	8	all	rt4-db-mysql	< 4.2.8-3+deb8u2	rt4-db-mysql_4.2.8-3+deb8u2_all.deb
Debian	9	all	rt4-db-mysql	< 4.4.1-3+deb9u1	rt4-db-mysql_4.4.1-3+deb9u1_all.deb
Debian	7	all	rt4-db-postgresql	< 4.0.7-5+deb7u5	rt4-db-postgresql_4.0.7-5+deb7u5_all.deb
Debian	7	armhf	rt4-extension-authenexternalauth	< 0.10-4+deb7u1	rt4-extension-authenexternalauth_0.10-4+deb7u1_armhf.deb