[SECURITY] [DSA 5542-1] request-tracker4 security update

2023-10-3020:44:36

lists.debian.org

request tracker4

debian

information leakage

cve-2023-41260

security update

cve-2023-41259

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.3

Confidence

Low

EPSS

0.001

Percentile

28.1%

JSON

Debian Security Advisory DSA-5542-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
October 30, 2023 https://www.debian.org/security/faq

Package : request-tracker4
CVE ID : CVE-2023-41259 CVE-2023-41260
Debian Bug : 1054516

Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system.

CVE-2023-41259

Tom Wolters reported that Request Tracker is vulnerable to accepting
unvalidated RT email headers in incoming email and the mail-gateway
REST interface.

CVE-2023-41260

Tom Wolters reported that Request Tracker is vulnerable to
information leakage via response messages returned from requests
sent via the mail-gateway REST interface.

For the oldstable distribution (bullseye), these problems have been fixed
in version 4.4.4+dfsg-2+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in
version 4.4.6+dfsg-1.1+deb12u1.

We recommend that you upgrade your request-tracker4 packages.

For the detailed security status of request-tracker4 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/request-tracker4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian12allrt5-standalone< 5.0.3+dfsg-3~deb12u2rt5-standalone_5.0.3+dfsg-3~deb12u2_all.deb
Debian10allrequest-tracker4< 4.4.3-2+deb10u3request-tracker4_4.4.3-2+deb10u3_all.deb
Debian12allrt5-db-postgresql< 5.0.3+dfsg-3~deb12u2rt5-db-postgresql_5.0.3+dfsg-3~deb12u2_all.deb
Debian11allrt4-doc-html< 4.4.4+dfsg-2+deb11u3rt4-doc-html_4.4.4+dfsg-2+deb11u3_all.deb
Debian11allrt4-clients< 4.4.4+dfsg-2+deb11u3rt4-clients_4.4.4+dfsg-2+deb11u3_all.deb
Debian10allrt4-standalone< 4.4.3-2+deb10u3rt4-standalone_4.4.3-2+deb10u3_all.deb
Debian11allrequest-tracker4< 4.4.4+dfsg-2+deb11u3request-tracker4_4.4.4+dfsg-2+deb11u3_all.deb
Debian10allrt4-db-sqlite< 4.4.3-2+deb10u3rt4-db-sqlite_4.4.3-2+deb10u3_all.deb
Debian11allrt4-db-postgresql< 4.4.4+dfsg-2+deb11u3rt4-db-postgresql_4.4.4+dfsg-2+deb11u3_all.deb
Debian11allrt4-fcgi< 4.4.4+dfsg-2+deb11u3rt4-fcgi_4.4.4+dfsg-2+deb11u3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	rt5-standalone	< 5.0.3+dfsg-3~deb12u2	rt5-standalone_5.0.3+dfsg-3~deb12u2_all.deb
Debian	10	all	request-tracker4	< 4.4.3-2+deb10u3	request-tracker4_4.4.3-2+deb10u3_all.deb
Debian	12	all	rt5-db-postgresql	< 5.0.3+dfsg-3~deb12u2	rt5-db-postgresql_5.0.3+dfsg-3~deb12u2_all.deb
Debian	11	all	rt4-doc-html	< 4.4.4+dfsg-2+deb11u3	rt4-doc-html_4.4.4+dfsg-2+deb11u3_all.deb
Debian	11	all	rt4-clients	< 4.4.4+dfsg-2+deb11u3	rt4-clients_4.4.4+dfsg-2+deb11u3_all.deb
Debian	10	all	rt4-standalone	< 4.4.3-2+deb10u3	rt4-standalone_4.4.3-2+deb10u3_all.deb
Debian	11	all	request-tracker4	< 4.4.4+dfsg-2+deb11u3	request-tracker4_4.4.4+dfsg-2+deb11u3_all.deb
Debian	10	all	rt4-db-sqlite	< 4.4.3-2+deb10u3	rt4-db-sqlite_4.4.3-2+deb10u3_all.deb
Debian	11	all	rt4-db-postgresql	< 4.4.4+dfsg-2+deb11u3	rt4-db-postgresql_4.4.4+dfsg-2+deb11u3_all.deb
Debian	11	all	rt4-fcgi	< 4.4.4+dfsg-2+deb11u3	rt4-fcgi_4.4.4+dfsg-2+deb11u3_all.deb