Request security update for CVE-2011-0009 request-tracker3.6 request-tracker3.8

Bug #750339 reported by Sam Kong on 2011-04-04
This bug affects 3 people
Affects                        Importance  Assigned to
request-tracker3.6 (Ubuntu)    Undecided   Unassigned
  Hardy                        Undecided   Unassigned
  Lucid                        Undecided   Unassigned
  Maverick                     Undecided   Unassigned
  Natty                        Undecided   Unassigned
  Oneiric                      Undecided   Unassigned
request-tracker3.8 (Ubuntu)    Medium      Unassigned
  Hardy                        Undecided   Unassigned
  Lucid                        Undecided   Unassigned
  Maverick                     Undecided   Unassigned
  Natty                        Undecided   Unassigned
  Oneiric                      Medium      Unassigned

Bug Description

Binary package hint: request-tracker3.8

All released versions of RT from 3.0.0 through 3.8.9rc1 use an
insecure hashing algorithm to store user passwords. If an attacker is
able to gain read access to RT's database, it would be possible for
the attacker to brute-force the hash and discover users' passwords.
CVE-2011-0009 has been assigned to this vulnerability.

http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html
http://www.debian.org/security/2011/dsa-2150.en.html
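As an added illustration of the weakness and its remedy (not part of this bug report or of RT's own code): a scan that flags rows still holding an unsalted digest, and a login path that re-stores the password with a random salt and an iterated KDF on the next successful login. The legacy format is assumed to be a bare MD5 hex digest and the user table a plain dict; both are constructed stand-ins, not RT's schema.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000                      # PBKDF2 work factor
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")  # assumed legacy format: unsalted MD5 hex

# Constructed sample table (username -> stored hash); not RT's real schema.
USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),  # legacy, brute-forceable
}


def hash_password(password, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256, stored together with its parameters."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2!%d!%s!%s" % (ITERATIONS, salt.hex(), digest.hex())


def is_vulnerable(stored):
    """True for a bare 32-hex-char digest: no salt, no cost parameter."""
    return LEGACY_MD5.fullmatch(stored) is not None


def verify(stored, password):
    """Check a password against either format, comparing in constant time."""
    if is_vulnerable(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    _, iters, salt_hex, digest_hex = stored.split("!")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def vulnerable_users(table):
    """The audit step: list accounts still stored in the legacy format."""
    return sorted(user for user, stored in table.items() if is_vulnerable(stored))


def login_and_migrate(table, user, password):
    """Authenticate; on success, upgrade a legacy row to the salted format."""
    stored = table.get(user)
    if stored is None or not verify(stored, password):
        return False
    if is_vulnerable(stored):
        table[user] = hash_password(password)
    return True


# Second constructed row, already in the salted format.
USERS["bob"] = hash_password("battery staple")
```

Re-hashing on login is the usual migration path because the server never holds the plaintext otherwise; accounts that never log in stay on the audit list and should be forced through a password reset.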

Sam Kong (ckongyc) on 2011-04-04
tags: added: cve-2011-0009 rt-extension-saltedpasswords-1.1
removed: cve-2011-0009rt-extension-saltedpasswords-1.1
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
tags: removed: cve-2011-0009 request-tracker3.6 request-tracker3.8 rt-extension-saltedpasswords-1.1
Changed in request-tracker3.8 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Dominic Hargreaves (dom) wrote :

Here's my proposed fix for maverick. This fixes the more recent bunch of issues too. It's a straightforward port of my updates for Debian. Not test-built on Ubuntu or tested (I don't have Ubuntu machines to hand).

If this is any use, I can look at preparing similar updates for previous versions.

Marc Deslauriers (mdeslaur) wrote :

I'm subscribing ubuntu-security-sponsors, so the debdiff gets processed.

Scott Kitterman (kitterman) wrote :

Bug 766386 covers Natty.

Changed in request-tracker3.8 (Ubuntu):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff!

ACK

Changed in request-tracker3.8 (Ubuntu Maverick):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Uploaded to maverick-security. I'll push this to the archive once it is finished building.

Changed in request-tracker3.8 (Ubuntu Maverick):
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Natty and Oneiric have 3.8.10-1.

Changed in request-tracker3.8 (Ubuntu Natty):
status: New → Fix Released
Changed in request-tracker3.8 (Ubuntu Oneiric):
status: Won't Fix → Fix Released

On Wed, May 04, 2011 at 09:27:54PM -0000, Jamie Strandboge wrote:
> Thanks for the debdiff!

No problem. I take it you'd be interested in updates for lucid, and
hardy (and dapper-backports?) too?

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Jamie Strandboge (jdstrand) wrote :

Yes, very much so, though Dapper is going EOL in a few weeks, so feel free to skip that.

Dominic Hargreaves (dom) wrote :

Here's my proposed fix for lucid. This fixes the more recent bunch of issues too. It's a straightforward port of my updates for Debian. Not test-built on Ubuntu or tested (I don't have Ubuntu machines to hand).

Dominic Hargreaves (dom) wrote :

The last patch missed out the installation of the vulnerable-passwords script. Please use this one instead.

Dominic Hargreaves (dom) wrote :

Here's my proposed fix for hardy. This fixes some other old security issues as well as the more recent ones. This probably needs more testing than the other updates.

Changed in request-tracker3.8 (Ubuntu Hardy):
status: New → Confirmed
Changed in request-tracker3.8 (Ubuntu Lucid):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Maverick was fixed on 2011-05-05.

Changed in request-tracker3.8 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in request-tracker3.6 (Ubuntu Hardy):
status: New → Triaged
Changed in request-tracker3.6 (Ubuntu Lucid):
status: New → Invalid
Changed in request-tracker3.6 (Ubuntu Maverick):
status: New → Invalid
Changed in request-tracker3.6 (Ubuntu Natty):
status: New → Invalid
Changed in request-tracker3.6 (Ubuntu Oneiric):
status: New → Invalid
Jamie Strandboge (jdstrand) wrote :

Overall, Lucid looks good with these exceptions:
* the version should be 3.8.7-1ubuntu2.1, not 3.8.7-1ubuntu3
* this bug was not referenced in the changelog
* the changelog does not conform to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging.

See https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for details. I took the liberty of adjusting the first 2, and a bit of the 3rd, and am uploading to the security queue now.

Changed in request-tracker3.8 (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in request-tracker3.8 (Ubuntu Hardy):
status: Confirmed → Invalid
tags: added: security-verification
Changed in request-tracker3.8 (Ubuntu Lucid):
status: Fix Committed → In Progress
Jamie Strandboge (jdstrand) wrote :

Overall, Hardy looks good too with these exceptions:
* the distribution name should be 'hardy-security'
* this bug was not referenced in the changelog
* the changelog does not conform to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging.

See https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for details. Again, I took the liberty of adjusting the first 2, and a bit of the 3rd, and am uploading to the security queue now.

Thanks so much for the debdiffs! :)

Changed in request-tracker3.6 (Ubuntu Hardy):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Pocket copied request-tracker3.8 to lucid-proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
removed: security-verification
Changed in request-tracker3.8 (Ubuntu Lucid):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Jamie Strandboge (jdstrand) wrote :

Pocket copied request-tracker3.6 to hardy-proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Thomas Sibley (thomas-sibley) wrote :

Are there any updates on getting this package from lucid-proposed to lucid-security?

Jamie Strandboge (jdstrand) wrote :

Thomas,

Someone just needs to test the package in proposed, then comment here on whether or not it is working and free of regressions.

Jamie Strandboge (jdstrand) wrote :

Can someone affected by this bug test the package in -proposed on hardy and lucid and comment here?

Changed in request-tracker3.6 (Ubuntu Hardy):
status: In Progress → Fix Committed
Mark Foster (fostermarkd) wrote :

Please release the fix!

Jamie Strandboge (jdstrand) wrote :

Mark, have you tested the packages as requested in comment #18? If so, on what release?

Martin Pitt (pitti) wrote :

Is anyone still interested in the hardy update? It's been sitting in -proposed for half a year. We'll remove the -proposed version soon.

Thomas Sibley (thomas-sibley) wrote :

Martin— RT 3.6 has since been EOLd by us: http://blog.bestpractical.com/2011/06/end-of-life-for-rt-36.html

We'll try to get the lucid-proposed package tested soon.

Thomas Sibley (thomas-sibley) wrote :

Best Practical tested the lucid-proposed package and we uncovered an error in the package that causes users to be unable to login. The error is not present in upstream but in the Ubuntu patched version.

Once we manually patched the error in the installed code (described by the attached diff), RT functioned normally as expected.

I guess the lucid-proposed package needs to get updated and the new package needs to go through another test round, and then it can be pushed to lucid-security?

Dominic Hargreaves (dom) wrote :

I can confirm that the fix looks correct and that it was a mistake in my previous fix. Attached is the fix incorporated as a debdiff against 3.8.7-1ubuntu2.1

Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff, looks good. I'm getting it pocket-copied into the -proposed pocket now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package request-tracker3.8 - 3.8.7-1ubuntu2.2

---------------
request-tracker3.8 (3.8.7-1ubuntu2.2) lucid-security; urgency=low

  * Fix error in previous patch application which broke logins.
    Thanks to Best Practical for the testing and fix. (LP: #750339)
 -- Dominic Hargreaves <email address hidden> Thu, 24 Nov 2011 14:37:00 +0000

Changed in request-tracker3.8 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Actually, since it was tested except for the simple fix, I've pushed it to -security directly. It should appear in a few hours. Thanks!

tags: removed: verification-needed
Marc Deslauriers (mdeslaur) wrote :

Whoops, adding verification-needed tag back for hardy package in -proposed.

tags: added: verification-needed
Clint Byrum (clint-fewbar) wrote :

It has been another half year, and no activity on the hardy-proposed packages. Given that hardy only has about 9 more months to live, I suppose we should just leave them there, I'd hope affected users have started their migrations to at least lucid by now.

tags: added: bot-stop-nagging
Changed in request-tracker3.6 (Ubuntu Hardy):
status: Fix Committed → Won't Fix