Request security update for CVE-2011-0009 request-tracker3.6 request-tracker3.8
Bug #750339 reported by Sam Kong
This bug affects 3 people

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
request-tracker3.6 (Ubuntu) | Invalid | Undecided | Unassigned |
Hardy | Won't Fix | Undecided | Unassigned |
Lucid | Invalid | Undecided | Unassigned |
Maverick | Invalid | Undecided | Unassigned |
Natty | Invalid | Undecided | Unassigned |
Oneiric | Invalid | Undecided | Unassigned |
request-tracker3.8 (Ubuntu) | Won't Fix | Medium | Unassigned |
Hardy | Invalid | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Maverick | Fix Released | Undecided | Unassigned |
Natty | Fix Released | Undecided | Unassigned |
Oneiric | Fix Released | Medium | Unassigned |

Bug Description
Binary package hint: request-tracker3.8
All released versions of RT from 3.0.0 through 3.8.9rc1 use an
insecure hashing algorithm to store user passwords. If an attacker is
able to gain read access to RT's database, it would be possible for
the attacker to brute-force the hash and discover users' passwords.
CVE-2011-0009 has been assigned to this vulnerability.
http://
http://
CVE References
tags: added: cve-2011-0009 rt-extension-saltedpasswords-1.1; removed: cve-2011-0009rt-extension-saltedpasswords-1.1
Changed in request-tracker3.8 (Ubuntu Maverick): status: New → Confirmed
Changed in request-tracker3.8 (Ubuntu Hardy): status: New → Confirmed
Changed in request-tracker3.8 (Ubuntu Lucid): status: New → Confirmed
tags: added: security-verification
Changed in request-tracker3.8 (Ubuntu Lucid): status: Fix Committed → In Progress
tags: added: bot-stop-nagging
Changed in request-tracker3.6 (Ubuntu Hardy): status: Fix Committed → Won't Fix
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures