Request security update for CVE-2011-0009 request-tracker3.6 request-tracker3.8

Bug #750339 reported by Sam Kong
This bug affects 3 people
Affects                        Status        Importance  Assigned to  Milestone
request-tracker3.6 (Ubuntu)    Invalid       Undecided   Unassigned
  Hardy                        Won't Fix     Undecided   Unassigned
  Lucid                        Invalid       Undecided   Unassigned
  Maverick                     Invalid       Undecided   Unassigned
  Natty                        Invalid       Undecided   Unassigned
  Oneiric                      Invalid       Undecided   Unassigned
request-tracker3.8 (Ubuntu)    Won't Fix     Medium      Unassigned
  Hardy                        Invalid       Undecided   Unassigned
  Lucid                        Fix Released  Undecided   Unassigned
  Maverick                     Fix Released  Undecided   Unassigned
  Natty                        Fix Released  Undecided   Unassigned
  Oneiric                      Fix Released  Medium      Unassigned

Bug Description

Binary package hint: request-tracker3.8

All released versions of RT from 3.0.0 through 3.8.9rc1 use an
insecure hashing algorithm to store user passwords. If an attacker is
able to gain read access to RT's database, it would be possible for
the attacker to brute-force the hash and discover users' passwords.
CVE-2011-0009 has been assigned to this vulnerability.

http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html
http://www.debian.org/security/2011/dsa-2150.en.html
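The description above says a reader of the database can brute-force the stored hashes; the property that makes this cheap is that an unsalted, fast hash maps equal passwords to equal, precomputable values. The following is an added example (not RT's code, not part of this bug report, and not the rt-extension-saltedpasswords or vulnerable-passwords script mentioned later) that contrasts a legacy unsalted MD5 store with a salted, iterated PBKDF2 store, and includes the kind of audit a defender runs over a dump of the Users table to find accounts whose stored hash is still in the weak format and therefore needs a forced reset. The record formats (`32 hex chars` for legacy, `!pbkdf2!<iters>!<salt>!<hash>` for the new scheme), the sample records and the iteration count are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Assumed storage formats (constructed for this example, not RT's real format):
#   legacy: 32 lowercase hex characters = unsalted MD5(password)
#   salted: "!pbkdf2!<iterations>!<salt base64>!<digest base64>"
SALTED_PREFIX = "!pbkdf2!"
ITERATIONS = 100_000
_LEGACY_RE = re.compile(r"^[0-9a-f]{32}$")


def legacy_hash(password: str) -> str:
    """The weak scheme the advisory describes: fast, unsalted. Shown only
    so the audit below has something to recognise; never store passwords this way."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash: a random per-user salt defeats precomputed tables,
    and the iteration count makes each guess expensive for an attacker holding the dump."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}{}!{}!{}".format(
        SALTED_PREFIX, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, scheme, iters, salt_b64, digest_b64 = stored.split("!")
    if scheme != "pbkdf2":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def classify_stored_password(stored: str) -> str:
    """Label a stored value so an administrator can see which accounts still
    carry a hash in the weak, precomputable format."""
    if stored.startswith(SALTED_PREFIX):
        return "salted"
    if _LEGACY_RE.match(stored):
        return "legacy-md5"
    return "unknown"


def audit_records(records: List[Tuple[str, str]]) -> List[str]:
    """Return the usernames whose stored password is in the legacy format.
    These are the accounts to force through a password reset after the upgrade."""
    return [user for user, stored in records
            if classify_stored_password(stored) == "legacy-md5"]


# Constructed sample dump of (username, stored_password); not real data.
SAMPLE_RECORDS = [
    ("alice", legacy_hash("correct horse")),
    ("bob", salted_hash("correct horse")),
    ("carol", legacy_hash("correct horse")),
    ("dave", "*NO-PASSWORD*"),
]


def same_password_collides_under_legacy() -> bool:
    """alice and carol chose the same password: identical legacy hashes reveal that
    fact to anyone holding the dump, and one precomputed lookup breaks both."""
    return SAMPLE_RECORDS[0][1] == SAMPLE_RECORDS[2][1]


def same_password_differs_when_salted() -> bool:
    """Under the salted scheme the same password yields different stored values."""
    return salted_hash("correct horse") != salted_hash("correct horse")


if __name__ == "__main__":
    print("accounts needing reset:", audit_records(SAMPLE_RECORDS))
    print("legacy collision:", same_password_collides_under_legacy())
    print("salted differs:", same_password_differs_when_salted())
```

The audit is the part that matters operationally after an upgrade of this kind: migrating the hashing scheme only protects users whose stored value has actually been rewritten, which happens on their next successful login, so accounts that never log in stay in the weak format until an administrator forces a reset.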

Sam Kong (ckongyc)
tags: added: cve-2011-0009 rt-extension-saltedpasswords-1.1
removed: cve-2011-0009rt-extension-saltedpasswords-1.1
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
tags: removed: cve-2011-0009 request-tracker3.6 request-tracker3.8 rt-extension-saltedpasswords-1.1
Changed in request-tracker3.8 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Dominic Hargreaves (dom) wrote :

Here's my proposed fix for maverick. This fixes the more recent bunch of issues too. It's a straightforward port of my updates for Debian. Not test-built on Ubuntu or tested (I don't have Ubuntu machines to hand).

If this is any use, I can look at preparing similar updates for previous versions.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I'm subscribing ubuntu-security-sponsors, so the debdiff gets processed.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Bug 766386 covers Natty.

Changed in request-tracker3.8 (Ubuntu):
status: Confirmed → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff!

ACK

Changed in request-tracker3.8 (Ubuntu Maverick):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded to maverick-security. I'll push this to the archive once it is finished building.

Changed in request-tracker3.8 (Ubuntu Maverick):
status: Confirmed → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Natty and Oneiric have 3.8.10-1.

Changed in request-tracker3.8 (Ubuntu Natty):
status: New → Fix Released
Changed in request-tracker3.8 (Ubuntu Oneiric):
status: Won't Fix → Fix Released
Revision history for this message
Dominic Hargreaves (dom) wrote : Re: [Bug 750339] Re: Request security update for CVE-2011-0009 request-tracker3.6 request-tracker3.8

On Wed, May 04, 2011 at 09:27:54PM -0000, Jamie Strandboge wrote:
> Thanks for the debdiff!

No problem. I take it you'd be interested in updates for lucid, and
hardy (and dapper-backports?) too?

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Yes, very much so, though Dapper is going EOL in a few weeks, so feel free to skip that.

Revision history for this message
Dominic Hargreaves (dom) wrote :

Here's my proposed fix for lucid. This fixes the more recent bunch of issues too. It's a straightforward port of my updates for Debian. Not test-built on Ubuntu or tested (I don't have Ubuntu machines to hand).

Revision history for this message
Dominic Hargreaves (dom) wrote :

The last patch missed out the installation of the vulnerable-passwords script. Please use this one instead.

Revision history for this message
Dominic Hargreaves (dom) wrote :

Here's my proposed fix for hardy. This fixes some other old security issues as well as the more recent ones. This probably needs more testing than the other updates.

Changed in request-tracker3.8 (Ubuntu Hardy):
status: New → Confirmed
Changed in request-tracker3.8 (Ubuntu Lucid):
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Maverick was fixed on 2011-05-05.

Changed in request-tracker3.8 (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in request-tracker3.6 (Ubuntu Hardy):
status: New → Triaged
Changed in request-tracker3.6 (Ubuntu Lucid):
status: New → Invalid
Changed in request-tracker3.6 (Ubuntu Maverick):
status: New → Invalid
Changed in request-tracker3.6 (Ubuntu Natty):
status: New → Invalid
Changed in request-tracker3.6 (Ubuntu Oneiric):
status: New → Invalid
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Overall, Lucid looks good with these exceptions:
* the version should be 3.8.7-1ubuntu2.1, not 3.8.7-1ubuntu3
* this bug was not referenced in the changelog
* the changelog does not conform to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging.

See https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for details. I took the liberty of adjusting the first 2, and a bit of the 3rd, and am uploading to the security queue now.

Changed in request-tracker3.8 (Ubuntu Lucid):
status: Confirmed → Fix Committed
Changed in request-tracker3.8 (Ubuntu Hardy):
status: Confirmed → Invalid
tags: added: security-verification
Changed in request-tracker3.8 (Ubuntu Lucid):
status: Fix Committed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Overall, Hardy looks good too with these exceptions:
* the distribution name should be 'hardy-security'
* this bug was not referenced in the changelog
* the changelog does not conform to https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging.

See https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for details. Again, I took the liberty of adjusting the first 2, and a bit of the 3rd, and am uploading to the security queue now.

Thanks so much for the debdiffs! :)

Changed in request-tracker3.6 (Ubuntu Hardy):
status: Triaged → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Pocket copied request-tracker3.8 to lucid-proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
removed: security-verification
Changed in request-tracker3.8 (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Pocket copied request-tracker3.6 to hardy-proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Revision history for this message
Thomas Sibley (thomas-sibley) wrote :

Are there any updates on getting this package from lucid-proposed to lucid-security?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thomas,

Someone just needs to test the package in proposed, then comment here on whether or not it is working and free of regressions.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Can someone affected by this bug test the package in -proposed on hardy and lucid and comment here?

Changed in request-tracker3.6 (Ubuntu Hardy):
status: In Progress → Fix Committed
Revision history for this message
Mark Foster (fostermarkd) wrote :

Please release the fix!

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Mark, have you tested the packages as requested in comment #18? If so, on what release?

Revision history for this message
Martin Pitt (pitti) wrote :

Is anyone still interested in the hardy update? It's been sitting in -proposed for half a year. We'll remove the -proposed version soon.

Revision history for this message
Thomas Sibley (thomas-sibley) wrote :

Martin— RT 3.6 has since been EOLd by us: http://blog.bestpractical.com/2011/06/end-of-life-for-rt-36.html

We'll try to get the lucid-proposed package tested soon.

Revision history for this message
Thomas Sibley (thomas-sibley) wrote :

Best Practical tested the lucid-proposed package and we uncovered an error in the package that causes users to be unable to log in. The error is not present in upstream but in the Ubuntu patched version.

Once we manually patched the error in the installed code (described by the attached diff), RT functioned normally as expected.

I guess the lucid-proposed package needs to get updated and the new package needs to go through another test round, and then it can be pushed to lucid-security?

Revision history for this message
Dominic Hargreaves (dom) wrote :

I can confirm that the fix looks correct and that it was a mistake in my previous fix. Attached is the fix incorporated as a debdiff against 3.8.7-1ubuntu2.1.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff, looks good. I'm getting it pocket-copied into the -proposed pocket now.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package request-tracker3.8 - 3.8.7-1ubuntu2.2

---------------
request-tracker3.8 (3.8.7-1ubuntu2.2) lucid-security; urgency=low

  * Fix error in previous patch application which broke logins.
    Thanks to Best Practical for the testing and fix. (LP: #750339)
 -- Dominic Hargreaves <email address hidden> Thu, 24 Nov 2011 14:37:00 +0000

Changed in request-tracker3.8 (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Actually, since it was tested except for the simple fix, I've pushed it to -security directly. It should appear in a few hours. Thanks!

tags: removed: verification-needed
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Whoops, adding verification-needed tag back for hardy package in -proposed.

tags: added: verification-needed
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

It has been another half year, and no activity on the hardy-proposed packages. Given that hardy only has about 9 more months to live, I suppose we should just leave them there, I'd hope affected users have started their migrations to at least lucid by now.

tags: added: bot-stop-nagging
Changed in request-tracker3.6 (Ubuntu Hardy):
status: Fix Committed → Won't Fix
This report contains Public Security information.
Everyone can see this security related information.