Bug 558424 (CVE-2015-5475) - <www-apps/rt-4.2.12: cross-site scripting in cryptography interface (CVE-2015-{5475,6506})
Summary: <www-apps/rt-4.2.12: cross-site scripting in cryptography interface (CVE-2015...
Status: RESOLVED FIXED
Alias: CVE-2015-5475
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~4 [noglsa/cve]
Keywords:
Depends on:
Blocks:
Reported: 2015-08-22 12:20 UTC by Agostino Sarubbo
Modified: 2015-11-18 22:47 UTC (History)
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-08-22 12:20:14 UTC
From ${URL} :

> RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS)
> attack via the cryptography interface.  This vulnerability could
> allow an attacker with a carefully-crafted key to inject JavaScript
> into RT's user interface. Installations which use neither GnuPG nor
> S/MIME are unaffected.

Fixed by:
https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d1c7767d8484c4
@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2015-09-04 10:11:52 UTC
Almost 2 weeks now. Awaiting maintainer to acquire patch from commit 36a461947b00b105336adb4997d1c7767d8484c4 and run tests.
Comment 2 Aaron W. Swenson gentoo-dev 2015-11-18 18:03:18 UTC
commit 30c18705dcfa3ee3f51ffa025e45a89f402d5677
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Wed Nov 18 13:02:33 2015 -0500

    www-apps/rt: Remove Insecure Version
    
    Susceptible to cross-site scripting in cryptography interface security
    issue.
    
    Bug: 558424
    
    Package-Manager: portage-2.2.20.1

commit 5c322ee493f1c3dd6c14d0370e2f5fb891da996c
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date:   Wed Nov 18 13:01:02 2015 -0500

    www-apps/rt: Version Bump
    
    Fixes cross-site scripting in cryptography interface security issue.
    
    Bug: 558424
    
    Package-Manager: portage-2.2.20.1
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-11-18 22:45:13 UTC
Maintainer(s), thank you for your work.

Closing noglsa.