Summary: | <www-apps/rt-4.2.11: multiple vulnerabilities (CVE-2014-9472,CVE-2015-{1165,1464}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | eric.joshua.martin, proxy-maint, titanofold, web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bestpractical.com/release-notes/rt/4.2.10 | ||
Whiteboard: | ~3 [noglsa/cve] | ||
Package list: | Runtime testing required: | --- |
Description

Agostino Sarubbo
2015-03-11 08:04:12 UTC

I'm working on this now and it will be addressed soon.

This package has been updated with insecure version(s) removed.

*rt-4.2.11 (19 May 2015)

19 May 2015; Aaron W. Swenson <titanofold@gentoo.org> -rt-4.2.9-r1.ebuild, +rt-4.2.11.ebuild, +files/rt-makefile-serialize-install-prereqs.patch, -files/rt_apache2_fcgi.conf, -files/rt_apache2.conf:
Address security bug 542882. Add patch fixing bug 540014 to serialize primary build targets while still allowing parallel building on subtargets. Remove outdated Apache configuration examples fixing bug 544566. Users should follow the online guide.

CVE-2015-1464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1464): RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.

CVE-2015-1165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1165): RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.

CVE-2014-9472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9472): The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email.

Thank you all. Closing as noglsa.
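The three NVD ranges quoted above overlap but are not identical (CVE-2015-1464 has no lower bound, CVE-2015-1165 starts at 3.8.8, CVE-2014-9472 at 3.0.0), so an administrator auditing an RT install has to apply each range separately. The following is an added example, not code from this bug or from the RT or Gentoo projects: it parses an RT version string (optionally with the `rt-` prefix and a Gentoo `-rN` revision suffix, both assumed conventions) and returns the CVEs from this bug whose published ranges cover it. The sample versions at the bottom are constructed for illustration.

```python
"""Map an RT version onto the affected ranges of CVE-2014-9472, CVE-2015-1165
and CVE-2015-1464 as published by NVD (and quoted in Gentoo bug 542882).

Added example; not part of the bug report or of any project's code.
"""
import re
import sys

# Upper bounds shared by all three advisories: "4.x before 4.0.23" and
# "4.2.x before 4.2.10".  Versions in the 4.1.x development series sort
# above 4.0.23 and below 4.2.0, so they fall outside both windows.
FIXED_40 = (4, 0, 23)
FIXED_42 = (4, 2, 10)

# Assumed: the version Gentoo shipped as the fix for this bug.
GENTOO_FIXED = (4, 2, 11)

# CVE id -> lower bound (inclusive) of the pre-4.0.23 window, None = unbounded.
CVE_LOWER_BOUNDS = {
    "CVE-2014-9472": (3, 0, 0),   # "3.0.0 through 4.x before 4.0.23"
    "CVE-2015-1165": (3, 8, 8),   # "3.8.8 through 4.x before 4.0.23"
    "CVE-2015-1464": None,        # "before 4.0.23"
}

_VERSION_RE = re.compile(r"(?:rt-)?(\d+)\.(\d+)\.(\d+)(?:-r\d+)?")


def parse_version(text):
    """Return (major, minor, patch) for strings like '4.2.9', 'rt-4.2.9' or
    '4.2.9-r1'.  The Gentoo revision suffix does not change the upstream
    code and is ignored.  Raises ValueError on anything else."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unrecognised RT version string: %r" % text)
    return tuple(int(part) for part in m.groups())


def in_42_window(v):
    """True for 4.2.x releases before 4.2.10 (affected by all three CVEs)."""
    return (4, 2, 0) <= v < FIXED_42


def affected_cves(text):
    """Return the sorted list of CVE ids whose NVD ranges cover the version."""
    v = parse_version(text)
    hits = []
    for cve, lower in sorted(CVE_LOWER_BOUNDS.items()):
        below_4023 = v < FIXED_40 and (lower is None or v >= lower)
        if below_4023 or in_42_window(v):
            hits.append(cve)
    return hits


def is_fixed_on_gentoo(text):
    """True when the version is at or above the ebuild that closed this bug."""
    return parse_version(text) >= GENTOO_FIXED


if __name__ == "__main__":
    # Constructed sample inputs; pass real versions on the command line instead.
    samples = sys.argv[1:] or ["4.2.9-r1", "4.0.22", "4.1.5", "3.8.7", "4.2.11"]
    for sample in samples:
        cves = affected_cves(sample)
        status = "fixed on Gentoo" if is_fixed_on_gentoo(sample) else "upgrade"
        print("%-10s %-14s %s" % (sample, status, ", ".join(cves) or "none"))
```

The lower bounds matter in practice: a 3.8.7 install is exposed to the email-gateway DoS and the RSS session hijack but not to CVE-2015-1165, so a blanket "affected/not affected" verdict would misreport it.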