Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 542882 (CVE-2014-9472)

Summary: <www-apps/rt-4.2.11: multiple vulnerabilities (CVE-2014-9472,CVE-2015-{1165,1464})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: eric.joshua.martin, proxy-maint, titanofold, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bestpractical.com/release-notes/rt/4.2.10
Whiteboard: ~3 [noglsa/cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-03-11 08:04:12 UTC 
From ${URL} :

This release is primarily a security release; it addresses CVE-2014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Aaron W. Swenson gentoo-dev 2015-05-14 18:44:28 UTC 
I'm working on this now and it will be addressed soon.
Comment 2 Aaron W. Swenson gentoo-dev 2015-05-19 15:50:24 UTC 
This package has been updated with insecure version(s) removed.

*rt-4.2.11 (19 May 2015)

  19 May 2015; Aaron W. Swenson <titanofold@gentoo.org> -rt-4.2.9-r1.ebuild,
  +rt-4.2.11.ebuild, +files/rt-makefile-serialize-install-prereqs.patch,
  -files/rt_apache2_fcgi.conf, -files/rt_apache2.conf:
  Address security bug 542882. Add patch fixing bug 540014 to serialize
  primary build targets while still allowing parallel building on
  subtargets. Remove outdated Apache configuration examples fixing bug
  544566. Users should follow the online guide.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-15 00:36:00 UTC 
CVE-2015-1464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1464):
  RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote
  attackers to hijack sessions via an RSS feed URL.

CVE-2015-1165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1165):
  RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before
  4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket
  data via unspecified vectors.

CVE-2014-9472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9472):
  The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before
  4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of
  service (CPU and disk consumption) via a crafted email.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 17:03:44 UTC 
Thank you all. Closing as noglsa.