| Summary: | <www-apps/rt-4.2.12: cross-site scripting in cryptography interface (CVE-2015-{5475,6506}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | eric.joshua.martin, proxy-maint, titanofold, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2015/08/13/8 | | |
| Whiteboard: | ~4 [noglsa/cve] | | |
| Package list: | | Runtime testing required: | --- |
From ${URL}:

> RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS)
> attack via the cryptography interface. This vulnerability could
> allow an attacker with a carefully-crafted key to inject JavaScript
> into RT's user interface. Installations which use neither GnuPG nor
> S/MIME are unaffected.

Fixed by: https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d1c7767d8484c4

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.

Almost 2 weeks now. Awaiting maintainer to acquire patch from commit 36a461947b00b105336adb4997d1c7767d8484c4 and run test.

commit 30c18705dcfa3ee3f51ffa025e45a89f402d5677
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date: Wed Nov 18 13:02:33 2015 -0500

    www-apps/rt: Remove Insecure Version

    Susceptible to cross-site scripting in cryptography interface security issue.

    Bug: 558424
    Package-Manager: portage-2.2.20.1

commit 5c322ee493f1c3dd6c14d0370e2f5fb891da996c
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date: Wed Nov 18 13:01:02 2015 -0500

    www-apps/rt: Version Bump

    Fixes cross-site scripting in cryptography interface security issue.

    Bug: 558424
    Package-Manager: portage-2.2.20.1

Maintainer(s), thank you for your work. Closing noglsa.