Bug 542882 (CVE-2014-9472) - <www-apps/rt-4.2.11: multiple vulnerabilities (CVE-2014-9472,CVE-2015-{1165,1464})
Status: RESOLVED FIXED
Alias: CVE-2014-9472
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bestpractical.com/release-not...
Whiteboard: ~3 [noglsa/cve]
Reported: 2015-03-11 08:04 UTC by Agostino Sarubbo
Modified: 2015-11-03 17:23 UTC

Description Agostino Sarubbo gentoo-dev 2015-03-11 08:04:12 UTC
From ${URL} :

This release is primarily a security release; it addresses CVE-2014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Aaron W. Swenson gentoo-dev 2015-05-14 18:44:28 UTC
I'm working on this now and it will be addressed soon.
Comment 2 Aaron W. Swenson gentoo-dev 2015-05-19 15:50:24 UTC
This package has been updated with insecure version(s) removed.

*rt-4.2.11 (19 May 2015)

  19 May 2015; Aaron W. Swenson <titanofold@gentoo.org> -rt-4.2.9-r1.ebuild,
  +rt-4.2.11.ebuild, +files/rt-makefile-serialize-install-prereqs.patch,
  -files/rt_apache2_fcgi.conf, -files/rt_apache2.conf:
  Address security bug 542882. Add patch fixing bug 540014 to serialize
  primary build targets while still allowing parallel building on
  subtargets. Remove outdated Apache configuration examples fixing bug
  544566. Users should follow the online guide.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-15 00:36:00 UTC
CVE-2015-1464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1464):
  RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote
  attackers to hijack sessions via an RSS feed URL.

CVE-2015-1165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1165):
  RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before
  4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket
  data via unspecified vectors.

CVE-2014-9472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9472):
  The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before
  4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of
  service (CPU and disk consumption) via a crafted email.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 17:03:44 UTC
Thank you all. Closing as noglsa.