ELA-647-1 request-tracker4 security update
Package request-tracker4
ELA-647-1 request-tracker4 security update
Version 4.2.8-3+deb8u4 (jessie), 4.4.1-3+deb9u5 (stretch)
Related CVEs CVE-2021-38562 CVE-2022-25802
Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.
CVE-2022-25802
It was discovered that Request Tracker is vulnerable to a cross-site
scripting (XSS) attack when displaying attachment content with fraudulent
content types.
Additionally it was discovered that Request Tracker did not perform full rights checks on accesses to file or image type custom fields, possibly allowing access to these custom fields by users without rights to access to the associated objects, resulting in information disclosure.
Furthermore the following vulnerability was addressed in Debian 8.
CVE-2021-38562
Sensitive information could have been revealed by way of a timing attack
on the authentication system.
For Debian 8 jessie, these problems have been fixed in version 4.2.8-3+deb8u4.
For Debian 9 stretch, these problems have been fixed in version 4.4.1-3+deb9u5.
We recommend that you upgrade your request-tracker4 packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
A request-tracker4 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address multiple vulnerabilities.