Debian 10261 Published by

A request-tracker4 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address multiple vulnerabilities.



ELA-647-1 request-tracker4 security update

Package request-tracker4
Version 4.2.8-3+deb8u4 (jessie), 4.4.1-3+deb9u5 (stretch)
Related CVEs CVE-2021-38562 CVE-2022-25802

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.

CVE-2022-25802

It was discovered that Request Tracker is vulnerable to a cross-site
scripting (XSS) attack when displaying attachment content with fraudulent
content types.
Additionally it was discovered that Request Tracker did not perform full rights checks on accesses to file or image type custom fields, possibly allowing access to these custom fields by users without rights to access to the associated objects, resulting in information disclosure.

Furthermore the following vulnerability was addressed in Debian 8.

CVE-2021-38562

Sensitive information could have been revealed by way of a timing attack
on the authentication system.
For Debian 8 jessie, these problems have been fixed in version 4.2.8-3+deb8u4.

For Debian 9 stretch, these problems have been fixed in version 4.4.1-3+deb9u5.

We recommend that you upgrade your request-tracker4 packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-647-1 request-tracker4 security update