ELA-996-1 request-tracker4 security update
Package : request-tracker4
Version : 4.4.1-3+deb9u6 (stretch)
Related CVEs :
CVE-2023-41259
CVE-2023-41260
Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.
CVE-2023-41259
Tom Wolters reported that Request Tracker is vulnerable to accepting
unvalidated RT email headers in incoming email and the mail-gateway REST
interface.
CVE-2023-41260
Tom Wolters reported that Request Tracker is vulnerable to information
leakage via response messages returned from requests sent via the
mail-gateway REST interface
Even if these issues have been fixed, it is strongly recommended to ensure
that .../REST/1.0/NoAuth is only accessible for host(s) that run rt-mailgate
for submitting email to RT. This is often the system which has
request-tracker4 installed. The sample configurations supplied by these
packages for Apache2 and Nginx restrict access to localhost only.
A request-tracker4 security update has been released for Debian GNU/Linux 9 Extended LTS to address multiple vulnerabilities.