A security flaw was found in the way the RT3 ticketing system handled logging of SQL queries during performing of user account transition. A remote, authenticated RT3 user could use this flaw to obtain sensitive information. References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=614576 [2] http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html Upstream changeset (needs confirmation from upstream if it's real fix for the issue yet): [3] https://github.com/bestpractical/rt/commit/56e20b874e8d67ab93aa80c2c00155110a27e764
CVE Request: [4] http://www.openwall.com/lists/oss-security/2011/02/22/6
This was assigned CVE-2011-1008: http://www.openwall.com/lists/oss-security/2011/02/22/12 Upstream indicated that the above changeset is not the fix, but this one is: https://github.com/bestpractical/rt/commit/2338cd19ed7a7f4c1e94f639ab2789d6586d01f3 This is fixed in upstream version 3.8.9.
Created rt3 tracking bugs for this issue Affects: fedora-all [bug 680218] Affects: epel-6 [bug 680217]
rt3-3.6.11-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.