Executive Summary

Summary
Title request-tracker3.6 security update
Informations
Name DSA-2150 First vendor Publication 2011-01-22
Vendor Debian Last vendor Modification 2011-01-22
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

It was discovered that Request Tracker, an issue tracking system, stored passwords in its database by using an insufficiently strong hashing method. If an attacker would have access to the password database, he could decode the passwords stored in it.

For the stable distribution (lenny), this problem has been fixed in version 3.6.7-5+lenny5.

The testing distribution (squeeze) will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 3.8.8-7 of the request-tracker3.8 package.

We recommend that you upgrade your Request Tracker packages.

Original Source

Url : http://www.debian.org/security/2011/dsa-2150

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12633
 
Oval ID: oval:org.mitre.oval:def:12633
Title: DSA-2150-1 request-tracker3.6 -- unsalted password hashing
Description: It was discovered that Request Tracker, an issue tracking system, stored passwords in its database by using an insufficiently strong hashing method. If an attacker would have access to the password database, he could decode the passwords stored in it.
Family: unix Class: patch
Reference(s): DSA-2150-1
CVE-2011-0009
 Version: 5
Platform(s): Debian GNU/Linux 5.0
 Product(s): request-tracker3.6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18079
 
Oval ID: oval:org.mitre.oval:def:18079
Title: DSA-2480-4 request-tracker3.8 - regression
Description: Several vulnerabilities were discovered in Request Tracker, an issue tracking system:
Family: unix Class: patch
Reference(s): DSA-2480-4
CVE-2011-2082
CVE-2011-2083
CVE-2011-2084
CVE-2011-2085
CVE-2011-4458
CVE-2011-4459
CVE-2011-4460
CVE-2011-0009
 Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
 Product(s): request-tracker3.8
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18606
 
Oval ID: oval:org.mitre.oval:def:18606
Title: DSA-2480-2 request-tracker3.8 - regression
Description: Several vulnerabilities were discovered in Request Tracker, an issue tracking system:
Family: unix Class: patch
Reference(s): DSA-2480-2
CVE-2011-2082
CVE-2011-2083
CVE-2011-2084
CVE-2011-2085
CVE-2011-4458
CVE-2011-4459
CVE-2011-4460
CVE-2011-0009
 Version: 7
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
 Product(s): request-tracker3.8
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19217
 
Oval ID: oval:org.mitre.oval:def:19217
Title: DSA-2480-1 request-tracker3.8 - several
Description: Several vulnerabilities were discovered in Request Tracker, an issue tracking system.
Family: unix Class: patch
Reference(s): DSA-2480-1
CVE-2011-2082
CVE-2011-2083
CVE-2011-2084
CVE-2011-2085
CVE-2011-4458
CVE-2011-4459
CVE-2011-4460
CVE-2011-0009
 Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
 Product(s): request-tracker3.8
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19743
 
Oval ID: oval:org.mitre.oval:def:19743
Title: DSA-2480-3 request-tracker3.8 - regression
Description: Several vulnerabilities were discovered in Request Tracker, an issue tracking system.
Family: unix Class: patch
Reference(s): DSA-2480-3
CVE-2011-2082
CVE-2011-2083
CVE-2011-2084
CVE-2011-2085
CVE-2011-4458
CVE-2011-4459
CVE-2011-4460
CVE-2011-0009
 Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
 Product(s): request-tracker3.8
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 185

OpenVAS Exploits

Date Description
2012-05-31 Name : Debian Security Advisory DSA 2480-1 (request-tracker3.8)
File : nvt/deb_2480_1.nasl
2012-05-31 Name : FreeBSD Ports: rt40
File : nvt/freebsd_rt40.nasl
2011-03-07 Name : Debian Security Advisory DSA 2150-1 (request-tracker3.6)
File : nvt/deb_2150_1.nasl
2011-01-24 Name : Request Tracker Password Information Disclosure Vulnerability
File : nvt/gb_rt_45959.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
70661 RT MD5 Password Hash Storage Brute-force Weakness

Best Practical Solutions RT contains a flaw related to the MD5 algorithm for password hashes. This may allow disclose cleartext passwords to a context-dependent attacker via a brute-force attack.

Nessus® Vulnerability Scanner

Date Description
2012-06-29 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2480.nasl - Type : ACT_GATHER_INFO
2012-05-29 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_e0a969e4a51211e190b4e0cb4e266481.nasl - Type : ACT_GATHER_INFO
2011-03-03 Name : The remote Fedora host is missing a security update.
File : fedora_2011-1677.nasl - Type : ACT_GATHER_INFO
2011-01-25 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2150.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:29:49
  • Multiple Updates