ELA-996-1 request-tracker4 security update

multiple vulnerabilities

2023-11-02
Package: request-tracker4
Version: 4.4.1-3+deb9u6 (stretch)
Related CVEs: CVE-2023-41259, CVE-2023-41260


Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.

CVE-2023-41259

Tom Wolters reported that Request Tracker is vulnerable to accepting
unvalidated RT email headers in incoming email and the mail-gateway REST
interface.

CVE-2023-41260

Tom Wolters reported that Request Tracker is vulnerable to information
leakage via the response messages returned for requests sent through the
mail-gateway REST interface.

Even though these issues have been fixed, it is strongly recommended to ensure that .../REST/1.0/NoAuth is only reachable from the host(s) that run rt-mailgate to submit email to RT. This is usually the same system on which request-tracker4 itself is installed. The sample configurations shipped by these packages for Apache2 and Nginx restrict access to this path to localhost only.
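The following Nginx fragment is an added illustration of that restriction; it is not the sample configuration shipped with the request-tracker4 package. It assumes RT is mounted at the prefix /rt and served by a FastCGI backend on 127.0.0.1:9000; the server name and backend address are placeholders. The first location block shows the weak form in which the unauthenticated endpoint inherits the site-wide access policy, the second shows the corrected form.

```nginx
# Added example, not the request-tracker4 package's own config.
# Assumed deployment: RT at /rt, FastCGI backend at 127.0.0.1:9000.
server {
    listen 443 ssl;
    server_name rt.example.com;   # placeholder

    # WEAK: the NoAuth mail-gateway endpoint is reachable by every client
    # that can reach /rt, because nothing distinguishes it from the rest
    # of the site.
    #
    # location /rt {
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_NAME /rt;
    #     fastcgi_pass 127.0.0.1:9000;
    # }

    # CORRECTED: give the NoAuth path its own location and restrict it to the
    # loopback addresses, i.e. to the host running rt-mailgate. The "^~"
    # modifier makes this prefix match take precedence over any regex
    # location, so a later rule cannot silently shadow it. allow/deny are
    # evaluated in order and the first match wins, so "deny all" must come last.
    location ^~ /rt/REST/1.0/NoAuth {
        allow 127.0.0.1;
        allow ::1;
        deny  all;

        include fastcgi_params;
        fastcgi_param SCRIPT_NAME /rt;
        fastcgi_pass  127.0.0.1:9000;
    }

    # Everything else under /rt keeps the normal (authenticated) policy.
    location /rt {
        include fastcgi_params;
        fastcgi_param SCRIPT_NAME /rt;
        fastcgi_pass  127.0.0.1:9000;
    }
}
```

Two caveats when applying this. First, if a TLS-terminating reverse proxy or load balancer runs on the same host and forwards to Nginx over loopback, every request arrives from 127.0.0.1 and the restriction is void; in that case the check has to be made on the outermost proxy instead. Second, verify the result from a non-loopback address (for example `curl -i https://rt.example.com/rt/REST/1.0/NoAuth/mail-gateway` from another machine should return 403) rather than trusting the configuration by inspection.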



For Debian 9 stretch, these problems have been fixed in version 4.4.1-3+deb9u6.

We recommend that you upgrade your request-tracker4 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.