thr3ads.net - Secure testing team - [Secure-testing-team] Bug#610850: request-tracker3.8: Weak password hash format in RT database [Jan 2011]

If this information is useful, please help other people find it:
Share via:

Twitter
Facebook
Email

Dominic Hargreaves

2011-Jan-23 11:22 UTC

[Secure-testing-team] Bug#610850: request-tracker3.8: Weak password hash format in RT database

Package: request-tracker3.8
Version: 3.8.8-6
Severity: grave
Tags: security
Justification: user security hole

Quoting from DSA 2150-1:

It was discovered that Request Tracker, an issue tracking system,
stored passwords in its database by using an insufficiently strong
hashing method. If an attacker would have access to the password
database, he could decode the passwords stored in it.

For the stable distribution (lenny), this problem has been fixed in
version 3.6.7-5+lenny5.

The testing distribution (squeeze) will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 3.8.8-7 of the request-tracker3.8 package.

More info at

http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html

Secure testing team - Jan 2011 - Bug#610850: request-tracker3.8: Weak password hash format in RT database

[Secure-testing-team] Bug#610850: request-tracker3.8: Weak password hash format in RT database