672250 – (CVE-2011-0009) CVE-2011-0009 RT3: Insecure hashing algorithm used for storage of user passwords

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 672250 (CVE-2011-0009) - CVE-2011-0009 RT3: Insecure hashing algorithm used for storage of user passwords

Summary: CVE-2011-0009 RT3: Insecure hashing algorithm used for storage of user passwords

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2011-0009
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	672257 680217
Blocks:
TreeView+	depends on / blocked

Reported:	2011-01-24 15:35 UTC by Jan Lieskovsky
Modified:	2019-09-29 12:42 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-10-05 20:51:16 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2011-01-24 15:35:48 UTC

It was found that Request Tracker, a ticket tracking and management
system, stored user passwords in its database by using insufficiently
secure hashing algorithm. A local attacker, able to gain read access
to the RT's database could use this flaw to conduct brute force
password guessing attacks, potentially leading to disclosure of
users' passwords.

References:
[1] http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610850
[3] http://www.debian.org/security/2011/dsa-2150

RT Development Snapshots archive URL:
[4] http://download.bestpractical.com/pub/rt/devel/

Comment 1 Jan Lieskovsky 2011-01-24 15:41:54 UTC

This issue affects the versions of the rt3 package, as shipped
with Fedora release of 13 and 14.

--

This issue affects the versions of the rt3 package, as present
within EPEL-5 and EPEL-6 repositories.

Please schedule an upgrade to latest release candidates [1], [4].

Comment 2 Jan Lieskovsky 2011-01-24 15:43:14 UTC

Created rt3 tracking bugs for this issue

Affects: fedora-all [bug 672257]

Comment 3 Vincent Danen 2011-02-24 17:13:37 UTC

This has been fixed in upstream version 3.8.9:

http://lists.bestpractical.com/pipermail/rt-announce/2011-February/000186.html

Comment 4 Vincent Danen 2011-02-24 17:23:53 UTC

Created rt3 tracking bugs for this issue

Affects: fedora-all [bug 672257]
Affects: epel-6 [bug 680217]

Comment 5 Ralf Corsepius 2011-02-24 17:29:38 UTC

(In reply to comment #3)
> This has been fixed in upstream version 3.8.9:


Correct me if I'm wrong, but aren't 3.8.9 (mysql-) databases incompatible to 3.8.8's (Fedora 14) rsp. 3.8.7 (Fedora 13)? Fedora 15 and rawhide carry 3.8.9.


Or let me ask differently: Is it possible to upgrade from 3.8.7 rsp. 3.8.8
to 3.8.9 without manually reformating the databases?

As I read rt-3.8.9/UPGRADING, 
* upgrading 3.8.8->3.8.9 without reformating the databases is possible, 
while
* upgrading 3.8.7->3.8.9 without reformating the databases is not possible (Due to changes between 3.8.7 and 3.8.8).

Comment 6 Vincent Danen 2011-02-24 17:47:07 UTC

I don't use rt3 so I'm honestly not sure.   It looks like there are some manual steps that need to be taken for both upgrades, but I'm not sure about "reformatting the database" (I'm also unsure what that means).

Looking at the UPGRADING-3.8 file (https://github.com/bestpractical/rt/blob/master/docs/UPGRADING-3.8) it does seem that there needs to be some changes done to fix the vulnerable password hashes.

I suspect you need to log into the database, so I'm not sure if you can run the password fixing script in %post automatically; you may need to alert users that the changes to the db need to be done manually (although I don't know if it's _mandatory_ in order to run; it's possible the new version will run with the old hashes but simply will be as insecure as the old versions until the user upgrades -- that would require some testing I suspect or asking upstream).  I would think that the code changes are to make use of the new hashes, not necessarily reject the old ones (but again, I don't use rt3 so have no idea).

Comment 7 Fedora Update System 2011-10-27 19:06:01 UTC

rt3-3.6.11-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.