Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1009786: request-tracker4: CVE-2021-38562 username enumeration via timing side-channel attack
795 views
Skip to first unread message
Dominic Hargreaves
Apr 17, 2022, 3:40:04 PM4/17/22
to
Source: request-tracker
Version: 4.4.4+dfsg-3
Severity: important
Per https://docs.bestpractical.com/release-notes/rt/4.4.5:
Security
* In previous versions, RT's native login system is vulnerable to user enumeration
through a timing side-channel attack. This means an external entity could try to
find valid usernames by attempting logins and comparing the time to evaluate each
login attempt for valid and invalid usernames. This vulnerability does not allow any
access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
in this release.
Version: 4.4.4+dfsg-3
Severity: important
Per https://docs.bestpractical.com/release-notes/rt/4.4.5:
Security
* In previous versions, RT's native login system is vulnerable to user enumeration
through a timing side-channel attack. This means an external entity could try to
find valid usernames by attempting logins and comparing the time to evaluate each
login attempt for valid and invalid usernames. This vulnerability does not allow any
access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
in this release.
0 new messages