CVE-2012-6581

Name	CVE-2012-6581
Description	Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended restrictions on reading keys in the product's keyring, and trigger outbound e-mail messages signed by an arbitrary stored secret key, by leveraging a UI e-mail signing privilege.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References	DSA-2567-1
NVD severity	medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
request-tracker4 (PTS)	wheezy (security), wheezy	4.0.7-5+deb7u4	fixed
	jessie (security), jessie	4.2.8-3+deb8u1	fixed
	stretch, sid	4.2.13-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
request-tracker3.8	source	(unstable)	(unfixed)	medium
request-tracker3.8	source	squeeze	3.8.8-7+squeeze6	medium	DSA-2567-1
request-tracker4	source	(unstable)	4.0.7-2	medium

https://bugzilla.redhat.com/show_bug.cgi?id=870406#c3