It was discovered that users with a valid agent login could use crafted URLs to bypass access control restrictions and read tickets to which they should not have access. The oldstable distribution is not affected by this problem.