On Fri, Aug 08, 2014 at 08:55:41AM -0400, David A. Cafaro wrote:
Please don't top post.
Based on this:
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
Yes, the version in EPEL-5 (rt3-3.6.11-2) is vulnerable and needs a
patch/fix. I looked over the source rpm and the latest patches only
address CVE-2011-0009 and it has not been updated since CVE-2011-5092 came
out.
Interesting that MITRE explicitly says 3.8.x and does not include the 3.6.x versions.
From the announcement you pointed to it looks like >= 3.6.1 is only vulnerable if the
optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. Can
someone take a look at the SPEC and see if this is the case?
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks(a)fedoraproject.org - sparks(a)redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------