On Fri, 8 Aug 2014 08:56:54 -0400 Eric H. Christensen wrote:
> Closed. Have you looked at and/or been able to check if 3.6 in
> EPEL-5 is affected and needs fix (see 828512#c0)?
> I just checked EPEL-5[0] and see that the version of rt3 there is
> 3.6.11. According to the CVE tracker this CVE only affects versions
> 3.8.x < 3.8.12 and 4.x < 4.0.6 so it looks like EPEL-5 is okay.
Are you referring to the CVE description? You usually can't assume
that if CVE description says that e.g. 1.1.x is affected before 1.1.10
and 1.2.x is affected before 1.2.5, that all pre-1.1 are unaffected.
Descriptions are created based on vendor announcements. If 1.0 is no
longer supported and fixes were only released for supported 1.1 and
1.2, you should expect to see this kind of CVE wording, and you should
not assume it implies anything about 1.0.
> Actually, the CVE bug says:
> https://bugzilla.redhat.com/show_bug.cgi?id=828512#c0
> It's not specified as to whether 3.6.x is affected (which is what is
> shipped in EPEL5).
So I looked at the CVE references to see if there's more info. I could
not see the CVE mentioned in linked upstream announcements. This is
what I believe happened here:
- Upstream released updates with fixes for multiple RCE issues for
which they used CVE-2011-4458:
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
RT versions 3.6.1 and above are vulnerable to a remote execution of code
vulnerability if the optional VERP configuration options ($VERPPrefix
and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a
limited remote execution of code which can be leveraged for privilege
escalation. RT 4.0.0 and above contain a vulnerability in the global
$DisallowExecuteCode option, allowing sufficiently privileged users to
still execute code even if RT was configured to not allow it.
CVE-2011-4458 is assigned to this set of vulnerabilities.
- Per CVE assignment rules, different flaws must not be merged under a
single CVE, even if they are of the same type, if they do not affect the
same versions. Hence Mitre did a CVE split:
* Original CVE-2011-4458 for the VERP issue affecting 3.6.1+.
* CVE-2011-5092 for the "limited RCE" in 3.8.0+.
* CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+.
So your assumption about CVE-2011-5092 not affecting 3.6 seems correct,
despite my explanation above. However, there is CVE-2011-4458 that
affects 3.6 in EPEL-5 and that was never patched there (the last rt3
build in EPEL-5 is from 2011 and pre-dates the above upstream fixes).
--
Tomas Hoger / Red Hat Product Security
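The version-range reasoning in this thread, as an added example that is not part of the original mail: a small checker that reports a release as "not assessed" when no CVE statement covers its branch, instead of treating silence as "unaffected". The three CVEs and their affected ranges are the split described above; the 3.8.12 / 4.0.6 fix releases are the upstream May 2012 updates the thread links, and the `Statement`/`classify` names are my own.

```python
from typing import NamedTuple, Optional

Version = tuple  # tuple of ints, e.g. (3, 6, 11)

def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))

class Statement(NamedTuple):
    branch: Version              # version prefix the statement talks about
    affected_from: Version       # first affected release (inclusive)
    fixed_in: Optional[Version]  # first fixed release, None if none is named

# The three CVEs from the split, as described in the thread. Fix releases
# are the upstream 3.8.12 / 4.0.6 updates it links; no 3.6 fix is named.
RT_CVES = {
    "CVE-2011-4458": [  # VERP RCE, "3.6.1 and above"
        Statement((3, 6), (3, 6, 1), None),
        Statement((3, 8), (3, 8, 0), (3, 8, 12)),
        Statement((4,), (4, 0, 0), (4, 0, 6)),
    ],
    "CVE-2011-5092": [  # limited RCE, "3.8.0 and higher"
        Statement((3, 8), (3, 8, 0), (3, 8, 12)),
        Statement((4,), (4, 0, 0), (4, 0, 6)),
    ],
    "CVE-2011-5093": [  # $DisallowExecuteCode bypass, "4.0.0 and above"
        Statement((4,), (4, 0, 0), (4, 0, 6)),
    ],
}

def classify(statements, version: str) -> str:
    v = parse_version(version)
    # Only statements whose branch prefix matches this version say anything.
    applicable = [s for s in statements if v[:len(s.branch)] == s.branch]
    if not applicable:
        return "not assessed"  # silence in the CVE text is not "unaffected"
    for s in applicable:
        if s.fixed_in is not None and v >= s.fixed_in:
            return "fixed"
        if v >= s.affected_from:
            return "affected" if s.fixed_in else "affected, no fix named"
    return "unaffected"  # covered branch, but below the first affected release

def assess(version: str) -> dict:
    """Status of one RT release against every CVE in RT_CVES."""
    return {cve: classify(stmts, version) for cve, stmts in RT_CVES.items()}

if __name__ == "__main__":
    for ver in ("3.6.11", "3.8.11", "4.0.6"):
        print(ver, assess(ver))
```

For the EPEL-5 build (3.6.11) this yields "affected, no fix named" for CVE-2011-4458 and "not assessed" for the other two, which is the distinction the thread draws.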