Based on this:
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
Yes, the version in EPEL-5 (rt3-3.6.11-2) is vulnerable and needs a
patch/fix. I looked over the source rpm and the latest patches only
address CVE-2011-0009 and it has not been updated since CVE-2011-5092 came
out.
Will need an EPEL-5 tracking ticket for this. There aren't official
patches for 3.6, but there are patches to address these security issues
for 3.8; it will require some backporting, if I can start work on getting
this taken care of (if someone would be so kind as to tag me in the
whiteboard).
Thanks,
David
On Fri, August 8, 2014 3:54 am, Tomas Hoger wrote:
On Thu, 7 Aug 2014 21:49:11 -0400 David Cafaro wrote:
> I took a look at Bug 828517
>
> https://bugzilla.redhat.com/show_bug.cgi?id=828517
>
> And from what I can see this was fixed a while ago in version 3.8.12
> and it's now at 3.8.13 in the repos.
>
> I recommend closing, but will need someone else to take care of it
> until I get access figured out.
Closed. Have you looked at and/or been able to check if 3.6 in EPEL-5
is affected and needs a fix (see 828512#c0)?
--
Tomas Hoger / Red Hat Product Security