Hi All,
So apparently my FAS account is not linked to Bugzilla so I have no way to edit bugs to add myself to the Whiteboard or to change status of tickets.
I took a look at Bug 828517
https://bugzilla.redhat.com/show_bug.cgi?id=828517
And from what I can see this was fixed a while ago in version 3.8.12 and it's now at 3.8.13 in the repos.
I recommend closing, but will need someone else to take care of it until I get access figured out.
Cheers, David
On Thu, 7 Aug 2014 21:49:11 -0400 David Cafaro wrote:
> I took a look at Bug 828517
> https://bugzilla.redhat.com/show_bug.cgi?id=828517
> And from what I can see this was fixed a while ago in version 3.8.12 and it's now at 3.8.13 in the repos.
> I recommend closing, but will need someone else to take care of it until I get access figured out.
Closed. Have you looked at and/or been able to check if 3.6 in EPEL-5 is affected and needs a fix (see 828512#c0)?
Based on this:
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
Yes, the version in EPEL-5 (rt3-3.6.11-2) is vulnerable and needs a patch/fix. I looked over the source rpm and the latest patches only address CVE-2011-0009 and it has not been updated since CVE-2011-5092 came out.
Will need an EPEL-5 tracking ticket for this. There aren't official patches for 3.6, but there are patches to address these security issues for 3.8, which will require some backporting. I can start work on getting this taken care of if someone would be so kind as to tag me in the whiteboard.
Thanks, David
On Fri, August 8, 2014 3:54 am, Tomas Hoger wrote:
> On Thu, 7 Aug 2014 21:49:11 -0400 David Cafaro wrote:
> > I took a look at Bug 828517
> > https://bugzilla.redhat.com/show_bug.cgi?id=828517
> > And from what I can see this was fixed a while ago in version 3.8.12 and it's now at 3.8.13 in the repos.
> > I recommend closing, but will need someone else to take care of it until I get access figured out.
> Closed. Have you looked at and/or been able to check if 3.6 in EPEL-5 is affected and needs a fix (see 828512#c0)?
> -- Tomas Hoger / Red Hat Product Security
On Fri, Aug 08, 2014 at 08:55:41AM -0400, David A. Cafaro wrote:
Please don't top post.
> Based on this:
> http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
> Yes, the version in EPEL-5 (rt3-3.6.11-2) is vulnerable and needs a patch/fix. I looked over the source rpm and the latest patches only address CVE-2011-0009 and it has not been updated since CVE-2011-5092 came out.
Interesting that MITRE explicitly says 3.8.x and does not include the 3.6.x versions. From the announcement you pointed to it looks like >= 3.6.1 is only vulnerable if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. Can someone take a look at the SPEC and see if this is the case?
-- Eric
--------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks@fedoraproject.org - sparks@redhat.com
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
--------------------------------------------------
On Fri, August 8, 2014 9:01 am, Eric H. Christensen wrote:
> On Fri, Aug 08, 2014 at 08:55:41AM -0400, David A. Cafaro wrote:
> Please don't top post.
> > Based on this:
> > http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
> > Yes, the version in EPEL-5 (rt3-3.6.11-2) is vulnerable and needs a patch/fix. I looked over the source rpm and the latest patches only address CVE-2011-0009 and it has not been updated since CVE-2011-5092 came out.
> Interesting that MITRE explicitly says 3.8.x and does not include the 3.6.x versions. From the announcement you pointed to it looks like >= 3.6.1 is only vulnerable if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. Can someone take a look at the SPEC and see if this is the case?
> -- Eric
Well the mitre CVE is actually kinda vague and broad. It doesn't address a single vulnerability, it just addresses a vendor's update with security fixes. So that CVE might cover multiple vulnerabilities. You have to kinda dig deep into the meaning of the includes/excludes they mention and the links provided.
If we take it as a whole, the EL5 version may not technically be part of that CVE-2011-5092 as when you filter it all down the BestPractical post seems to exclude the one remote vulnerability alluded to (via excludes) in mitre's CVE from the 3.6 branch. Still would require some patch comparisons and/or comms with upstream to confirm.
Regarding the VERP issue: that's under http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4458 (mentioned in CVE-2011-5092) and does need to be addressed, but I didn't find a ticket for EL5 for that. Best I found was this:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4458
Cheers, David
PS. Sorry for the top posting, adjustment made.
On Fri, Aug 08, 2014 at 09:54:30AM +0200, Tomas Hoger wrote:
> On Thu, 7 Aug 2014 21:49:11 -0400 David Cafaro wrote:
> > I took a look at Bug 828517
> > https://bugzilla.redhat.com/show_bug.cgi?id=828517
> > And from what I can see this was fixed a while ago in version 3.8.12 and it's now at 3.8.13 in the repos.
> > I recommend closing, but will need someone else to take care of it until I get access figured out.
> Closed. Have you looked at and/or been able to check if 3.6 in EPEL-5 is affected and needs a fix (see 828512#c0)?
I just checked EPEL-5[0] and see that the version of rt3 there is 3.6.11. According to the CVE tracker this CVE only affects versions 3.8.x < 3.8.12 and 4.x < 4.0.6 so it looks like EPEL-5 is okay.
[0] https://dl.fedoraproject.org/pub/epel/5/x86_64/repoview/rt3.html
-- Eric
On Fri, 8 Aug 2014 08:56:54 -0400 Eric H. Christensen wrote:
> > Closed. Have you looked at and/or been able to check if 3.6 in EPEL-5 is affected and needs a fix (see 828512#c0)?
> I just checked EPEL-5[0] and see that the version of rt3 there is 3.6.11. According to the CVE tracker this CVE only affects versions 3.8.x < 3.8.12 and 4.x < 4.0.6 so it looks like EPEL-5 is okay.
Are you referring to the CVE description? You usually can't assume that if a CVE description says that e.g. 1.1.x is affected before 1.1.10 and 1.2.x is affected before 1.2.5, all pre-1.1 versions are unaffected. Descriptions are created based on vendor announcements. If 1.0 is no longer supported and fixes were only released for the supported 1.1 and 1.2, you should expect to see this kind of CVE wording, and should not assume it implies anything about 1.0.
Actually, the CVE bug says:
https://bugzilla.redhat.com/show_bug.cgi?id=828512#c0
It's not specified as to whether 3.6.x is affected (which is what is shipped in EPEL5).
So I looked at the CVE references to see if there's more info. I could not see the CVE mentioned in linked upstream announcements. This is what I believe happened here:
- Upstream released updates with fixes for multiple RCE issues for which they used CVE-2011-4458:
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.
- Per CVE assignment rules, different flaws must not be merged under a single CVE even if they are of the same type, if they do not affect the same versions. Hence Mitre did a CVE split:
  * Original CVE-2011-4458 for the VERP issue affecting 3.6.1+.
  * CVE-2011-5092 for the "limited RCE" in 3.8.0+.
  * CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+.
So your assumption about CVE-2011-5092 not affecting 3.6 seems correct, despite my explanation above. However, there is CVE-2011-4458 that affects 3.6 in EPEL-5 and that was never patched there (the last rt3 build in EPEL-5 is from 2011 and pre-dates the above upstream fixes).
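Eric's question about whether the optional VERP options are enabled, and the CVE split Tomas lays out above, combined into one small triage helper. This is example code added here, not anything from the thread, from RT or from the EPEL package; it assumes RT's Perl `Set($Name, value);` config syntax, a constructed RT_SiteConfig.pm fragment, and, following the announcement the thread cites, that 3.8.12 and 4.0.6 are the releases carrying the fixes while 3.6 never got one.

```python
import re
# Constructed RT_SiteConfig.pm fragment for the demo (not from any real host).
SAMPLE_CONFIG = """\
Set($rtname, 'example.com');
# Set($VERPPrefix, 'rt-');          # commented-out default, must not count
Set($VERPPrefix, 'rt-');
Set($VERPDomain, "tickets.example.com");
Set($DisallowExecuteCode, 1);
1;
"""
# Matches RT's Perl config syntax: Set($Name, value);
SET_RE = re.compile(r"^\s*Set\(\s*\$(\w+)\s*,\s*(.*?)\s*\)\s*;")

def parse_rt_config(text):
    """Return {name: raw value} for uncommented Set() lines; a later line wins."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def _is_set(raw):
    """Treat a missing, undef, empty or zero value as 'not enabled'."""
    return raw is not None and raw.strip() not in ("undef", "''", '""', "0")

def verp_enabled(settings):
    """Both optional VERP options must be set, per the upstream announcement."""
    return _is_set(settings.get("VERPPrefix")) and _is_set(settings.get("VERPDomain"))

def fix_shipped(v):
    # Assumption taken from the announcement the thread cites: 3.8.12 and 4.0.6
    # carry the fixes; the 3.6 branch never received one.
    return (3, 8, 12) <= v < (4, 0, 0) or v >= (4, 0, 6)

def applicable_cves(version, settings):
    """Apply Mitre's split of CVE-2011-4458 to an RT version plus its config."""
    v = tuple(int(x) for x in version.split("."))
    if fix_shipped(v):
        return []
    cves = []
    if v >= (3, 6, 1) and verp_enabled(settings):
        cves.append("CVE-2011-4458")  # VERP RCE, 3.6.1+ only when VERP is on
    if v >= (3, 8, 0):
        cves.append("CVE-2011-5092")  # "limited RCE", 3.8.0+
    if v >= (4, 0, 0):
        cves.append("CVE-2011-5093")  # $DisallowExecuteCode bypass, 4.0.0+
    return cves
```

For the EPEL-5 rt3-3.6.11 case this returns only CVE-2011-4458, and only when the deployed config actually sets both VERP options.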
On Fri, August 8, 2014 9:32 am, Tomas Hoger wrote:
> Are you referring to the CVE description? You usually can't assume that if a CVE description says that e.g. 1.1.x is affected before 1.1.10 and 1.2.x is affected before 1.2.5, all pre-1.1 versions are unaffected. Descriptions are created based on vendor announcements. If 1.0 is no longer supported and fixes were only released for the supported 1.1 and 1.2, you should expect to see this kind of CVE wording, and should not assume it implies anything about 1.0.
> Actually, the CVE bug says:
> https://bugzilla.redhat.com/show_bug.cgi?id=828512#c0
> It's not specified as to whether 3.6.x is affected (which is what is shipped in EPEL5).
> So I looked at the CVE references to see if there's more info. I could not see the CVE mentioned in linked upstream announcements. This is what I believe happened here:
> - Upstream released updates with fixes for multiple RCE issues for which they used CVE-2011-4458:
> http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
> RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.
> - Per CVE assignment rules, different flaws must not be merged under a single CVE even if they are of the same type, if they do not affect the same versions. Hence Mitre did a CVE split:
>   - Original CVE-2011-4458 for the VERP issue affecting 3.6.1+.
>   - CVE-2011-5092 for the "limited RCE" in 3.8.0+.
>   - CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+.
> So your assumption about CVE-2011-5092 not affecting 3.6 seems correct, despite my explanation above. However, there is CVE-2011-4458 that affects 3.6 in EPEL-5 and that was never patched there (the last rt3 build in EPEL-5 is from 2011 and pre-dates the above upstream fixes).
> -- Tomas Hoger / Red Hat Product Security
Agreed, same conclusion I eventually came to as well, though I do believe a tad more due diligence is required to be sure that the CVE-2011-5092 really doesn't apply to 3.6 if possible.
Cheers, David
On Aug 8, 2014, at 9:37 AM, David A. Cafaro wrote:
> On Fri, August 8, 2014 9:32 am, Tomas Hoger wrote:
> > Are you referring to the CVE description? You usually can't assume that if a CVE description says that e.g. 1.1.x is affected before 1.1.10 and 1.2.x is affected before 1.2.5, all pre-1.1 versions are unaffected. Descriptions are created based on vendor announcements. If 1.0 is no longer supported and fixes were only released for the supported 1.1 and 1.2, you should expect to see this kind of CVE wording, and should not assume it implies anything about 1.0.
> > Actually, the CVE bug says:
> > https://bugzilla.redhat.com/show_bug.cgi?id=828512#c0
> > It's not specified as to whether 3.6.x is affected (which is what is shipped in EPEL5).
> > So I looked at the CVE references to see if there's more info. I could not see the CVE mentioned in linked upstream announcements. This is what I believe happened here:
> > - Upstream released updates with fixes for multiple RCE issues for which they used CVE-2011-4458:
> > http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
> > RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.
> > - Per CVE assignment rules, different flaws must not be merged under a single CVE even if they are of the same type, if they do not affect the same versions. Hence Mitre did a CVE split:
> >   - Original CVE-2011-4458 for the VERP issue affecting 3.6.1+.
> >   - CVE-2011-5092 for the "limited RCE" in 3.8.0+.
> >   - CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+.
> > So your assumption about CVE-2011-5092 not affecting 3.6 seems correct, despite my explanation above. However, there is CVE-2011-4458 that affects 3.6 in EPEL-5 and that was never patched there (the last rt3 build in EPEL-5 is from 2011 and pre-dates the above upstream fixes).
> > -- Tomas Hoger / Red Hat Product Security
> Agreed, same conclusion I eventually came to as well, though I do believe a tad more due diligence is required to be sure that the CVE-2011-5092 really doesn't apply to 3.6 if possible.
> Cheers, David
Just as a final wrap up of this one, I looked at the relevant patches and read up on the CVE further, and still conclude that this does not affect the EPEL-5 version as we all guessed.
Cheers, David