Patches for CVE-2011-0009

Xavier Bachelot xavier at bachelot.org
Thu Jan 27 11:31:48 UTC 2011


> On 01/27/2011 12:43 AM, Xavier Bachelot wrote:
>> On 01/26/2011 09:16 PM, Xavier Bachelot wrote:
>>> On 01/26/2011 12:00 AM, Xavier Bachelot wrote:
>>>> Hi,
>>>>
>>>> I've been looking at the issue for both rt 3.6 and 3.8.
>>>> I have a rather full featured patch for 3.8 and I took the Debian
>>>> patch
>>>> for 3.6. However, I'm not happy with 3.6, it's lacking the script to
>>>> fix
>>>> all the passwords. I'll try to come up with something better in the
>>>> next
>>>> few days. Here's my WIP for reference.
>>>>
>>>> Regards,
>>>> Xavier
>>>
>>> Here are the updated patches against master and el5 branches. I only
>>> have an rt 3.6 to test against, so the 3.8 patch is not run time
>>> tested,
>>> but I'm confident.
>>> The only missing bit is a paragraph about the password mass-update
>>> script in the UPGRADING file for 3.6.
>>>
>> Sorry, slightly wrong patches, it was missing the patch to the UPGRADING
>> file. Here is a fixed one for 3.8. I've pushed the 3.6 patch to el5.
>>
>> http://koji.fedoraproject.org/koji/taskinfo?taskID=2744662
>> https://admin.fedoraproject.org/updates/rt3-3.6.10-2.el5
>>
>> Ralf, Mark, I'll let you give 3.8 a test on Rawhide/F14/F13 and EL6,
>> respectively.
>
> Xavier, please don't try to rush it.
>
I'm not trying to rush anything. I'm satisfied with the patches I have, so
I've built the rpms for the OS release I'm running in production. I've
indeed tested it locally. However, I can't test against rawhide, F13, F14
and EL6, because I don't have any RT instance with these releases. I
obviously won't commit anything to these branches and will leave this to
people that can actually test the patches.

> So far, from visual inspection only, I am not necessarily opposed to
> your patch but I like the debian patches more.
>
Imho, the Debian patches are incomplete. They only fix password hashes
upon user login, which is not enough to fix the security issue. You can't
expect to force all users to log in, and all hashes that have not been
updated are still vulnerable to a brute force attack. The only real
solution is to use the vulnerable-passwords script to mass update them.
This script is missing from the Debian patches.
My own patches were created using the commits from the 3.8-salted_password
branch from RT's git repository, which I then adapted to target 3.6.

Regards,
Xavier
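To illustrate the argument above, here is an added example that is not RT's code, Xavier's patch or the Debian patch; the `$wrapmd5$` storage format, the user table layout and the helper names are assumptions. It shows why a one-shot mass upgrade leaves no unsalted digest behind, while an upgrade-on-login scheme leaves every row untouched until that particular user signs in.

```python
import hashlib
import hmac
import os

# Constructed sample rows: user -> unsalted MD5 digest, the legacy layout
# that the upgrade has to migrate away from (hypothetical, not RT's schema).
LEGACY_ROWS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
    "carol": hashlib.md5(b"s3cret!").hexdigest(),
}

def is_legacy(stored):
    # A bare 32-hex-char value is an unsalted MD5 digest, i.e. still vulnerable.
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)

def wrap_legacy(legacy_md5, salt=None):
    # Re-hash the existing digest under a fresh random salt. No plaintext
    # is needed, so this can run over the whole table without any login.
    salt = salt or os.urandom(8)
    inner = hashlib.sha256(salt + bytes.fromhex(legacy_md5)).hexdigest()
    return f"$wrapmd5${salt.hex()}${inner}"

def mass_upgrade(rows):
    # The vulnerable-passwords style pass: every legacy row is upgraded at once.
    return {u: (wrap_legacy(h) if is_legacy(h) else h) for u, h in rows.items()}

def upgrade_on_login(rows, user):
    # The login-only approach: only the row of the user who just logged in
    # is upgraded; everyone else's digest stays unsalted.
    out = dict(rows)
    if is_legacy(out[user]):
        out[user] = wrap_legacy(out[user])
    return out

def verify(stored, password):
    # Accept both layouts so users keep working during and after migration.
    if is_legacy(stored):
        return hmac.compare_digest(stored, hashlib.md5(password.encode()).hexdigest())
    _, scheme, salt_hex, inner = stored.split("$")
    if scheme != "wrapmd5":
        return False
    legacy = hashlib.md5(password.encode()).hexdigest()
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + bytes.fromhex(legacy)).hexdigest()
    return hmac.compare_digest(inner, expected)

def count_vulnerable(rows):
    # Number of rows an offline brute force could still attack as plain MD5.
    return sum(1 for h in rows.values() if is_legacy(h))
```

After a mass upgrade the wrapped rows are still MD5 underneath, so a later login is the point to rehash the plaintext under a proper password scheme; the wrap only removes the unsalted digest from storage immediately.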