[Bug 828512] CVE-2011-5092 rt3: remote arbitrary code execution and privilege elevation flaw
bugzilla at redhat.com
Fri Aug 8 15:24:38 UTC 2014
https://bugzilla.redhat.com/show_bug.cgi?id=828512
--- Comment #3 from Tomas Hoger <thoger at redhat.com> ---
(In reply to Vincent Danen from comment #0)
> It's not specified as to whether 3.6.x is affected (which is what is
> shipped in EPEL5).
This CVE is not mentioned in upstream announcements at all, and is apparently a
split off from CVE-2011-4458 mentioned by upstream:
RT versions 3.6.1 and above are vulnerable to a remote execution of code
vulnerability if the optional VERP configuration options ($VERPPrefix
and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a
limited remote execution of code which can be leveraged for privilege
escalation. RT 4.0.0 and above contain a vulnerability in the global
$DisallowExecuteCode option, allowing sufficiently privileged users to
still execute code even if RT was configured to not allow it.
CVE-2011-4458 is assigned to this set of vulnerabilities.
As CVE-2011-4458 was used for 3 separate issues, each affecting different
versions, it got split by Mitre as:
- CVE-2011-4458 for the VERP issue, affecting 3.6.1+
- CVE-2011-5092 for the limited code execution issue in 3.8.0+
- CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+
Hence this CVE-2011-5092 should not apply to 3.6.x in EPEL-5, but the
CVE-2011-4458 (bug 824082) should, and remains unfixed.
--
More information about the perl-devel mailing list