On Aug 8, 2014, at 9:37 AM, David A. Cafaro wrote:
On Fri, August 8, 2014 9:32 am, Tomas Hoger wrote:
>
> Are you referring to the CVE description? You usually can't assume
> that if CVE description says that e.g. 1.1.x is affected before 1.1.10
> and 1.2.x is affected before 1.2.5, that all pre-1.1 are unaffected.
> Descriptions are created based on vendor announcements. If 1.0 is no
> longer supported and fixes were only released for supported 1.1 and
> 1.2, you should expect to see this kind of CVE wording; do not assume
> it implies anything about 1.0.
>
> Actually, the CVE bug says:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=828512#c0
>
> It's not specified as to whether 3.6.x is affected (which is what is
> shipped in EPEL5).
>
> So I looked at the CVE references to see if there's more info. I could
> not see the CVE mentioned in linked upstream announcements. This is
> what I believe happened here:
>
> - Upstream released updates with fixes for multiple RCE issues for
> which they used CVE-2011-4458:
>
> http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html
>
> RT versions 3.6.1 and above are vulnerable to a remote execution of code
> vulnerability if the optional VERP configuration options ($VERPPrefix
> and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a
> limited remote execution of code which can be leveraged for privilege
> escalation. RT 4.0.0 and above contain a vulnerability in the global
> $DisallowExecuteCode option, allowing sufficiently privileged users to
> still execute code even if RT was configured to not allow it.
> CVE-2011-4458 is assigned to this set of vulnerabilities.
>
> - Per CVE assignment rules, different flaws must not be merged under
> a single CVE even if they are of the same type, if they do not affect
> the same versions. Hence Mitre did a CVE split:
>
> * Original CVE-2011-4458 for the VERP issue affecting 3.6.1+.
> * CVE-2011-5092 for the "limited RCE" in 3.8.0+.
> * CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+.
>
> So your assumption about CVE-2011-5092 not affecting 3.6 seems correct,
> despite my explanation above. However, there is CVE-2011-4458 that
> affects 3.6 in EPEL-5 and that was never patched there (the last rt3
> build in EPEL-5 is from 2011 and pre-dates the above upstream fixes).
>
> --
> Tomas Hoger / Red Hat Product Security
Agreed, same conclusion I eventually came to as well, though I do believe
a tad more due diligence is required to be sure that the CVE-2011-5092
really doesn't apply to 3.6 if possible.
Cheers,
David
Just as a final wrap up of this one, looked at the relevant patches and read up on the CVE
further, and still conclude that this does not affect the EPEL-5 version as we all guessed.
Cheers,
David
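The thread's actual work is mapping a shipped version (3.6.x in EPEL-5) onto the three CVEs that Mitre split out of the upstream announcement, remembering that CVE-2011-4458 only bites when the optional VERP settings are enabled and that the EPEL-5 build pre-dates the upstream fixes. The following is an added example, not code from the list discussion or from Best Practical; it encodes only the first-affected versions quoted above, treats the installed build as unpatched unless the caller records a backport, and the version strings and the `parse_version`/`applicable` helpers are constructed for this illustration.

```python
"""Check which of the split RT CVEs apply to an installed version.

Constructed example: the first-affected versions come from the upstream
announcement quoted in the thread; no fixed versions are encoded because the
thread states the EPEL-5 build pre-dates the upstream fixes entirely.
"""
from __future__ import annotations

from typing import NamedTuple, Optional


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '3.6.10' or an RPM-style '3.6.10-1.el5' into (3, 6, 10).

    The '-release' suffix is dropped (assumed RPM EVR layout); only the
    upstream dotted part takes part in the comparison.
    """
    core = s.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


class Flaw(NamedTuple):
    cve: str
    introduced: tuple[int, ...]   # first affected upstream version, inclusive
    condition: Optional[str]      # non-default configuration required, or None


# Ranges as stated in the rt-announce text quoted above, after the Mitre split.
FLAWS = [
    Flaw("CVE-2011-4458", (3, 6, 1),
         "optional VERP configuration ($VERPPrefix and $VERPDomain) enabled"),
    Flaw("CVE-2011-5092", (3, 8, 0), None),
    Flaw("CVE-2011-5093", (4, 0, 0), None),
]


def applicable(version: str, patched: frozenset[str] = frozenset()):
    """Return (cve, condition) for every flaw whose first-affected version is
    at or below the installed one and that is not recorded as backported.

    Tuple comparison gives the right answer for the 3.6.0 vs 3.6.1 boundary:
    (3, 6) < (3, 6, 1), so a bare 3.6 is reported as unaffected.
    """
    installed = parse_version(version)
    hits = []
    for flaw in FLAWS:
        if flaw.cve in patched:
            continue            # distro backported the fix for this CVE
        if installed >= flaw.introduced:
            hits.append((flaw.cve, flaw.condition))
    return hits


def report(version: str, patched: frozenset[str] = frozenset()) -> str:
    """Human-readable summary, flagging configuration-dependent flaws."""
    lines = [f"RT {version}:"]
    hits = applicable(version, patched)
    if not hits:
        lines.append("  no listed CVE applies")
    for cve, condition in hits:
        note = f" (only if {condition})" if condition else ""
        lines.append(f"  {cve}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed EPEL-5 style version string; the thread's EPEL-5 build has
    # none of the fixes backported, so nothing is passed as patched.
    print(report("3.6.10-1.el5"))
    print(report("3.8.2"))
    print(report("4.0.5", patched=frozenset({"CVE-2011-4458"})))
```

For the 3.6.x line the output lists CVE-2011-4458 alone, and only as conditional on VERP being enabled, which matches the conclusion reached in the thread: CVE-2011-5092 (3.8.0+) does not reach 3.6.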