Bug 459217 (CVE-2008-4313)
Summary: | CVE-2008-4313 tog-pegasus: WBEM services access not restricted to dedicated user after 2.7.0 rebase | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tim Potter <tpot> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | high | Docs Contact: | |||||
Priority: | high | ||||||
Version: | unspecified | CC: | adaora.onyia, doug.chapman, dwa, jlieskov, kreilly, kvolny, rick.hester, rvokal, security-response-team, tao, vcrhonek | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2009-01-09 09:05:15 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 471370, 471371 | ||||||
Bug Blocks: | |||||||
Attachments: |
|
Description
Tim Potter
2008-08-15 02:52:59 UTC
I investigated it and your are right. It looks like mistake when rebasing to 2.7.x branch. As far as I know, local-or-remote-auth patch should be part of upstream code in near future, so I check or fix it. Created attachment 320192 [details]
fixed local-or-remote-patch
Proposed patch (NOT tested yet!)
Not very nice, but it's only provisional solution till this functionality will be part of upstream.
This issue affects all versions of the tog-pegasus package, as shipped with Red Hat Enterprise Linux 5 and within Fedora releases of 9 and 10. This issue does NOT affect the versions of the tog-pegasus package, as shipped with Red Hat Enterprise Linux 4 and within Fedora release of 8. tog-pegasus-2.7.1-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/tog-pegasus-2.7.1-3.fc10 tog-pegasus-2.7.0-7.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/tog-pegasus-2.7.0-7.fc9 This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-1001.html Fedora: https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10061 https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9688 |