Bug 481165

Summary: Update rt3 to 3.6.7
Product: [Fedora] Fedora EPEL
Reporter: Xavier Bachelot <xavier>
Component: rt3
Assignee: Xavier Bachelot <xavier>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: el5
CC: mmahut, perl-devel, rc040203, xavier
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-02-16 17:21:41 UTC
Bug Depends On: 481163

Description Xavier Bachelot 2009-01-22 15:13:53 UTC
rt3 <= 3.6.6 is vulnerable to a DoS attack through the perl-Devel-StackTrace < 1.19 vector. Both this and rt 3.6.7 are needed to fully fix the security issue.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3502 and http://lists.bestpractical.com/pipermail/rt-announce/2008-June/000158.html for details.

Comment 1 Ralf Corsepius 2009-01-22 16:03:13 UTC
If I understand correctly, the vulnerability is in perl-Devel-StackTrace.

Fedora 9-11 already come with Devel-StackTrace-1.20
=> should not be affected by this vulnerability.

Fedora 10 and 11's rt3 currently is at 3.8.x => should also not be affected.

Leaves Fedora 9's rt3, which is at 3.6.6. Upgrading FC9's rt3 to rt-3.8.x is hardly possible due to rt once again having changed its database format and because there is no known way to automatically reformat the database from inside of rpm.

Whether upgrading it to 3.6.7 is possible needs to be analyzed. I'd rather avoid doing so.

Comment 2 Xavier Bachelot 2009-01-22 16:16:01 UTC
(In reply to comment #1)
> If I understand correctly, the vulnerability is in perl-Devel-StackTrace.
> 
> Fedora 9-11 already come with Devel-StackTrace-1.20
> => should not be affected by this vulnerability.

The vulnerability is in Devel::StackTrace, the bells and whistles are in rt3 3.6.7.

> 
> Fedora 10 and 11's rt3 currently is at 3.8.x => should also not be affected.
>
That's why I filed a bug against rt3 F9 too.
 
> Leaves Fedora 9's rt3, which is at 3.6.6. Upgrading FC9's rt3 to rt-3.8.x is
> hardly possible due to rt once again changed having its database format and
> because there is no known way to automatically reformat the database from
> inside of rpm.
> 
Yes, upgrading between major rt3 releases is not possible, at least not automagically, so there is no way to do that in a stable release.

> Whether upgrading it to 3.6.7 is possible, needs to be analyzed. I'd rather
> avoid doing so.

There's no database change nor any caveat mentioned in the changelog and we've successfully done some basic update tests. We've yet to try with a production database though.

Comment 3 Xavier Bachelot 2009-02-16 17:21:41 UTC
Pushed to EPEL stable, as well as a fixed perl-Devel-StackTrace.