Bug 506885

Summary: rt3: privilege to edit 'RT at a Glance' unintentionally granted by "ShowConfigTab" right
Product: [Fedora] Fedora
Reporter: Ralf Corsepius <rc040203>
Component: rt3
Assignee: Ralf Corsepius <rc040203>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 10
CC: mmahut, rc040203, xavier
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: 3.8.2-8.fc10
Doc Type: Bug Fix
Clone Of: 506236
Last Closed: 2009-06-24 19:29:46 UTC
Bug Depends On: 506236

Description Ralf Corsepius 2009-06-19 06:33:10 UTC
+++ This bug was initially created as a clone of Bug #506236 +++

New RT upstream versions 3.6.8 and 3.8.4 were released, mentioning the following security fix:

  The most important fix is that RT now requires the SuperUser
  right to edit global RT at a Glance.  In all previous 3.8
  releases, the "ShowConfigTab" right unintentionally enabled this.
  If you have not granted this right to any non-administrative user,
  then this issue should not affect you.

References:
http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000169.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000170.html

Upstream announcements contain patches that can be used with older versions instead of moving to a new upstream version.


As a "quick fix", I am going to apply the patch from
http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000170.html
to the FC10 and FC11 packages (both currently at rt-3.8.2), because the side-effects of upgrading to rt-3.8.4 currently are not sufficiently clear to me and appear to be too risky (at least for now).

Comment 1 Fedora Update System 2009-06-19 07:22:07 UTC
rt3-3.8.2-8.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rt3-3.8.2-8.fc11

Comment 2 Fedora Update System 2009-06-19 07:25:43 UTC
rt3-3.8.2-8.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rt3-3.8.2-8.fc10

Comment 3 Fedora Update System 2009-06-24 19:29:42 UTC
rt3-3.8.2-8.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2009-06-24 19:32:09 UTC
rt3-3.8.2-8.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.