Bug 824082 (CVE-2011-2082, CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458, CVE-2011-4459, CVE-2011-4460)

Summary: rt3: Multiple security flaws fixed in upstream v3.8.12 and v4.0.6 versions
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: alexmv, mmahut, perl-devel, rc040203, tremble, xavier
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120522,reported=20120522,source=upstream,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,fedora-all/rt3=affected,epel-all/rt3=affected
Fixed In Version:
Doc Type: Bug Fix
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 824089, 824088

Description Jan Lieskovsky 2012-05-22 13:11:14 EDT
Request Tracker (RT) upstream has announced upstream v3.8.12 and v4.0.6 versions:
http://blog.bestpractical.com/2012/05/security-vulnerabilities-in-rt.html

correcting the following security flaws:
=======================================

The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users. This release includes an updated version of the vulnerable-passwords tool, which should be run again to upgrade the remaining password hashes. CVE-2011-2082 is assigned to this vulnerability.

RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information disclosure vulnerabilities. This includes the ability for privileged users to expose users' previous password hashes -- this vulnerability is particularly dangerous given RT's weak hashing previous to the fix in CVE-2011-0009. A separate vulnerability allows privileged users to obtain correspondence history for any ticket in RT. CVE-2011-2084 is assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site request forgery (CSRF), in which a malicious website causes the browser to make a request to RT as the currently logged in user. This attack vector could be used for information disclosure, privilege escalation, and arbitrary execution of code. Because some external integrations may rely on RT's previously permissive functionality, we have included a configuration option ($RestrictReferrer) to disable CSRF protection. We have also added an additional configuration parameter ($ReferrerWhitelist) to aid in exempting certain originating sites from CSRF protections. CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option ($RestrictLoginReferrer) to prevent login CSRF, a different class of CSRF attack where the user is silently logged in using the attacker's credentials. $RestrictLoginReferrer defaults to disabled, because this functionality's benign usage is more commonly relied upon and presents less of a threat vector for RT than many other types of online applications.

RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect rights that a user only has by way of a currently-disabled group. CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack, which allows privileged users to obtain arbitrary information from the database. CVE-2011-4460 is assigned to this vulnerability.

Upstream patches for all releases of 3.8 and 4.0 are available for download at:
-------------------------------------------------------------------------------
http://download.bestpractical.com/pub/rt/release/security-2012-05-22.tar.gz
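The configuration switches named in the advisory above (CVE-2011-2085, login CSRF and CVE-2011-4458), shown as an added RT_SiteConfig.pm fragment that contrasts the permissive settings with the hardened ones. This is an illustrative example, not text from the advisory and not code shipped with RT; the option names are assumed from RT 4.0's RT_Config.pm (where the whitelist is declared as the list @ReferrerWhitelist, while the advisory writes $ReferrerWhitelist), so check them against the RT_Config.pm of the version actually installed, and the host:port entries are placeholders.

```perl
# Added example: RT_SiteConfig.pm fragment contrasting permissive and
# hardened settings for the issues in this bug. Not from the advisory or
# from RT itself; option names assumed from RT 4.0's RT_Config.pm, and
# the hostnames below are placeholders.

# --- CVE-2011-2085: CSRF (state-changing GET requests) -------------------
# Permissive, only if an external integration genuinely depends on it:
#   Set($RestrictReferrer, 0);
# Hardened: require the HTTP Referer to match RT's own host:port ...
Set($RestrictReferrer, 1);
# ... plus any other origins that legitimately link into RT. Entries are
# host:port; simple wildcards are accepted. Declared as a list, hence '@'.
Set(@ReferrerWhitelist, qw(
    intranet.example.com:443
    *.sso.example.com:443
));

# Login CSRF: upstream default is off for backwards compatibility. Turn it
# on unless something relies on logging users in through user=/pass=
# parameters carried on arbitrary links.
Set($RestrictLoginReferrer, 1);

# --- CVE-2011-4458: code execution paths ---------------------------------
# VERP is the remote code execution vector in 3.6.1 and later; leave it
# unset unless bounce tracking is required. Permissive would be:
#   Set($VERPPrefix, 'rt-');
#   Set($VERPDomain, $RT::Organization);
# Hardened: both options left unset (kept commented out).

# RT 4.0 and later: refuse to execute Perl code in templates at all.
# Before 4.0.6 this could still be bypassed by sufficiently privileged
# users, so the setting only counts once the fixed version is installed.
Set($DisallowExecuteCode, 1);

1;
```

RT reads its configuration at startup, so the web server (mod_perl or FastCGI) has to be restarted for the change to take effect. The re-run of the vulnerable-passwords tool for CVE-2011-2082 is a separate step that no configuration setting replaces.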
Comment 1 Jan Lieskovsky 2012-05-22 13:19:57 EDT
These issues affect the versions of the rt3 package, as shipped with Fedora releases 15 and 16. Please schedule an update / rebase.

--

These issues affect the versions of the rt3 package, as shipped with Fedora EPEL 5 and 6. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-05-22 13:21:08 EDT
Created rt3 tracking bugs for this issue

Affects: fedora-all [bug 824088]
Affects: epel-all [bug 824089]
Comment 3 Alex Vandiver 2012-05-24 23:33:09 EDT
To anyone readying a release based on the above, please also note the two follow-up messages addressing problems with sending mail caused by the security patches:

http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000205.html
http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000206.html

As the latter mentions, 3.8.13 should be released in the next couple days to address the issue with mod_perl deployments.

 - Alex
Comment 4 Ralf Corsepius 2012-05-24 23:49:07 EDT
Hmm, I am confused about
 http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000205.html

There, you say: "RT 3.8.11 and 4.0.5 already require version (FCGI) 0.75 or higher".

However, the latest version of FCGI.pm on CPAN is 0.74, and rt-3.8.12/sbin/rt-test-dependencies also checks for FCGI 0.74?

Could you elaborate?
Comment 5 Alex Vandiver 2012-05-24 23:51:20 EDT
Gah -- simple typo.  Please read that as 0.74, as you confirmed by looking at sbin/rt-test-dependencies.in
 - Alex
Comment 6 Ralf Corsepius 2012-05-25 00:13:48 EDT
Thanks for clarifying this. 

Fedora already ships 0.74, but ... CentOS6 is still at 0.71 ;)
Comment 7 Fedora Update System 2012-06-01 12:53:29 EDT
rt3-3.8.12-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2012-06-01 23:52:07 EDT
rt3-3.8.12-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-06-01 23:58:16 EDT
rt3-3.8.12-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.