Bug 864566 (CVE-2012-4545)
| Summary: | CVE-2012-4545 elinks: Improper delegation of client credentials during GSS negotiation | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jrusnack, kdudka, myllynen, ovasik, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-12 06:22:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 863066, 891566, 891692, 891693, 891694, 891695 | ||
| Bug Blocks: | 864574 | ||
| Attachments: | |||
|
Description
Jan Lieskovsky
2012-10-09 15:20:09 UTC
This issue affects the versions of the elinks package, as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue affects the versions of the elinks package, as shipped with Fedora release of 16 and 17. This issue was discovered by Marko Myllynen of Red Hat. Created attachment 624175 [details]
Proposed patch from Kamil Dudka to disable credentials delegation during GSS negotiation
I am working on a new version of the patch, will provide some update shortly. Created attachment 632061 [details]
[PATCH] http_negotiate: do not delegate GSSAPI credentials by default
I have proposed a new version of the patch upstream.
Created attachment 633270 [details]
fixes supposed to go out with the security advisory
An upstream patch allowing to configure trusted servers is going to be applied later, together with some other fixes related to the HTTP authentication.
Created attachment 635073 [details]
RHEL-5 backport of the upstream security fixes
Created attachment 635074 [details]
RHEL-6 backport of the upstream security fixes
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4545 http://bugzilla.elinks.cz/show_bug.cgi?id=1124 http://repo.or.cz/w/elinks.git/commitdiff/da18694ff7dd0b67dfcb3c417fb0579b1e7d02d7 http://www.debian.org/security/2012/dsa-2592 http://www.securityfocus.com/bid/57065 http://secunia.com/advisories/51569 http://xforce.iss.net/xforce/xfdb/80882 Created elinks tracking bugs for this issue Affects: fedora-all [bug 891566] elinks-0.12-0.32.pre5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. elinks-0.12-0.29.pre5.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. Acknowledgements: This issue was discovered by Marko Myllynen of Red Hat. This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2013:0250 https://rhn.redhat.com/errata/RHSA-2013-0250.html |