Bug 1200069 (CVE-2015-1464) - CVE-2015-1464 rt: session hijacking flaw in RSS feed handler
Summary: CVE-2015-1464 rt: session hijacking flaw in RSS feed handler
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2015-1464
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1200070
Blocks:
Reported: 2015-03-09 15:44 UTC by Martin Prpič
Modified: 2019-09-29 13:29 UTC
CC List: 3 users

Fixed In Version: rt 4.2.10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:39:33 UTC



Description Martin Prpič 2015-03-09 15:44:11 UTC
A session hijacking flaw was found in Request Tracker's (RT) processed RSS feed handler. A remote attacker could use an RSS feed URL to hijack a session of a different user.

This flaw is fixed in 4.2.10:

https://bestpractical.com/release-notes/rt/4.2.10

Comment 1 Martin Prpič 2015-03-09 15:45:00 UTC
Created rt tracking bugs for this issue:

Affects: fedora-21 [bug 1200070]

Comment 2 Jason Tibbitts 2015-03-09 18:44:51 UTC
So, I'm playing with a rebase to 4.2.10 and pretty much none of the patches apply. I think several of them are upstream so I'll start tracking them down.

But, Ralf, do let me know if you'd rather take care of this yourself.  Otherwise I'll start committing stuff to rawhide.

Comment 3 Ralf Corsepius 2015-03-10 03:35:04 UTC
(In reply to Jason Tibbitts from comment #2)
> So, I'm playing with a rebase to 4.2.10 and pretty much none of the patches
> apply. I think several of them are upstream so I'll start tracking them down.
> 
> But, Ralf, do let me know if you'd rather take care of this yourself. 
Patience, please. I already had an update candidate pending, but as you noticed rebasing the patches isn't trivial and requires testing.

Comment 4 Ralf Corsepius 2015-03-10 03:40:54 UTC
(In reply to Ralf Corsepius from comment #3)
> (In reply to Jason Tibbitts from comment #2)
> > So, I'm playing with a rebase to 4.2.10 and pretty much none of the patches
> > apply. I think several of them are upstream so I'll start tracking them down.
> > 
> > But, Ralf, do let me know if you'd rather take care of this yourself. 
> Patience, please. I already had an update candidate pending, but as you
> noticed rebasing the patches isn't trivial and requires testing.

Grumble. Tibbs - Would you please take timezones into account before killing my work?

This CVE churn started at 16-17:00 local time, you sent your notice ~20:00
and committed your patches ~01:00 local-time. What am I supposed to think of this?

Comment 5 Jason Tibbitts 2015-03-10 05:22:00 UTC
Revert if you like.  Big deal.  What you're supposed to think of this is that "hey, he did some work, and that's nice; isn't it great to have a community of people working on things".  Or, I guess, whatever you like.  It's in git.  You can roll it back if you like.  I didn't kill your work in the least.  That's kind of the point of having a proper version control system.  Stash your changes, commit a revert, pop your stash, bump the release and commit.  Should take you, what, not even an extra minute?

I didn't change anything in the package that didn't need to be changed to get things to build, except for the adjusting of the chmod +x list near the end.  You could perhaps disagree with using a bunch of rm statements to delete files instead of a patch, because frankly using a patch just means it's one additional thing you absolutely have to rebase when even one byte of one of those files changes, but hey, it's up for discussion.  I didn't push anything anywhere other than rawhide.  Not sure how else you believe collaboration is supposed to work, honestly.

Comment 6 Fedora Update System 2015-03-31 21:48:25 UTC
rt-4.2.10-2.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-04-04 07:20:31 UTC
rt-4.2.10-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Product Security DevOps Team 2019-06-08 02:39:33 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
