A session hijacking flaw was found in Request Tracker's (RT) RSS feed handler. A remote attacker could use an RSS feed URL to hijack the session of a different user. This flaw is fixed in 4.2.10: https://bestpractical.com/release-notes/rt/4.2.10
Created rt tracking bugs for this issue: Affects: fedora-21 [bug 1200070]
So, I'm playing with a rebase to 4.2.10 and pretty much none of the patches apply. I think several of them are upstream so I'll start tracking them down. But, Ralf, do let me know if you'd rather take care of this yourself. Otherwise I'll start committing stuff to rawhide.
(In reply to Jason Tibbitts from comment #2)
> So, I'm playing with a rebase to 4.2.10 and pretty much none of the patches
> apply. I think several of them are upstream so I'll start tracking them down.
>
> But, Ralf, do let me know if you'd rather take care of this yourself.

Patience, please. I already had an update candidate pending, but as you noticed rebasing the patches isn't trivial and requires testing.
(In reply to Ralf Corsepius from comment #3)
> (In reply to Jason Tibbitts from comment #2)
> > So, I'm playing with a rebase to 4.2.10 and pretty much none of the patches
> > apply. I think several of them are upstream so I'll start tracking them down.
> >
> > But, Ralf, do let me know if you'd rather take care of this yourself.
> Patience, please. I already had an update candidate pending, but as you
> noticed rebasing the patches isn't trivial and requires testing.

Grumble. Tibbs - Would you please take timezones into account before killing my work? This CVE churn started at 16-17:00 local time, you sent your notice ~20:00 and committed your patches ~01:00 local-time. What am I supposed to think of this?
Revert if you like. Big deal. What you're supposed to think of this is that "hey, he did some work, and that's nice; isn't it great to have a community of people working on things". Or, I guess, whatever you like. It's in git. You can roll it back if you like. I didn't kill your work in the least. That's kind of the point of having a proper version control system. Stash your changes, commit a revert, pop your stash, bump the release and commit. Should take you, what, not even an extra minute? I didn't change anything in the package that didn't need to be changed to get things to build, except for the adjusting of the chmod +x list near the end. You could perhaps disagree with using a bunch of rm statements to delete files instead of a patch, because frankly using a patch just means it's one additional thing you absolutely have to rebase when even one byte of one of those files changes, but hey, it's up for discussion. I didn't push anything anywhere other than rawhide. Not sure how else you believe collaboration is supposed to work, honestly.
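The "stash, revert, pop, bump the release, commit" sequence described in the comment above, as an added example that is not part of the bug thread or of the Fedora rt package: it builds a throwaway dist-git-style repository (file names, versions and commit messages are made up) so the steps can be run offline, and only git itself is required.

```shell
#!/bin/sh
# Added example, not from the bug thread: undo another maintainer's commit
# on rawhide without losing uncommitted local work. The repository, spec
# contents and commit messages below are constructed for the demonstration.
set -eu

# Identity for the throwaway commits (git stash and git revert both commit).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# Build a toy checkout: a baseline commit, then a rebase commit that another
# maintainer already pushed on top of it. Prints the repository path.
setup_repo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        git init -q
        printf 'Version: 4.2.9\nRelease: 1\n' > rt.spec
        printf '* rt 4.2.9\n' > changelog.txt
        git add rt.spec changelog.txt
        git commit -q -m 'baseline 4.2.9'
        printf 'Version: 4.2.10\nRelease: 1\n' > rt.spec
        git add rt.spec
        git commit -q -m 'rebase to 4.2.10'
    )
    echo "$dir"
}

# The workflow itself: park our pending edit in the stash, revert HEAD,
# bring the edit back, bump Release, and commit the result.
revert_and_keep_work() {
    (
        cd "$1"
        # Uncommitted local work that must survive the revert.
        printf '* local note, not yet committed\n' >> changelog.txt
        git stash -q
        git revert --no-edit HEAD > /dev/null
        git stash pop -q
        # Bump Release without GNU-specific sed -i.
        sed 's/^Release: 1$/Release: 2/' rt.spec > rt.spec.new
        mv rt.spec.new rt.spec
        git add rt.spec changelog.txt
        git commit -q -m 'Revert to 4.2.9 pending a tested rebase; bump release'
    )
}

# Read one "Name: value" field from the toy spec file.
spec_field() {
    sed -n "s/^$2: //p" "$1/rt.spec"
}

# Number of commits on the current branch.
commit_count() {
    git -C "$1" rev-list --count HEAD
}

demo_repo=$(setup_repo)
revert_and_keep_work "$demo_repo"
echo "Version $(spec_field "$demo_repo" Version), Release $(spec_field "$demo_repo" Release), $(commit_count "$demo_repo") commits"
```

After the run the spec is back at 4.2.9 with Release bumped to 2, the uncommitted changelog line is present in the final commit, the tree is clean, and the reverted rebase commit is still in history, which is what makes the revert cheap to undo again once the patches have been tested.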
rt-4.2.10-2.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
rt-4.2.10-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.