Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1475 to the following vulnerability: The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.
Upstream bug report: http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788
Additional references:
http://www.securityfocus.com/bid/28238
http://www.frsirt.com/english/advisories/2008/0891
http://secunia.com/advisories/29336
http://xforce.iss.net/xforce/xfdb/41240
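The defect class described above (item-level access is checked, but individual properties are not) is easy to reproduce in miniature. The following is an added illustration, not Roundup's code or its fix: the item store, the roles, the property names (including a hypothetical restricted property `internal_notes`) and the ACL table are all constructed for this example. It places a `display`/`set` handler that ignores property permissions next to one that filters every read and refuses every write against a per-property ACL, which is the shape of check the upstream xmlrpc.py change added.

```python
"""Added example (not Roundup code): property-level permission checks in an
RPC-style display/set API, vulnerable variant beside the hardened one.

All data below is constructed for illustration: one issue item, two roles
('user' and 'admin') and a hypothetical restricted property 'internal_notes'.
"""
import copy


class PropertyPermissionDenied(Exception):
    """Raised when a caller tries to write a property its role may not touch."""


# Constructed sample item: two public properties and one restricted one.
ITEMS = {
    "issue1": {
        "title": "Login fails",
        "status": "open",
        "internal_notes": "customer is VIP",  # hypothetical restricted property
    },
}

# Constructed property-level ACL: property -> roles allowed to read / write it.
PROPERTY_ACL = {
    "title":          {"read": {"user", "admin"}, "write": {"admin"}},
    "status":         {"read": {"user", "admin"}, "write": {"admin"}},
    "internal_notes": {"read": {"admin"},         "write": {"admin"}},
}


def allowed(role, prop, action):
    """True if `role` may perform `action` ('read'/'write') on `prop`.

    An unknown property is denied rather than silently permitted.
    """
    acl = PROPERTY_ACL.get(prop)
    return acl is not None and role in acl[action]


class VulnerableServer:
    """Checks only that the item exists; property restrictions are ignored.

    A 'user' caller can read 'internal_notes' and overwrite 'status'.
    """

    def __init__(self):
        self.items = copy.deepcopy(ITEMS)

    def display(self, role, itemid):
        return dict(self.items[itemid])

    def set(self, role, itemid, **props):
        self.items[itemid].update(props)
        return dict(self.items[itemid])


class HardenedServer:
    """Applies the property ACL to every value returned and every value written."""

    def __init__(self):
        self.items = copy.deepcopy(ITEMS)

    def display(self, role, itemid):
        # Drop every property the caller's role may not read.
        item = self.items[itemid]
        return {p: v for p, v in item.items() if allowed(role, p, "read")}

    def set(self, role, itemid, **props):
        # Refuse the whole request if any property is not writable by this role,
        # so a partial update cannot sneak a restricted change through.
        denied = sorted(p for p in props if not allowed(role, p, "write"))
        if denied:
            raise PropertyPermissionDenied("not allowed to set: %s" % ", ".join(denied))
        self.items[itemid].update(props)
        return self.display(role, itemid)


if __name__ == "__main__":
    print("vulnerable, as user:", VulnerableServer().display("user", "issue1"))
    print("hardened, as user:  ", HardenedServer().display("user", "issue1"))
```

The `set` handler checks all requested properties before touching the store, so a request mixing a permitted and a forbidden property is rejected as a whole; filtering in `display` is done on the returned dictionary, which is the same approach a `list` method would need to take over each item it enumerates.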
CVE description also references our bug for CVE-2008-1474 (bug #436546) and Fedora updates to 1.4.4. Even though the patch for this issue was applied in upstream CVS on the same day as patches for CVE-2008-1474, it is not available in the upstream 1.4.4 tarball and, according to upstream CHANGES.txt, will be included in the future 1.4.5 version:
http://roundup.cvs.sourceforge.net/roundup/roundup/CHANGES.txt?revision=1.939&view=markup
Patch proposed by the reporter:
http://sourceforge.net/tracker/download.php?group_id=31577&atid=402788&file_id=269102&aid=1907211
Changes applied to upstream CVS:
http://roundup.cvs.sourceforge.net/roundup/roundup/CHANGES.txt?r1=1.938&r2=1.939
http://roundup.cvs.sourceforge.net/roundup/roundup/roundup/xmlrpc.py?r1=1.5&r2=1.6
http://roundup.cvs.sourceforge.net/roundup/roundup/test/test_xmlrpc.py?r1=1.4&r2=1.5
http://roundup.cvs.sourceforge.net/roundup/roundup/test/db_test_base.py?r1=1.96&r2=1.97
http://roundup.cvs.sourceforge.net/roundup/roundup/test/test_dates.py?r1=1.44&r2=1.45
(some changes may be unrelated)
Commit list: http://sourceforge.net/mailarchive/forum.php?forum_name=roundup-checkins&max_rows=25&style=ultimate&viewmonth=200803&viewday=7
Correction: the xmlrpc fix was committed to upstream CVS about a week after the security fixes in 1.4.4; CHANGES.txt just lists an incorrect date. Sorry about the confusion.
roundup-1.4.6-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
roundup-1.4.6-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Can this ticket be closed?
I guess...