Red Hat Bugzilla – Bug 450246
CVE-2008-1475 roundup: xmlrpc-server not checking property permissions
Last modified: 2010-02-21 13:07:34 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1475 to the following vulnerability:
The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods.
Upstream bug report:
CVE description also references our bug for CVE-2008-1474 (bug #436546) and
Fedora updates to 1.4.4. Even though the patch for this issue was applied in
upstream CVS on the same day as patches for CVE-2008-1474, it is not available
in upstream 1.4.4 tarball and according to upstream CHANGES.txt, will be
included in the future 1.4.5 version:
Patch proposed by the reporter:
Changes applied to upstream CVS:
(some changes may be unrelated)
Correction: the xmlrpc fix was committed to upstream CVS about a week after the security
fixes in 1.4.4; CHANGES.txt just lists an incorrect date. Sorry about the confusion.
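The bug class named in the CVE text above (an API entry point that skips the per-property permission checks the web interface applies), as an added example that is not Roundup's code and not part of this bug report. Everything in it is an assumption made for illustration: the toy tracker data, the (role, permission, class, property) grant table, and the names VulnerableServer, FixedServer, has_permission and call. It models the three methods the CVE names, list, display and set, once without and once with the check:

```python
"""Toy model of an XML-RPC-style front end to an issue tracker.

Added example, not Roundup's code: DB, PERMISSIONS, has_permission,
VulnerableServer, FixedServer and call are assumptions for illustration.
It models the bug class behind CVE-2008-1475: a second entry point that
authenticates the caller but never applies per-property View/Edit
permissions, so list/display/set can read or write restricted properties.
"""
import copy

# Constructed sample data: two 'issue' items with a restricted property.
DB = {
    "issue": {
        "1": {"title": "Login fails", "status": "open",
              "private_note": "reset token mailed to user"},
        "2": {"title": "Typo on front page", "status": "closed",
              "private_note": ""},
    }
}

# Grants as (role, permission, class, property); property None means all.
PERMISSIONS = {
    ("Admin", "View", "issue", None),
    ("Admin", "Edit", "issue", None),
    ("User", "View", "issue", "title"),
    ("User", "View", "issue", "status"),
    ("User", "Edit", "issue", "title"),
}
ROLES = {"admin": "Admin", "alice": "User"}


class Unauthorised(Exception):
    """Raised by the fixed server when a property-level check fails."""


def has_permission(user, perm, classname, prop=None):
    """True if the user's role grants perm on the whole class or on prop."""
    role = ROLES[user]
    if (role, perm, classname, None) in PERMISSIONS:
        return True
    return prop is not None and (role, perm, classname, prop) in PERMISSIONS


class VulnerableServer:
    """Caller is authenticated, but no property permission is ever checked."""

    def __init__(self, db):
        self.db = copy.deepcopy(db)  # private copy so runs do not interfere

    def list(self, user, classname, propname):
        return [item[propname] for item in self.db[classname].values()]

    def display(self, user, classname, itemid, *props):
        item = self.db[classname][itemid]
        return {p: item[p] for p in (props or tuple(item))}

    def set(self, user, classname, itemid, **changes):
        self.db[classname][itemid].update(changes)
        return dict(self.db[classname][itemid])


class FixedServer(VulnerableServer):
    """Same methods; each checks View/Edit on every property it touches."""

    def _require(self, user, perm, classname, props):
        for p in props:
            if not has_permission(user, perm, classname, p):
                raise Unauthorised(f"{user} may not {perm} {classname}.{p}")

    def list(self, user, classname, propname):
        self._require(user, "View", classname, [propname])
        return super().list(user, classname, propname)

    def display(self, user, classname, itemid, *props):
        item = self.db[classname][itemid]
        if props:
            self._require(user, "View", classname, props)
        else:  # no explicit selection: show only what the caller may view
            props = tuple(p for p in item
                          if has_permission(user, "View", classname, p))
        return {p: item[p] for p in props}

    def set(self, user, classname, itemid, **changes):
        self._require(user, "Edit", classname, changes)  # keys = properties
        return super().set(user, classname, itemid, **changes)


def call(method, *args, **kwargs):
    """Run a server method; report ('ok', result) or ('denied', reason)."""
    try:
        return ("ok", method(*args, **kwargs))
    except Unauthorised as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    for name, srv in (("vulnerable", VulnerableServer(DB)), ("fixed", FixedServer(DB))):
        print(name, "display:", call(srv.display, "alice", "issue", "1"))
        print(name, "list:", call(srv.list, "alice", "issue", "private_note"))
        print(name, "set:", call(srv.set, "alice", "issue", "1", status="closed"))
```

The point of the fixed variant is that the check lives inside each method and consults the same grant table the rest of the application uses, so a new entry point cannot silently diverge from the web UI. The one design choice worth noting is in display: when the caller selects no properties, it filters to the viewable ones rather than returning the whole item, while an explicit request for a restricted property is refused outright.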
roundup-1.4.6-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
roundup-1.4.6-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Can this ticket be closed?