Bug 481165 - Update rt3 to 3.6.7
Status: CLOSED CURRENTRELEASE
Product: Fedora EPEL
Classification: Fedora
Component: rt3
Version: el5
Platform: All Linux
Priority: high
Severity: high
Assigned To: Xavier Bachelot
QA Contact: Fedora Extras Quality Assurance
Depends On: 481163
Reported: 2009-01-22 10:13 EST by Xavier Bachelot
Modified: 2009-02-16 12:22 EST (History)

Last Closed: 2009-02-16 12:21:41 EST
Description Xavier Bachelot 2009-01-22 10:13:53 EST
rt3 <= 3.6.6 is vulnerable to a DoS attack through the perl-Devel-StackTrace < 1.19 vector. This and rt 3.6.7 are needed to fully fix the security issue.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3502 and http://lists.bestpractical.com/pipermail/rt-announce/2008-June/000158.html for details.
Comment 1 Ralf Corsepius 2009-01-22 11:03:13 EST
If I understand correctly, the vulnerability is in perl-Devel-StackTrace.

Fedora 9-11 already come with Devel-StackTrace-1.20
=> should not be affected by this vulnerability.

Fedora 10 and 11's rt3 is currently at 3.8.x => should also not be affected.

Leaves Fedora 9's rt3, which is at 3.6.6. Upgrading FC9's rt3 to rt-3.8.x is hardly possible due to rt once again having changed its database format and because there is no known way to automatically reformat the database from inside of rpm.

Whether upgrading it to 3.6.7 is possible, needs to be analyzed. I'd rather avoid doing so.
Comment 2 Xavier Bachelot 2009-01-22 11:16:01 EST
(In reply to comment #1)
> If I understand correctly, the vulnerability is in perl-Devel-StackTrace.
> 
> Fedora 9-11 already come with Devel-StackTrace-1.20
> => should not be affected by this vulnerability.

The vulnerability is in Devel::StackTrace, the bells and whistles are in rt3 3.6.7.

> 
> Fedora 10 and 11's rt3 currently is at 3.8.x => should also not be affected.
>
That's why I filed a bug against rt3 F9 too.
 
> Leaves Fedora 9's rt3, which is at 3.6.6. Upgrading FC9's rt3 to rt-3.8.x is
> hardly possible due to rt once again having changed its database format and
> because there is no known way to automatically reformat the database from
> inside of rpm.
> 
Yes, upgrading between major rt3 releases is not possible, at least not automagically, so there is no way to do that in a stable release.

> Whether upgrading it to 3.6.7 is possible, needs to be analyzed. I'd rather
> avoid doing so.

There's no database change nor any caveat mentioned in the changelog and we've successfully done some basic update tests. We've yet to try with a production database though.
Comment 3 Xavier Bachelot 2009-02-16 12:21:41 EST
Pushed to EPEL stable, as well as a fixed perl-Devel-StackTrace.