Bug 506885 - rt3: privilege to edit 'RT at a Glance' unintentionally granted by "ShowConfigTab" right
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: rt3
10
All Linux
medium Severity medium
Assigned To: Ralf Corsepius
Fedora Extras Quality Assurance
: Security
Depends On: 506236
Reported: 2009-06-19 02:33 EDT by Ralf Corsepius
Modified: 2009-06-24 15:32 EDT

Fixed In Version: 3.8.2-8.fc10
Doc Type: Bug Fix
Clone Of: 506236
Last Closed: 2009-06-24 15:29:46 EDT
Description Ralf Corsepius 2009-06-19 02:33:10 EDT
+++ This bug was initially created as a clone of Bug #506236 +++

New RT upstream versions 3.6.8 and 3.8.4 were released, mentioning the following security fix:

  The most important fix is that RT now requires the SuperUser
  right to edit global RT at a Glance.  In all previous 3.8
  releases, the "ShowConfigTab" right unintentionally enabled this.
  If you have not granted this right to any non-administrative user,
  then this issue should not affect you.

References:
http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000169.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000170.html

Upstream announcements contain patches that can be used with older versions instead of moving to a new upstream version.


As a "quick fix", I am going to apply the patch from
http://lists.bestpractical.com/pipermail/rt-announce/2009-June/000170.html
to the FC10 and FC11 packages (both currently at rt-3.8.2), because the side-effects of upgrading to rt-3.8.4 are currently not sufficiently clear to me and seem too risky (at least for now).
Comment 1 Fedora Update System 2009-06-19 03:22:07 EDT
rt3-3.8.2-8.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rt3-3.8.2-8.fc11
Comment 2 Fedora Update System 2009-06-19 03:25:43 EDT
rt3-3.8.2-8.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rt3-3.8.2-8.fc10
Comment 3 Fedora Update System 2009-06-24 15:29:42 EDT
rt3-3.8.2-8.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2009-06-24 15:32:09 EDT
rt3-3.8.2-8.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
