Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3585 to the following vulnerability:

Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.

References:
-----------
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000177.html
http://lists.bestpractical.com/pipermail/rt-announce/2009-November/000176.html
http://bestpractical.typepad.com/files/rt-3.0.0-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.0.1-3.0.6-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.0.7-3.6.1-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.6.2-3.6.3-session_fixation.v3.patch
http://bestpractical.typepad.com/files/rt-3.6.4-3.6.9-session_fixation.v2.patch
http://bestpractical.typepad.com/files/rt-3.8-session_fixation.patch
http://blog.bestpractical.com/2009/11/session-fixation-vulnerability.html
http://www.securityfocus.com/bid/37162
http://secunia.com/advisories/37546
http://xforce.iss.net/xforce/xfdb/54472
This issue affects the versions of the rt3 package as shipped with Fedora releases 10, 11, and 12. This issue affects the versions of the rt3 package as shipped within the Extra Packages for Enterprise Linux 5 (EPEL-5) project. Please fix.
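The bug class named in the description, session fixation, is easiest to see in a small model of the two sides of a session cookie handler. The following is an added illustration, not RT's html/Elements/SetupSessionCookie nor any of the linked patches: a constructed in-memory session store, a setup routine that adopts whatever session identifier the cookie carries (the fixation-prone pattern), a hardened setup routine that only honours identifiers the server itself issued, and a login step that regenerates the identifier on authentication. The simulation plants a constructed identifier the way a cookie set by another host in the same domain would, then checks whether the planted identifier ends up bound to the authenticated user. All names (SessionStore, setup_session_fixation_prone, setup_session_hardened, login, simulate) are this example's own.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store: session id -> session data."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # Server-issued, unpredictable identifier.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def adopt(self, sid):
        # Used only by the fixation-prone variant below.
        self._sessions[sid] = {}
        return sid

    def regenerate(self, old_sid):
        # Move the session data under a fresh id; the old id stops working.
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def setup_session_fixation_prone(store, cookie_sid):
    """Fixation-prone pattern (constructed): an id that arrives in the cookie
    but is unknown to the server is adopted as-is, so whoever planted the
    cookie already knows the id the victim will authenticate under."""
    if cookie_sid is None:
        return store.create()
    if store.get(cookie_sid) is None:
        return store.adopt(cookie_sid)
    return cookie_sid


def setup_session_hardened(store, cookie_sid):
    """Hardened pattern: only a server-issued, still-live id is accepted;
    anything else is replaced by a freshly generated session."""
    if cookie_sid is not None and store.get(cookie_sid) is not None:
        return cookie_sid
    return store.create()


def login(store, sid, user, regenerate=True):
    """Authenticate the session; regenerating the id on login is the second,
    independent defence against a pre-planted identifier."""
    if regenerate:
        sid = store.regenerate(sid)
    store.get(sid)["user"] = user
    return sid


def simulate(setup, regenerate_on_login):
    """Return True if the planted identifier ends up bound to the victim."""
    store = SessionStore()
    # Constructed: an id planted into the victim's cookie jar for the shared
    # domain, e.g. by a Set-Cookie from a sibling host.
    planted_sid = "planted-session-id"
    victim_sid = setup(store, planted_sid)
    login(store, victim_sid, "victim", regenerate=regenerate_on_login)
    # The session the planted id now resolves to, if any.
    session = store.get(planted_sid)
    return session is not None and session.get("user") == "victim"


if __name__ == "__main__":
    print("adopt cookie id, no regeneration:", simulate(setup_session_fixation_prone, False))
    print("server-issued ids only:            ", simulate(setup_session_hardened, False))
    print("adopt cookie id, regenerate:       ", simulate(setup_session_fixation_prone, True))
```

Either defence alone breaks the chain in this model: refusing unknown identifiers means the planted value never names a server-side session, and regenerating on login means the value the victim authenticated under is no longer the one that was planted. Deploying both is the usual recommendation, since the second also covers identifiers that were legitimately issued but observed before authentication.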
rt3-3.8.4-7.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/rt3-3.8.4-7.fc12
rt3-3.8.2-12.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/rt3-3.8.2-12.fc10
rt3-3.8.2-12.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/rt3-3.8.2-12.fc11
*** Bug 543984 has been marked as a duplicate of this bug. ***
rt3-3.6.10-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/rt3-3.6.10-1.el5
rt3-3.8.4-7.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
rt3-3.8.2-12.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
rt3-3.8.2-12.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
rt3-3.6.10-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Closing. This bug was addressed a long time ago.