Bug 543984 (CVE-2009-4151) - CVE-2009-4151 rt3: web sessions hijack
Summary: CVE-2009-4151 rt3: web sessions hijack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-4151
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard:
Depends On: 543977
Blocks:
Reported: 2009-12-03 16:25 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-04 15:43:29 UTC
Embargoed:



Comment 1 Ralf Corsepius 2009-12-03 16:32:02 UTC
How many times more do you intend to submit this bug?

Within the last 1/2 hour I have received 3 of them.

Comment 2 Jan Lieskovsky 2009-12-03 16:57:39 UTC
Just filed in relevant CVE identifiers, so you can reference them 
in Fedora updates. 

Don't want to unnecessarily spam your mailbox.

Comment 3 Ralf Corsepius 2009-12-04 10:35:02 UTC
Do you agree that this BZ is a duplicate of
https://bugzilla.redhat.com/show_bug.cgi?id=543962

and that 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4151
and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3585

are duplicates?

It's at least how I read this BZ
and 
https://bugzilla.redhat.com/show_bug.cgi?id=543962

Comment 4 Tomas Hoger 2009-12-04 11:57:10 UTC
It rather seems that the additional id was assigned for the "additional, related vulnerability" mentioned in the upstream advisory, which was described too vaguely for Mitre to be sure the original id should be used to cover both cases.  I don't really dare to guess the attack vector from the upstream description.

Comment 5 Ralf Corsepius 2009-12-04 14:25:07 UTC
Possibly, however, this leaves me "standing in the rain".

No fix, no test case to reproduce, nothing to investigate ...
... just a vague report :-)

The only feasible option for me to handle this CVE seems to be
"sitting it out" and hope somebody will fix this CVE with life or close it.

Comment 6 Vincent Danen 2009-12-04 15:31:35 UTC
Well, the same patch seems to exist to fix both issues.  So there's nothing to sit out... if you apply the upstream patch, then both issues should be corrected, right?

The vulnerabilities are similar, but whether they are identical or not doesn't really matter.  Upstream provided a single patch to fix both issues (which isn't uncommon).

Comment 7 Ralf Corsepius 2009-12-04 15:43:29 UTC
(In reply to comment #6)
> Well, the same patch seems to exist to fix both issues.  So there's nothing to
> sit out... if you apply the upstream patch, then both issues should be
> corrected, right?
> 
> The vulnerabilities are similar, but whether they are identical or not doesn't
> really matter.  Upstream provided a single patch to fix both issues (which
> isn't uncommon).  

OK, fixes are applied, packages are pending.

=> closing as duplicate.

*** This bug has been marked as a duplicate of bug 543962 ***

Comment 8 Vincent Danen 2009-12-04 15:51:01 UTC
Closing this as a duplicate is wrong.  I've added this CVE to the issue in bodhi, so when the rt3 updates go through they'll note this CVE identifier as well.  Arbitrarily deciding this is a duplicate isn't something we should do unless we want to go through the actions of getting MITRE to reject this CVE (and I don't think it's worth the effort).  This bug should get closed as well as the other when the packages get pushed to stable.

Keeping it closed, but marking it ERRATA rather than DUPLICATE for correctness.

Comment 9 Ralf Corsepius 2009-12-04 16:00:25 UTC
You know what?

I have been wasting more time on coping with this silly RH bureaucracy and what buttzilla had munched them into, than with applying patches.

Next time, please refrain from using this bureaucracy and submit an ordinary BZ.

Comment 10 Fedora Update System 2009-12-11 18:23:28 UTC
rt3-3.8.4-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2009-12-11 18:29:31 UTC
rt3-3.8.2-12.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2009-12-11 18:37:34 UTC
rt3-3.8.2-12.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-12-31 06:54:55 UTC
rt3-3.6.10-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

