Bug 543984 - (CVE-2009-4151) CVE-2009-4151 rt3: web sessions hijack
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
http://cve.mitre.org/cgi-bin/cvename....
impact=low,source=cve,reported=200912...
: Security
Depends On: 543977
Blocks:
Reported: 2009-12-03 11:25 EST by Jan Lieskovsky
Modified: 2009-12-31 01:54 EST

Doc Type: Bug Fix
Last Closed: 2009-12-04 10:43:29 EST


Attachments: None
Comment 1 Ralf Corsepius 2009-12-03 11:32:02 EST
How many times more do you intend to submit this bug?

Within the last 1/2 hour I have received 3 of them.
Comment 2 Jan Lieskovsky 2009-12-03 11:57:39 EST
Just filed in relevant CVE identifiers, so you can reference them 
in Fedora updates. 

Don't want to unnecessarily spam your mailbox.
Comment 3 Ralf Corsepius 2009-12-04 05:35:02 EST
Do you agree that this BZ is a duplicate of
https://bugzilla.redhat.com/show_bug.cgi?id=543962

and that 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4151
and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3585

are duplicates?

It's at least how I read this BZ
and 
https://bugzilla.redhat.com/show_bug.cgi?id=543962
Comment 4 Tomas Hoger 2009-12-04 06:57:10 EST
It rather seems that the additional id was assigned for the "additional, related vulnerability" mentioned in the upstream advisory, which was described too vaguely for Mitre to be sure the original id should be used to cover both cases.  I don't really dare to guess the attack vector from the upstream description.
Comment 5 Ralf Corsepius 2009-12-04 09:25:07 EST
Possibly, however, this leaves me "standing in the rain".

No fix, no test case to reproduce, nothing to investigate ...
... just a vague report :-)

The only feasible option for me to handle this CVE seems to be
"sitting it out" and hope somebody will fix this CVE with life or close it.
Comment 6 Vincent Danen 2009-12-04 10:31:35 EST
Well, the same patch seems to exist to fix both issues.  So there's nothing to sit out... if you apply the upstream patch, then both issues should be corrected, right?

The vulnerabilities are similar, but whether they are identical or not doesn't really matter.  Upstream provided a single patch to fix both issues (which isn't uncommon).
Comment 7 Ralf Corsepius 2009-12-04 10:43:29 EST
(In reply to comment #6)
> Well, the same patch seems to exist to fix both issues.  So there's nothing to
> sit out... if you apply the upstream patch, then both issues should be
> corrected, right?
> 
> The vulnerabilities are similar, but whether they are identical or not doesn't
> really matter.  Upstream provided a single patch to fix both issues (which
> isn't uncommon).  

OK, fixes are applied, packages are pending.

=> closing as duplicate.

*** This bug has been marked as a duplicate of bug 543962 ***
Comment 8 Vincent Danen 2009-12-04 10:51:01 EST
Closing this as a duplicate is wrong.  I've added this CVE to the issue in bodhi, so when the rt3 updates go through they'll note this CVE identifier as well.  Arbitrarily deciding this is a duplicate isn't something we should do unless we want to go through the actions of getting MITRE to reject this CVE (and I don't think it's worth the effort).  This bug should get closed as well as the other when the packages get pushed to stable.

Keeping it closed, but marking it ERRATA rather than DUPLICATE for correctness.
Comment 9 Ralf Corsepius 2009-12-04 11:00:25 EST
You know what?

I have been wasting more time on coping with this silly RH bureaucracy and what buttzilla had munched them into, than with applying patches.

Next time, please refrain from using this bureaucracy and submit an ordinary BZ.
Comment 10 Fedora Update System 2009-12-11 13:23:28 EST
rt3-3.8.4-7.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2009-12-11 13:29:31 EST
rt3-3.8.2-12.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2009-12-11 13:37:34 EST
rt3-3.8.2-12.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2009-12-31 01:54:55 EST
rt3-3.6.10-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.