Common Vulnerabilities and Exposures assigned an identifier CVE-2011-5092 to the following vulnerability: Name: CVE-2011-5092 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5092 Assigned: 20120604 Reference: http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000203.html Reference: http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000204.html Reference: http://lists.bestpractical.com/pipermail/rt-announce/2012-May/000202.html Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6 allows remote attackers to execute arbitrary code and gain privileges via unspecified vectors, a different vulnerability than CVE-2011-4458 and CVE-2011-5093. Current Fedora has 3.8.12 (3.8.13 in testing), however EPEL6 currently provides 3.8.10 and requires an update. It's not specified as to whether 3.6.x is affected (which is what is shipped in EPEL5).
Created rt3 tracking bugs for this issue Affects: epel-6 [bug 828517]
rt3-3.8.13-1.el6.2 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Vincent Danen from comment #0) > It's not specified as to whether 3.6.x is affected (which is what is > shipped in EPEL5). This CVE is not mentioned in upstream announcements at all, andis apparently a split off from CVE-2011-4458 mentioned by upstream: RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities. As CVE-2011-4458 was used for 3 separate issues, each affecting different versions, it got split by Mitre as: - CVE-2011-4458 for the VERP issue, affecting 3.6.1+ - CVE-2011-5092 for the limited code execution issue in 3.8.0+ - CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+ Hence this CVE-2011-5092 should not apply to 3.6.x in EPEL-5, but the CVE-2011-4458 (bug 824082) should, and remains unfixed.