Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 22 Feb 2011 16:34:32 -0500
From: Thomas Sibley <trs@...tpractical.com>
To: Jan Lieskovsky <jlieskov@...hat.com>
CC: "Steven M. Christey" <coley@...us.mitre.org>, 
 Shawn M Moore <sartak@...tpractical.com>,
 Ralf Corsépius <rc040203@...enet.de>, 
 security@...tpractical.com, oss-security@...ts.openwall.com
Subject: Re: CVE Request -- rt3 -- two issues: 1) Improper management of form
 data resubmittion upon user log out 2) SQL queries information leak by user
 account transition

Hi folks,

Is Redhat packaging RT now, or are you just handling the CVEs?

In all future security mail, please use our security contact address
security@...tpractical.com, not developer email addresses pulled from
commits.  Details for our security contact are at:
http://bestpractical.com/security/

We have no context for Redhat's (and Debian's?) involvement here.  Can
you bring us up to speed on your plans regarding CVEs and/or security
releases in your distributions?

On 22 Feb 2011 09:37, Jan Lieskovsky wrote:
>   2) * Redirect users to their desired pages after login.
[snip]
>      Upstream bug report:
>      [c] http://issues.bestpractical.com/Ticket/Display.html?id=15804
> 
>      Upstream changeset:
>      [d]
> https://github.com/bestpractical/rt/commit/917c211820590950f7eb0521f7f43b31aeed44c4
> 
> 
>      Thomas, could you please confirm [d] is the proper fix for 2)
> issue? Thank you.
>      (* Redirect users to their desired pages after login.)

The commit you linked to is not the full fix.  As noted in our own bug
report you also link to above, the fix was merged into 3.8-trunk with
commit 057552287159e801535e59b8fbd5bd98d1322069.

That said, what are your plans for the diffset?  The commit itself can't
be used as a standalone patch for the issue.  It introduced a few other
bugs in core RT and broke the current stable versions of
RT-Authen-ExternalAuth (a very popular, critical extension).  The bugs
have been fixed by other commits and there are development releases of a
fixed ExternalAuth.

Are you trying to package a patch in a security update?

>   3) * Clone Scrip's TicketObj since we change the CurrentUser and it
> can leak
>      information (Custom field values, etc)
> 
[snip]
>      Upstream changeset (needs confirmation from upstream if it's
>      real fix for the issue yet):
>      [iii]
> https://github.com/bestpractical/rt/commit/56e20b874e8d67ab93aa80c2c00155110a27e764
> 
> 
>      Shawn, could you please confirm [iii] is the proper fix for 3) issue?
>      (* Clone Scrip's TicketObj since we change the CurrentUser and it
> can leak)

The above commit is an unrelated bug fix.  The correct commit is
2338cd19ed7a7f4c1e94f639ab2789d6586d01f3, however we've never tested it
as a standalone fix.  Again, what are your plans?

Thomas, for Best Practical

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.