https://bugzilla.redhat.com/show_bug.cgi?id=828512

--- Comment #3 from Tomas Hoger <thoger@xxxxxxxxxx> ---

(In reply to Vincent Danen from comment #0)
> It's not specified as to whether 3.6.x is affected (which is what is
> shipped in EPEL5).

This CVE is not mentioned in upstream announcements at all, and is
apparently a split off from CVE-2011-4458 mentioned by upstream:

  RT versions 3.6.1 and above are vulnerable to a remote execution of code
  vulnerability if the optional VERP configuration options ($VERPPrefix and
  $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited
  remote execution of code which can be leveraged for privilege escalation.
  RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode
  option, allowing sufficiently privileged users to still execute code even if
  RT was configured to not allow it. CVE-2011-4458 is assigned to this set of
  vulnerabilities.

As CVE-2011-4458 was used for 3 separate issues, each affecting different
versions, it got split by Mitre as:

- CVE-2011-4458 for the VERP issue, affecting 3.6.1+
- CVE-2011-5092 for the limited code execution issue in 3.8.0+
- CVE-2011-5093 for the DisallowExecuteCode issue in 4.0.0+

Hence this CVE-2011-5092 should not apply to 3.6.x in EPEL-5, but the
CVE-2011-4458 (bug 824082) should, and remains unfixed.

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel