Date: Tue, 3 Mar 2015 20:08:28 -0500 (EST)
From: cve-assign@...re.org
To: gmc@...library.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request - Evergreen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/

We have these initial questions, in part to determine whether there
should be a total of two CVE IDs or three CVE IDs.

http://openwall.com/lists/oss-security/2015/03/03/11 says:

> Both bugs had permitted remote unauthenticated access of confidential
> application configuration settings.

but https://bugs.launchpad.net/evergreen/+bug/1206589 says:

> Any user who can authenticate to Evergreen and make the proper
> open-ils.pcrud calls can view the history of any setting ... once
> anonymous pcrud goes in, no login would be required either.

Was there a released version of Evergreen in which an unauthenticated
attacker could view a setting's history by exploiting this bug?

https://bugs.launchpad.net/evergreen/+bug/1206589 also says:

> An immediate fix for this would be to add a permission, just about any
> permission that a patron would not have ... The
> collab/dyrcona/lp1206589-quick-fix branch in the security repo adds a
> retrieve permission of STAFF_LOGIN ... That leaves us pretty much
> where the initial bug reports assumes we were with settings exposed
> only to unauthorized staff ... Since I have suggested removing the
> open-ils.pcrud controller, leaving cstore as the only mode of access
> to these settings, new API calls would need to be added to search and
> retrieve the settings history.

and http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063 says:

> Temporary Fix for Org. Unit Settings History Bug
> 1. It adds a retrieve permission of STAFF_LOGIN. This at least
> requires someone with staff permission to be able to view settings
> history.

Does this mean that:

- in version 2.7.3, there is a major vulnerability in which a setting's
  history can be viewed by any authenticated user, including users with
  the "patron" role

- in version 2.7.4, there is a minor vulnerability in which a setting's
  history can be viewed by all persons with the staff role, which would
  include unauthorized staff in many realistic deployments. This might
  be fixed in a future release by forcing all access to use cstore, or
  by some other undetermined change.

?

> https://bugs.launchpad.net/evergreen/+bug/1424755

This seems to be a much simpler case that was completely fixed by
http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307
and had allowed unauthenticated access. It will have only one CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU9lpzAAoJEKllVAevmvmsbdQH/22bw/68/mpyxJ6cOvlw7e1M
QSfNIO+feS9aS9c7k7y2g6yV0KEC7b261gSLQlJFpPVYq7sBh/Y9jLcQhINOWb1j
8m5DP8lqHF4iiCXxxxwJsG5MM2AxvKnk0KXcfGu8qnd6OOmuO4xC+hM5P3XdpRFQ
RJeQU8lSDYHD3yb9D+lfvybr/2ceUVAVTuJCeCLDBj0yr7Gvn3+R0as/mqTt6jyU
EQqciiLFntiucwSOAFQDD0rA0/9JP+ORDC47BcIyDgi0Xca/T+36NbeIsskMXEjO
liBCap+fLIuFWQ0dx5zS+9YQjYwaWyTeaXOFTfjhPUVkgao2CF5aoRSL0qL1zIg=
=3sHe
-----END PGP SIGNATURE-----