Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 Mar 2015 21:00:53 -0500
From: Galen Charlton <>
Subject: Re: CVE request - Evergreen


On Tue, Mar 3, 2015 at 8:08 PM,  <> wrote:
>> Both bugs had permitted remote unauthenticated access of confidential
>> application configuration settings.
> but says:
>> Any user who can authenticate to Evergreen and make the proper
>> open-ils.pcrud calls can view the history of any setting ... once
>> anonymous pcrud goes in, no login would be required either.
> Was there a released version of Evergreen in which an unauthenticated
> attacker could view a setting's history by exploiting this bug?

Yes, there was -- the comment in the bug report does not take into
account the fact that the open-ils.pcrud endpoint supports anonymous,
unauthenticated retrieval of database objects under pcrud's purview if
a user permission for retrieval is not explicitly specified in

>  - in version 2.7.3, there is a major vulnerability in which a
>    setting's history can be viewed by any authenticated user,
>    including users with the "patron" role

Almost -- per my response above, unauthenticated users could also gain
access to a setting's history as, prior to the patch, anonymous
retrieval was possible via open-ils.pcrud.

>  - in version 2.7.4, there is a minor vulnerability in which a
>    setting's history can be viewed by all persons with the staff role,
>    which would include unauthorized staff in many realistic
>    deployments. This might be fixed in a future release by forcing all
>    access to use cstore, or by some other undetermined change.
> ?

Correct, and I agree with the implication that bug 1206589 would
therefore warrant two CVE numbers.


Galen Charlton
Infrastructure and Added Services Manager
Equinox Software, Inc. / The Open Source Experts
direct: +1 770-709-5581
cell:   +1 404-984-4366
skype:  gmcharlt
Supporting Koha and Evergreen: &

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ