Date: Tue, 3 Mar 2015 20:08:28 -0500 (EST) From: cve-assign@...re.org To: gmc@...library.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request - Evergreen -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://evergreen-ils.org/security-releases-evergreen-2-7-4-2-6-7-and-2-5-9/ We have these initial questions, in part to determine whether there should be a total of two CVE IDs or three CVE IDs. http://openwall.com/lists/oss-security/2015/03/03/11 says: > Both bugs had permitted remote unauthenticated access of confidential > application configuration settings. but https://bugs.launchpad.net/evergreen/+bug/1206589 says: > Any user who can authenticate to Evergreen and make the proper > open-ils.pcrud calls can view the history of any setting ... once > anonymous pcrud goes in, no login would be required either. Was there a released version of Evergreen in which an unauthenticated attacker could view a setting's history by exploiting this bug? https://bugs.launchpad.net/evergreen/+bug/1206589 also says: > An immediate fix for this would be to add a permission, just about any > permission that a patron would not have ... The > collab/dyrcona/lp1206589-quick-fix branch in the security repo adds a > retrieve permission of STAFF_LOGIN ... That leaves us pretty much > where the initial bug reports assumes we were with settings exposed > only to unauthorized staff ... Since I have suggested removing the > open-ils.pcrud controller, leaving cstore as the only mode of access > to these settings, new API calls would need to be added to search and > retrieve the settings history. and http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=ac588e879cf73ff1b65617e0bd273361d3529063 says: > Temporary Fix for Org. Unit Settings History Bug > 1. It adds a retrieve permission of STAFF_LOGIN. This at least > requires someone with staff permission to be able to view settings > history. Does this mean that: - in version 2.7.3, there is a major vulnerability in which a setting's history can be viewed by any authenticated user, including users with the "patron" role - in version 2.7.4, there is a minor vulnerability in which a setting's history can be viewed by all persons with the staff role, which would include unauthorized staff in many realistic deployments. This might be fixed in a future release by forcing all access to use cstore, or by some other undetermined change. ? > https://bugs.launchpad.net/evergreen/+bug/1424755 This seems to be a much simpler case that was completely fixed by http://git.evergreen-ils.org/?p=Evergreen.git;a=commit;h=3a0f1cc7b2efa517ee4cd4c6a682237554fed307 and had allowed unauthenticated access. It will have only one CVE ID. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU9lpzAAoJEKllVAevmvmsbdQH/22bw/68/mpyxJ6cOvlw7e1M QSfNIO+feS9aS9c7k7y2g6yV0KEC7b261gSLQlJFpPVYq7sBh/Y9jLcQhINOWb1j 8m5DP8lqHF4iiCXxxxwJsG5MM2AxvKnk0KXcfGu8qnd6OOmuO4xC+hM5P3XdpRFQ RJeQU8lSDYHD3yb9D+lfvybr/2ceUVAVTuJCeCLDBj0yr7Gvn3+R0as/mqTt6jyU EQqciiLFntiucwSOAFQDD0rA0/9JP+ORDC47BcIyDgi0Xca/T+36NbeIsskMXEjO liBCap+fLIuFWQ0dx5zS+9YQjYwaWyTeaXOFTfjhPUVkgao2CF5aoRSL0qL1zIg= =3sHe -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.