Fix for CVEs for RT 3.8.1


#1

Hi,

Are fixes available for back-porting to RT 3.8.1 for the CVEs below?

CVE-2011-5092
CVE-2011-1008
CVE-2011-1007
CVE-2009-4151
CVE-2009-3892

Do any of the above pose high risk?

Regards,
Ashwin.


#2

The 3.8 series of RT reached end of life in 2014. The CVEs you listed are not the only ones that 3.8.1 is vulnerable to; 3.8.0 through 3.8.11 are vulnerable to remote execution of code, as well as SQL injection to obtain arbitrary data, for instance. CVE-2011-5092, which you cite, is also an arbitrary execution of code vulnerability.

While Best Practical did release security patches which could be applied to 3.8.1 to resolve the issues you cite above (as well as many others), there are no patches for the 3.8 series for any of the vulnerabilities discovered after 3.8 reached end of life.

RT 3.8.1 was released ten years ago. Upgrade to a supported version of RT.


#3

Thanks for the reply! That helps!


#4

Hi,

Can someone please help with the links to patches for the above CVEs? Couldn’t find them.

Regards,
Ashwin.


#5

Does the link to the patch sets in this posting linked to above not provide you with what you need?

Better yet, follow this link and get a completely up to date RT. :slight_smile:


#6

> Can someone please help with the links to patches for the above CVEs?

No.

> Couldn’t find them.

Because, as I mentioned above, they don’t exist – because RT 3.8.1 has reached end of life, and there are published, known vulnerabilities for which there are no patches, because it was no longer supported when they were discovered.

I’ll say it again – upgrade to a supported version of RT. Upgrading will not be hard – Best Practical has worked hard to make upgrading as painless as possible.