Is Red Hat packaging RT now, or are you just handling the CVEs?
In all future security mail, please use our security contact address
firstname.lastname@example.org, not developer email addresses pulled from
commits. Details for our security contact are at:
We have no context for Red Hat's (and Debian's?) involvement here. Can
you bring us up to speed on your plans regarding CVEs and/or security
releases in your distributions?
On 22 Feb 2011 09:37, Jan Lieskovsky wrote:
> 2) * Redirect users to their desired pages after login.
> Upstream bug report:
> [c] http://issues.bestpractical.com/Ticket/Display.html?id=15804
> Upstream changeset:
> Thomas, could you please confirm [d] is the proper fix for 2)
> issue? Thank you.
> (* Redirect users to their desired pages after login.)
The commit you linked to is not the full fix. As noted in our own bug
report you also link to above, the fix was merged into 3.8-trunk with
That said, what are your plans for the diffset? The commit itself can't
be used as a standalone patch for the issue. It introduced a few other
bugs in core RT and broke the current stable versions of
RT-Authen-ExternalAuth (a very popular, critical extension). The bugs
have been fixed by other commits and there are development releases of a
Are you trying to package a patch in a security update?
> 3) * Clone Scrip's TicketObj since we change the CurrentUser and it can leak
> information (Custom field values, etc)
> Upstream changeset (needs confirmation from upstream if it's
> real fix for the issue yet):
> Shawn, could you please confirm [iii] is the proper fix for 3) issue?
> (* Clone Scrip's TicketObj since we change the CurrentUser and it can leak)
The above commit is an unrelated bug fix. The correct commit is
2338cd19ed7a7f4c1e94f639ab2789d6586d01f3, however we've never tested it
as a standalone fix. Again, what are your plans?
Thomas, for Best Practical