Heartbleed OpenSSL vulnerability

I haven’t seen anything on this mailing list, or on the Best Practical web site, that discusses the Heartbleed vulnerability.

Does RT use OpenSSL in any way?
My server had a vulnerable version of OpenSSL installed at the time RT was compiled. I would like to know if RT needs to be recompiled/upgraded now that OpenSSL has been patched.

Thanks,
Fred


I haven’t seen anything on this mailing list, or on the Best Practical
web site, that discusses the Heartbleed vulnerability.

Does RT use OpenSSL in any way?

RT does not use OpenSSL in any way that is vulnerable. While RT 4.2
does use OpenSSL directly when decoding S/MIME encrypted mail, this
process does not involve TLS – hence the vulnerability in the Heartbeat
extension of TLS does not apply.

That being said, there are a number of external services that RT
interacts with which may use OpenSSL in an affected manner. Restarting
those services after updating your OpenSSL libraries is sufficient to
close the vulnerability. The ways in which RT may interact with
vulnerable services include such things as:

  1. Your webserver (Apache, nginx, etc) may use OpenSSL to implement
    TLS negotiation for HTTPS connections.
  2. Your database may use OpenSSL to implement TLS negotiation to
    secure the connection that RT uses to speak to the database. This is
    the case if the RT configuration option $DatabaseRequireSSL is set.
  3. Your LDAP server (OpenLDAP) may use OpenSSL to implement TLS
    negotiation to secure the connection that RT::Authen::ExternalAuth or
    RT::Extension::LDAPImport uses to acquire LDAP data.
  4. Your mail server (postfix, exim, etc) may use OpenSSL to implement
    TLS negotiation over SMTP when speaking to remote mailservers.

In all of the above cases, restarting the affected server after updating
the OpenSSL libraries is sufficient to close the vulnerability. You may
wish to also generate new SSL certificates, in the light of the fact
that the vulnerability has been successfully used to acquire SSL private
keys, and multiple automated tools to do so have been released.

My server had a vulnerable version of OpenSSL installed at the time RT
was compiled. I would like to know if RT needs to be
recompiled/upgraded now that OpenSSL has been patched.

RT is written in perl; as such, it is not compiled, and no changes need
to be made to RT itself to close the vulnerability. See above
concerning other related services which may be affected, of course.

  • Alex
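The reply above says that restarting the affected services after the OpenSSL library upgrade is what closes the hole. The check a practitioner wants is which services still have the old library loaded. On Linux, a package upgrade replaces the file on disk, so a process that was started before the upgrade keeps the unlinked inode mapped and /proc/<pid>/maps lists it with a "(deleted)" suffix (this is the same check that the needrestart and checkrestart tools perform). The script below is an added example, not code from the thread or from Best Practical; it assumes a Linux /proc layout and a package manager that unlinks the old file (dpkg and rpm both do). The sample process tree it builds is constructed for the demonstration: the pid numbers, paths and process names are made up.

```shell
#!/bin/sh
# Added example: find processes that still map a removed (pre-upgrade)
# libssl/libcrypto, i.e. services that must be restarted after updating
# OpenSSL. The default root is /proc; a different root is accepted so the
# function can be exercised against a constructed sample tree offline.

stale_ssl_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        piddir=$(dirname "$maps")
        pid=$(basename "$piddir")
        # A mapping of libssl/libcrypto whose file was unlinked by the
        # package upgrade shows up as "... libssl.so.1.0.0 (deleted)".
        if grep -qE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            comm=$(cat "$piddir/comm" 2>/dev/null || echo '?')
            echo "$pid $comm"
        fi
    done
}

# Constructed /proc-like tree (hypothetical pids, names and paths) used only
# to demonstrate the check without touching the real system.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/202" "$root/303"

    # pid 101: a web server started before the upgrade, old library still
    # mapped -> needs a restart.
    printf 'apache2\n' > "$root/101/comm"
    cat > "$root/101/maps" <<'EOF'
7f1a00000000-7f1a00200000 r-xp 00000000 08:01 131072 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a00400000-7f1a00600000 r-xp 00000000 08:01 131073 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
EOF

    # pid 202: a database already restarted after the upgrade, current
    # library on disk -> nothing to do.
    printf 'postgres\n' > "$root/202/comm"
    cat > "$root/202/maps" <<'EOF'
7f2b00000000-7f2b00200000 r-xp 00000000 08:01 140000 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
EOF

    # pid 303: an RT perl worker with no libssl mapped at all, matching the
    # reply's point that RT itself does not speak TLS.
    printf 'perl\n' > "$root/303/comm"
    cat > "$root/303/maps" <<'EOF'
7f3c00000000-7f3c00200000 r-xp 00000000 08:01 150000 /usr/lib/x86_64-linux-gnu/libperl.so.5.18
EOF

    echo "$root"
}

# Usage on a real host, as root, after the OpenSSL package upgrade:
#   stale_ssl_users          # reads /proc and prints "<pid> <comm>" per hit
# Offline demonstration against the constructed tree:
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_proc)
    stale_ssl_users "$root"
    rm -rf "$root"
fi
```

Each line printed names a service to restart (the web server, database, LDAP server or MTA from the reply's list); an empty result after restarting everything listed means no process on the host is still executing the vulnerable library. Reading every process's maps file requires root, and the check says nothing about remote hosts or about certificates already exposed before the upgrade, which the reply addresses separately.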