New vulnerability with FCKEditor, is RT affected?

I’m unsure what version of FCKEditor is included with RT 3.8.4. Is
the version of FCKEditor less than 2.6.4.1?

There is a potential advisory out for FCKEditor 2.6.4.1 and less:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265

Thanks

Mike

> I’m unsure what version of FCKEditor is included with RT 3.8.4. Is
> the version of FCKEditor less than 2.6.4.1?
>
> There is a potential advisory out for FCKEditor 2.6.4.1 and less:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265

We ship 2.6.4, but we haven’t included the filemanager directory
in 3.8.2, 3.8.3 or 3.8.4.

We don’t support any of the FCKEditor file management
code paths, so we disabled them.

Those versions of RT shouldn’t be affected by this security report,
and if you’re running 3.8.0 or 3.8.1 there have been a ton of bugfixes
in our FCKEditor support so an upgrade is recommended.

We’ll roll 2.6.4.1 in before we release 3.8.5; I’ve created
http://rt3.fsck.com/Ticket/Display.html?id=13665
to make sure it is tracked.

-kevin
