RT 2.0.8_01 - critical security fix

Earlier today, I was alerted to a security vulnerability in RT's command
line administration tool, rtadmin, by Jay Kramer at Mojomole.com.

The vulnerability, as Jay discovered, allows local shell users to run
RT's command-line administrative tool, rtadmin, with RT superuser
permissions. If you have local shell users who can execute the RT binaries
but who are not trusted administrators, you MUST upgrade to RT 2.0.8_01 as
soon as humanly possible.

Until you upgrade, we recommend that you disable the rtadmin program by
removing every permission bit from it. With no execute bit set, nobody
(not even root) can run the binary; the upgraded rtadmin from the 2.0.8_01
tarball replaces it with its own permissions. Execute the following
command, substituting the path where RT is installed:

chmod 000 /path/to/rt/bin/rtadmin
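The stopgap above, written as a small shell function that applies the
mode change and then verifies it took effect. This is an added example,
not part of the advisory or of RT itself; the function name and the
path argument are assumptions, and the verification relies only on
`ls -l` and the shell's `-x` test so it runs on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the RT advisory or the RT code base).
# disable_rt_binary PATH: strip all permission bits from PATH and verify
# that nothing can execute it any more. Intended as a stopgap for
# /path/to/rt/bin/rtadmin until RT 2.0.8_01 is installed.
disable_rt_binary() {
  bin="$1"
  # Refuse to act on anything but a regular file (a symlink or a typo in
  # the path would otherwise be silently chmod'ed or reported as missing).
  if [ ! -f "$bin" ]; then
    echo "disable_rt_binary: not a regular file: $bin" >&2
    return 1
  fi
  chmod 000 "$bin" || return 1
  # Verify 1: the nine permission characters from ls -l must all be '-'.
  mode=$(ls -l "$bin" | cut -c2-10)
  if [ "$mode" != "---------" ]; then
    echo "disable_rt_binary: unexpected mode '$mode' on $bin" >&2
    return 1
  fi
  # Verify 2: with no execute bit set, -x is false even for root.
  if [ -x "$bin" ]; then
    echo "disable_rt_binary: $bin is still executable" >&2
    return 1
  fi
  echo "disabled $bin (mode 000); install RT 2.0.8_01 to restore a working rtadmin"
  return 0
}

# Usage: sh disable-rtadmin.sh /path/to/rt/bin/rtadmin
if [ $# -gt 0 ]; then
  disable_rt_binary "$1"
fi
```

The second check matters because `chmod` can succeed on a filesystem that
does not honour mode bits as expected; testing `-x` afterwards confirms
the binary really is unrunnable before you rely on the mitigation.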

RT 2.0.8_01 is immediately available from:

ftp://ftp.fsck.com/pub/rt/release/rt-2-0-8_01.tar.gz

A diff between RT 2.0.8 and RT 2.0.8_01 is attached to this message.

Thanks very much to Jay Kramer for his quick and professional handling of
this vulnerability report.

Jesse Vincent
Best Practical Solutions, LLC

http://www.bestpractical.com/products/rt – Trouble Ticketing. Free.

rt-2-0-8_01-security.diff (4.11 KB)