Security vulnerabilities in RT


We have discovered security vulnerabilities which affect both RT 4.0.x
and RT 4.2.x. We are releasing RT versions 4.0.23 and 4.2.10 to resolve
these vulnerabilities, as well as patches which apply atop all released
versions of 4.0 and 4.2.

The vulnerabilities addressed by 4.0.23, 4.2.10, and the below patches
include the following:

RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable
to a remote denial-of-service via the email gateway; any installation
which accepts mail from untrusted sources is vulnerable, regardless of
the permissions configuration inside RT. This denial-of-service may
encompass both CPU and disk usage, depending on RT’s logging
configuration. This vulnerability is assigned CVE-2014-9472.

RT 3.8.8 and above are vulnerable to an information disclosure attack
which may reveal RSS feeds URLs, and thus ticket data; this
vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be
leveraged to perform session hijacking, allowing a user with the URL to
log in as the user that created the feed; this vulnerability is assigned
CVE-2015-1464.

We would like to thank Christian Loos <cloos@netcologne.de> for
reporting CVE-2014-9472 and CVE-2015-1165; CVE-2015-1464 was found by
internal review.

Patches for all releases of 4.0.x and 4.2.x are available for download
below. Versions of RT older than 4.0.0 are unsupported and do not
receive security patches; please contact sales@bestpractical.com if you
need assistance with an older RT version.

https://download.bestpractical.com/pub/rt/release/security-2015-02-26.tar.gz
https://download.bestpractical.com/pub/rt/release/security-2015-02-26.tar.gz.asc

aac58bf3aa6d918dbefbaa2b27a9694f27b32d58 security-2015-02-26.tar.gz
6abe9a58400db3ee2cdbdf17704f0d881d90d744 security-2015-02-26.tar.gz.asc

The README in the tarball contains instructions for applying the
patches. If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales@bestpractical.com for more information.
rt-announce mailing list
rt-announce@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce

http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz

I get: Not Found

The URL needs "/pub" before "/rt".

We've adjusted the server to accommodate the missing /pub. Thank
you for the quick catch.

  • Alex

In addition to releasing RT versions 3.8.12 and 4.0.6 which address
these issues, we have also collected patches for all releases of 3.8 and 4.0
into a distribution available for download at this link:

http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz
http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz.asc

It has been brought to our attention that the patchset requires version
0.68 or higher of FCGI.pm if you are running a FastCGI deployment. A
too-low version of this module will manifest as outgoing mail failing to
be sent, and errors in the logs resembling:

Could not send mail with command [...]:
Can't locate object method "FILENO" via package "FCGI::Stream"

RT 3.8.11 and 4.0.5 already require version 0.75 or higher, to ensure
that you are protected from CVE-2011-2766, which affects mod_fastcgi:
http://lists.bestpractical.com/pipermail/rt-announce/2011-October/000196.html

  • Alex
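As an added example (not code from this thread or from Best Practical), a POSIX shell pre-patch check for a FastCGI deployment: it verifies a downloaded patchset against the SHA-1 fingerprint printed in the advisory, reports whether the installed FCGI.pm meets the 0.68 minimum named above (0.75 to also cover CVE-2011-2766), and looks for the FCGI::Stream FILENO log symptom. The `perl -MFCGI` invocation, the straight-quoted form of the log message, and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the rt-announce thread or Best Practical: pre-patch
# checks for an RT FastCGI deployment using the thread's stated requirements.
# Assumes perl is on PATH and the patchset tarball has already been downloaded.

FCGI_MIN_PATCHSET=0.68        # minimum for the 2012 security patchset on FastCGI
FCGI_MIN_CVE_2011_2766=0.75   # required by RT 3.8.11 / 4.0.5 for CVE-2011-2766

# Returns 0 when decimal version $1 >= $2 (FCGI.pm uses plain decimal versions).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit (a + 0 >= b + 0) ? 0 : 1 }'
}

# Prints the installed FCGI.pm version, or nothing when the module is missing.
installed_fcgi_version() {
    perl -MFCGI -e 'print $FCGI::VERSION' 2>/dev/null
}

# Classifies a version: ok (>=0.75), patchset-only (>=0.68 but <0.75), too-old.
classify_fcgi_version() {
    if version_ge "$1" "$FCGI_MIN_CVE_2011_2766"; then echo ok
    elif version_ge "$1" "$FCGI_MIN_PATCHSET"; then echo patchset-only
    else echo too-old; fi
}

# Returns 0 when the log contains the outgoing-mail symptom of a too-old FCGI.pm
# (the message form with straight quotes is assumed).
log_shows_fcgi_symptom() {
    grep -qF 'object method "FILENO" via package "FCGI::Stream"' "$1"
}

# Returns 0 when the SHA-1 of file $1 equals the advisory's fingerprint $2.
sha1_matches() {
    actual=$( { sha1sum "$1" 2>/dev/null || shasum -a 1 "$1"; } | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# usage: rt-prepatch-check.sh <tarball> <expected-sha1> [rt-log-file]
main() {
    sha1_matches "$1" "$2" && echo "tarball fingerprint matches" \
        || { echo "tarball fingerprint MISMATCH: do not apply"; return 1; }
    ver=$(installed_fcgi_version)
    echo "FCGI.pm ${ver:-not installed}: $(classify_fcgi_version "${ver:-0}")"
    if [ -n "$3" ] && log_shows_fcgi_symptom "$3"; then
        echo "log already shows the FCGI::Stream FILENO error: upgrade FCGI.pm"
    fi
}

[ $# -gt 0 ] && main "$@"
```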

Just to clarify: after applying the patch to 3.8.9, do I have 3.8.10?
The page footer and system configuration page still say 3.8.9 and
don’t mention the patch.

No. The security patchsets are a minimal set of security patches which
do not include the other bugfixes in 3.8.10.

  • Alex