-----BEGIN PGP SIGNED MESSAGE-----
We have discovered security vulnerabilities which affect both RT 4.0.x
and RT 4.2.x. We are releasing RT versions 4.0.23 and 4.2.10 to resolve
these vulnerabilities, as well as patches which apply atop all released
versions of 4.0 and 4.2.
The vulnerabilities addressed by 4.0.23, 4.2.10, and the below patches
include the following:
RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable
to a remote denial-of-service via the email gateway; any installation
which accepts mail from untrusted sources is vulnerable, regardless of
the permissions configuration inside RT. This denial-of-service may
encompass both CPU and disk usage, depending on RT’s logging
configuration. This vulnerability is assigned CVE-2014-9472.
RT 3.8.8 and above are vulnerable to an information disclosure attack
which may reveal RSS feeds URLs, and thus ticket data; this
vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be
leveraged to perform session hijacking, allowing a user with the URL to
log in as the user that created the feed; this vulnerability is assigned
We would like to thank Christian Loos firstname.lastname@example.org for
reporting CVE-2014-9472 and CVE-2015-1165; CVE-2015-1464 was found by
Patches for all releases of 4.0.x and 4.2.x are available for download
below. Versions of RT older than 4.0.0 are unsupported and do not
receive security patches; please contact email@example.com if you
need assistance with an older RT version.
The README in the tarball contains instructions for applying the
patches. If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
firstname.lastname@example.org for more information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----
rt-announce mailing list