Security vulnerability in RT 4.2.x - CVE-2014-7227

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have discovered a security vulnerability in RT 4.2.x, detailed below.
We are releasing RT version 4.2.8 to resolve this vulnerability, as well
as patches which apply atop all released versions of 4.2.

RT 4.2.0 and above may be vulnerable to arbitrary execution of code by
way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or
CVE-2014-6271 – collectively known as “Shellshock.” This vulnerability
requires a privileged user with access to an RT instance running with
SMIME integration enabled; it applies to both mod_perl and fastcgi
deployments. If you have already taken upgrades to bash to resolve
“Shellshock,” you are protected from this vulnerability in RT, and there
is no need to apply this patch. This vulnerability has been assigned
CVE-2014-7227.

As there is no SMIME integration available for RT 4.0, it is not
vulnerable to this attack. The RT-Crypt-SMIME extension for RT 3.6.0,
while also vulnerable, is no longer supported.

Patches for all releases of 4.2.x are available for download below.
Versions of RT older than 4.0.0 are unsupported and do not receive
security patches; please contact sales@bestpractical.com if you need
assistance with an older RT version.

http://download.bestpractical.com/pub/rt/release/security-2014-10-02.tar.gz
http://download.bestpractical.com/pub/rt/release/security-2014-10-02.tar.gz.asc

694483fe6595bdbb8d98285d7e2f9eeafeb511da security-2014-10-02.tar.gz
0f7c1baa0262833dbed6549e43d2554abd3c2e77 security-2014-10-02.tar.gz.asc

The README in the tarball contains instructions for applying the
patches. If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales@bestpractical.com for more information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQtdqcACgkQMflWJZZAbqDJ/wCgjaP6qbP0wdgGGYyvMWJDSKb7
FWcAniXypUZ+fMni2yc+96HAgCpnU62+
=EHkb
-----END PGP SIGNATURE-----

rt-announce mailing list
rt-announce@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce
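The three questions an RT administrator needs answered after reading the advisory are: is SMIME integration actually enabled on this instance, has the host's bash already been patched for Shellshock, and does the downloaded patch tarball match the published checksums. The POSIX shell helper below is an added example written for this page; it is not Best Practical's code and is not part of the advisory or the patch tarball. It assumes (labelled in the comments) that the RT 4.2 site configuration stores its settings as `Set(%SMIME, Enabled => 1, ...)` in `RT_SiteConfig.pm`, uses the widely published CVE-2014-6271 environment-variable probe to confirm the bash upgrade took effect, and embeds the two SHA1 values exactly as listed in the advisory above. The `check_sha1_of` helper is a local fallback for systems that ship `shasum` instead of `sha1sum`.

```shell
#!/bin/sh
# Added triage helper for CVE-2014-7227 (example code, not Best Practical's).
# Assumption: RT 4.2 stores the SMIME switch as  Set(%SMIME, Enabled => 1, ...)
# in RT_SiteConfig.pm (key names taken from RT 4.2's RT_Config.pm).
# The SHA1 list is copied verbatim from the advisory above.

ADVISORY_SHA1="694483fe6595bdbb8d98285d7e2f9eeafeb511da  security-2014-10-02.tar.gz
0f7c1baa0262833dbed6549e43d2554abd3c2e77  security-2014-10-02.tar.gz.asc"

# 1. Is SMIME integration switched on?  Heuristic scan of a site config.
#    Prints "enabled", "disabled" or "absent" (file missing/unreadable).
rt_smime_status() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "absent"; return 0; }
    # Drop Perl comment lines, then collapse to one line so a multi-line
    # Set(%SMIME, ...) call is matched; look for Enabled => 1 inside that call.
    if grep -v '^[[:space:]]*#' "$cfg" | tr '\n' ' ' \
       | grep -Eq 'Set\([[:space:]]*%SMIME[[:space:]]*,[^)]*Enabled[[:space:]]*=>[[:space:]]*1[[:space:]]*[,)]'; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# 2. Does the installed bash still import function bodies from the
#    environment?  This is the widely published CVE-2014-6271 diagnostic:
#    a patched bash ignores the trailing command and only prints "probe".
#    Prints "patched", "vulnerable" or "no-bash".
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Portable SHA1 of a file: GNU sha1sum, falling back to Perl's shasum.
check_sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi \
        | awk '{ print $1 }'
}

# 3. Verify a downloaded file against a "<sha1>  <name>" list (the advisory's
#    list by default).  Returns 0 on match, 1 on mismatch, missing file or
#    a file name that is not in the list.
verify_sha1() {
    file="$1"; list="${2:-$ADVISORY_SHA1}"
    [ -f "$file" ] || return 1
    expected=$(printf '%s\n' "$list" | awk -v f="$(basename "$file")" '$2 == f { print $1 }')
    [ -n "$expected" ] || return 1
    [ "$(check_sha1_of "$file")" = "$expected" ]
}

# Usage:  sh triage.sh /opt/rt4/etc/RT_SiteConfig.pm [security-2014-10-02.tar.gz]
triage() {
    echo "SMIME integration : $(rt_smime_status "$1")"
    echo "bash Shellshock   : $(bash_shellshock_status)"
    if [ -n "$2" ]; then
        if verify_sha1 "$2"; then echo "tarball checksum  : OK"; else echo "tarball checksum  : MISMATCH"; fi
    fi
}

if [ $# -gt 0 ]; then triage "$@"; fi
```

Run it on the RT host itself. An instance reporting `disabled` for SMIME is outside the advisory's stated precondition; one reporting `patched` for bash is already protected per the advisory and does not need the RT patch; only a tarball reporting `OK` (and, separately, a good `gpg --verify` of the `.asc` file) should be unpacked and applied following the README it contains.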