-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have discovered security vulnerabilities which affect both RT 4.0.x and RT 4.2.x. We are releasing RT versions 4.0.23 and 4.2.10 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.
The vulnerabilities addressed by 4.0.23, 4.2.10, and the below patches include the following:

RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a remote denial-of-service via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This denial-of-service may encompass both CPU and disk usage, depending on RT's logging configuration. This vulnerability is assigned CVE-2014-9472.

RT 3.8.8 and above are vulnerable to an information disclosure attack which may reveal RSS feed URLs, and thus ticket data; this vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be leveraged to perform session hijacking, allowing a user with the URL to log in as the user that created the feed; this vulnerability is assigned CVE-2015-1464.

We would like to thank Christian Loos <[email protected]> for reporting CVE-2014-9472 and CVE-2015-1165; CVE-2015-1464 was found by internal review.

Patches for all releases of 4.0.x and 4.2.x are available for download below. Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact [email protected] if you need assistance with an older RT version.

https://download.bestpractical.com/pub/rt/release/security-2015-02-26.tar.gz
https://download.bestpractical.com/pub/rt/release/security-2015-02-26.tar.gz.asc

aac58bf3aa6d918dbefbaa2b27a9694f27b32d58 security-2015-02-26.tar.gz
6abe9a58400db3ee2cdbdf17704f0d881d90d744 security-2015-02-26.tar.gz.asc

The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at [email protected] for more information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlTvSZMACgkQMflWJZZAbqCj5gCgwmXReEL+TIUYrAzfTl0aj0rr
+ZIAn2Uq8K12j3r+se6yZlg/B6myoJSM
=kSeJ
-----END PGP SIGNATURE-----

_______________________________________________
rt-announce mailing list
[email protected]
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce
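As an added triage helper (not part of the announcement or of RT itself), the following script encodes the affected-version ranges stated above so an administrator can check an installation's RT and Perl versions against them. It assumes that version strings look like "4.2.9" or "v5.14.0", and that any branch newer than 4.2 is outside this advisory's scope.

```python
"""Map an RT installation's RT and Perl versions onto the advisory's ranges.

Rules taken from the announcement:
  - CVE-2014-9472: RT >= 3.0.0 running on Perl >= 5.14.0
  - CVE-2015-1165 and CVE-2015-1464: RT >= 3.8.8
  - fixed in 4.0.23 and 4.2.10; only 4.0.x and 4.2.x receive patches
"""
import re
from typing import List, Tuple

# First fixed patch level per supported branch (from the advisory).
FIXED = {(4, 0): 23, (4, 2): 10}


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '4.2.9', 'v5.14.0' or '5.014' into a 3-tuple of ints.

    Only the leading digits of each component are used, so a suffix
    such as 'rc1' is ignored (assumption: rc builds are treated as
    the release they precede). Missing components are padded with 0.
    """
    parts = []
    for component in s.split(".")[:3]:
        m = re.search(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def patch_available(rt_version: str) -> bool:
    """The advisory ships patches only for the 4.0.x and 4.2.x branches."""
    return parse_version(rt_version)[:2] in FIXED


def affected_cves(rt_version: str, perl_version: str) -> List[str]:
    """Return the CVEs from this advisory that apply to the given versions."""
    rt = parse_version(rt_version)
    perl = parse_version(perl_version)
    branch = rt[:2]
    # Already at or past the fixed release on a supported branch.
    if branch in FIXED and rt[2] >= FIXED[branch]:
        return []
    # Assumption: branches newer than 4.2 are not covered by this advisory.
    if branch > (4, 2):
        return []
    cves = []
    if rt >= (3, 0, 0) and perl >= (5, 14, 0):
        cves.append("CVE-2014-9472")
    if rt >= (3, 8, 8):
        cves += ["CVE-2015-1165", "CVE-2015-1464"]
    return cves
```

An installation that is affected but returns False from patch_available() is on an unsupported branch and must upgrade rather than patch, as the announcement states.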
