We have discovered security vulnerabilities which affect both RT 4.0.x and RT 4.2.x. We are releasing RT versions 4.0.24 and 4.2.12 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.
The vulnerabilities addressed by 4.0.24, 4.2.12, and the patches below include the following:
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via the user and group rights management pages. This vulnerability is assigned CVE-2015-5475. It was discovered and reported by Marcin Kopeć at Data Reliance Shared Service Center.
Patches for all releases of 4.0.x and 4.2.x are available (signature). Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact firstname.lastname@example.org if you need assistance with an older RT version.
The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at email@example.com for more information.