This is a notification of a security vulnerability, not in RT, but inperl itself. That vulnerability, CVE-2013-1667, affects all production versions of perl from 5.8.2 to 5.16.x.

From perl5-porters:

In order to prevent an algorithmic complexity attack against its
hashing mechanism, perl will sometimes recalculate keys and
redistribute the contents of a hash.  This mechanism has made perl
robust against attacks that have been demonstrated against other
systems.
Research by Yves Orton has recently uncovered a flaw in the
rehashing code which can result in pathological behavior.  This flaw
could be exploited to carry out a denial of service attack against
code that uses arbitrary user input as hash keys.

Vendors, including RedHat, Debian, and Ubuntu, were informed of this problem two weeks ago. Debian has pushed updated packages, and others are expected to do so soon. We encourage you to take these updates as soon as they are available.

We are aware that taking updated versions of some vendor perl packages (particularly with older releases of RedHat) may downgrade some modules that RT requires to run, causing breakages when RT is restarted. This is particularly known to be an issue with Scalar::Util, Sys::Syslog, and File::Temp.

For this reason, we suggest re-running rt-test-dependencies after you upgrade perl, to ensure that this has not occured. You can do this via running /opt/rt4/bin/rt-test-dependencies, and passing it one of --with-mysql, --with-pg, or --with-oracle, as well as --with-fastcgi or --with-modperl2 as suits your current deployment. If unmet dependencies are found, you should immediately upgrade them; this can be done by re-running rt-test-dependencies with the additional --install option.

The vendor upgrades of perl may not be sufficient if you are running a locally-compiled version of perl. You can determine if this is the case by examining the first line of /opt/rt4/bin/rt (or /opt/rt3/bin/rt). If that line contains:

#!/usr/bin/perl

...then you are running the vendor-supplied version of perl, and need take no further steps. Otherwise, you will need to upgrade your locally installed perl, or re-install it after applying security patches. Perl 5.16.3 and 5.14.4 have now been released, and we strongly we recommend upgrading to those.

If you need help resolving this issue, please contact us at sales@bestpractical.com for more information.

We have determined a number of security vulnerabilities which affectboth RT 3.8.x and RT 4.0.x. We are releasing RT versions 3.8.15 and 4.0.8, and RTFM version 2.4.5, to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.15, 4.0.8, and the patches include the following:

All versions of RT are vulnerable to an email header injection attack. Users with ModifySelf or AdminUser can cause RT to add arbitrary headers or content to outgoing mail. Depending on the scrips that are configured, this may be be leveraged for information leakage or phishing. We have been assigned CVE-2012-4730 for this vulnerability; we would like to thank Scott MacVicar for bringing this matter to our attention.

RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability due to lack of proper rights checking, allowing any privileged user to create Articles in any class. We have been assigned CVE-2012-4731 for this vulnerability.

All versions of RT with cross-site-request forgery (CSRF) protection (RT 3.8.12 and above, RT 4.0.6 and above, and any instances running the security patches released 2012-05-22) contain a vulnerability which incorrectly allows though CSRF requests which toggle ticket bookmarks. We have been assigned CVE-2012-4732 for this vulnerability; we would like to thank Matthew Astley for bringing this to our attention.

Additionally, all versions of RT are vulnerable to a confused deputy attack on the user. While not strictly a CSRF attack, users who are not logged in who are tricked into following a malicious link may, after supplying their credentials, be subject to an attack which leverages their credentials to modify arbitrary state. While users who were logged in would have observed the CSRF protection page, users who were not logged in receive no such warning due to the intervening login process. RT has been extended to notify users of pending actions during the login process. We have been assigned CVE-2012-4734 for this vulnerability; we would like to thank Matthew Astley for bringing this to our attention.

RT 3.8.0 and above are susceptible to a number of vulnerabilities concerning improper signing or encryption of messages using GnuPG; if GnuPG is not enabled, none of the following affect you. We have been assigned CVE-2012-4735 for the following related vulnerabilities:

• When using GnuPG, RT now clarifies the concepts of signing for integrity and signing for authentication, which are separate (and exclusive) concepts. Previously, enabling the "Sign by default" queue configuration began signing automatically-generated messages with the queue's key, in addition to defaulting emails sent from the web UI to being signed. This provides integrity, but causes emails signed with that key to no longer possess authenticity; no individual email is guaranteed to have come from an actor designated to act for that key, in the case of automatically-generated emails.

  RT has now changed the "Sign by default" checkbox to merely provide a default in the web UI when composing messages; it no longer affects automatically-generated outgoing messages. Thus the "Sign by default" option helps to provide authenticity. A separate queue configuration option, "Sign all auto-generated mail" (defaulting to off) now controls the signing of automatically- generated emails, which (when used in combination with the previous option) helps provide integrity of all outgoing messages.

  Users who had previously checked "Sign by default" and who wish to maintain the previous effect of integrity but not authenticity will need to enable the new option as well.

  We would like to thank Matthijs Melissen (University of Luxembourg) for bringing this matter to our attention.

• RT 3.8.0 and above contain a vulnerability which allows incoming emails to force all triggered outgoing mail to be signed and/or encrypted.

• RT 3.8.0 and above contain a vulnerability which allows incoming emails to incorrectly appear in the UI to have been encrypted when they had not been. This vulnerability only applies to encryption, not signing.

• RT 3.8.0 and above contain a vulnerability which allows any user who is capable of sending signed email in the UI to do so using any secret key stored in RT's keyring.

Additionally, RT 3.8.0 and above contain a vulnerability which allows a user to pass arbitrary arguments to the command-line GnuPG client, which could be leveraged to create arbitrary files on disk with the permissions of the webserver. This vulnerability only applies if GnuPG is enabled, and does not allow for execution of programs other than the command-line GnuPG client. We have been assigned CVE-2012-4884 for this vulnerability.

If you are running 3.8.x and RTFM, you will need to install RTFM 2.4.5 to resolve CVE-2012-4731. Patches for all releases of 3.8.x and 4.0.x are available for download; The README within it contains instructions for applying the patches. Otherwise, we recommend upgrading to RT 4.0.8, which resolves the above vulnerabilities.

If you are using RT::Authen::ExternalAuth, you also need to upgrade it to version 0.12 for compatibility with the security fixes in RT 4.0.8, 3.8.15, and the patches.