We have released RT version 4.2.10 to resolve CVE-2014-9472, CVE-2015-1165, and CVE-2015-1464, along with a number of bugfixes; see the release notes for a complete list.
RT 4.0.23 released
We have released RT version 4.0.23 to resolve CVE-2014-9472, CVE-2015-1165, and CVE-2015-1464, along with a number of bugfixes; see the release notes for a complete list.
Security vulnerabilities in RT
We have discovered security vulnerabilities which affect both RT 4.0.xand RT 4.2.x. We are releasing RT versions 4.0.23 and 4.2.10 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.
The vulnerabilities addressed by 4.0.23, 4.2.10, and the below patches include the following:
RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a remote denial-of-service via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This denial-of-service may encompass both CPU and disk usage, depending on RT's logging configuration. This vulnerability is assigned CVE-2014-9472.
RT 3.8.8 and above are vulnerable to an information disclosure attack which may reveal RSS feeds URLs, and thus ticket data; this vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be leveraged to perform session hijacking, allowing a user with the URL to log in as the user that created the feed; this vulnerability is assigned CVE-2015-1464.
We would like to thank Christian Loos
Patches for all releases of 4.0.x and 4.2.x are available (signature). Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.
The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.
RT for Incident Response 3.2.0 Released
RTIR 3.2.0 is the first release of RTIR compatible with RT 4.2.
It is only compatible with RT 4.2.9 and later and will refuse to install on earlier versions of RT 4.2.
You should be sure to review both core RT's UPGRADING-4.2 as well as RTIR's UPGRADING-3.2 documentation and any other UPGRADING documentation which may be relevant to your old version.
You can find complete release notes and downloads on https://bestpractical.com/rtir/
RT for Incident Response 3.0.4 Released
RTIR 3.0.4 is a bug fix release for the RTIR 3.0 series and is now available.
If you've been waiting to upgrade to RTIR 3.2.0, please consider testing RTIR 3.2.0rc5 and sending feedback to the mailing list or bugtracker.
RT 4.2.9 Released
RT 4.2.9 has been released.
RT for Incident Response 3.0.3 Released
RTIR 3.0.3 contains a number of bugfixes from 3.0.2.
RT for Incident Response 3.2.0 Release Candidate available
We released our first release candidate for RTIR 3.2.0rc1 earlier this week.
You can read the release notes or download a tarball.
RT 4.2.8 released
We have released RT version 4.2.8 to resolve CVE-2014-7227, along with a small number of bugfixes; see the release notes for a complete list.
Security vulnerability in RT 4.2.x - CVE-2014-7227
We have discovered a security vulnerability in RT 4.2.x, detailed below.We are releasing RT version 4.2.8 to resolve this vulnerability, as well as patches which apply atop all released versions of 4.2.
RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as "Shellshock." This vulnerability requires a privileged user with access to an RT instance running with SMIME integration enabled; it applies to both mod_perl and fastcgi deployments. If you have already taken upgrades to bash to resolve "Shellshock," you are protected from this vulnerability in RT, and there is no need to apply this patch. This vulnerability has been assigned CVE-2014-7227.
As there is no SMIME integration available for RT 4.0, it is not vulnerable to this attack. The RT-Crypt-SMIME extension for RT 3.6.0, while also vulnerable, is no longer supported.
Patches for all releases of 4.2.x are available (signature). Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.
The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.