
List:       rtir
Subject:    [rtir] [rt-announce] Security vulnerabilities in RT
From:       Shawn Moore <shawn () bestpractical ! com>
Date:       2015-08-12 19:38:55
Message-ID: 0B7E51C9-FCA2-4CF2-AA39-A30E9EA36144 () bestpractical ! com



We have discovered security vulnerabilities which affect both RT 4.0.x
and RT 4.2.x.  We are releasing RT versions 4.0.24 and 4.2.12 to resolve
these vulnerabilities, as well as patches which apply atop all released
versions of 4.0 and 4.2.

The vulnerabilities addressed by 4.0.24, 4.2.12, and the below patches
include the following:

RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via
the user and group rights management pages.  This vulnerability is assigned
CVE-2015-5475.  It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.

RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack
via the cryptography interface.  This vulnerability could allow an attacker
with a carefully-crafted key to inject JavaScript into RT's user interface.
Installations which use neither GnuPG nor S/MIME are unaffected.

Patches for all releases of 4.0.x and 4.2.x are available for download
below.  Versions of RT older than 4.0.0 are unsupported and do not
receive security patches; please contact sales@bestpractical.com if you
need assistance with an older RT version.

https://download.bestpractical.com/pub/rt/release/security-2015-08-12.tar.gz
https://download.bestpractical.com/pub/rt/release/security-2015-08-12.tar.gz.asc

0ffdfae09837c09957f69e9de69660735d3099ee  security-2015-08-12.tar.gz
92c8d4d299c7bc205eb8382274306dc3aaa14970  security-2015-08-12.tar.gz.asc

The README in the tarball contains instructions for applying the
patches.  If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales@bestpractical.com for more information.
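As an added example, not part of this announcement or of RT itself: a POSIX shell routine that checks the downloaded tarball and its detached signature against the SHA-1 digests listed above and then runs gpg's signature verification, before the patches are unpacked. The digest values and file names are the advisory's; the function names, and the assumption that the Best Practical signing key is already in the local keyring (the advisory names no key id, so none is hard-coded), are this example's.

```shell
#!/bin/sh
# Added example (not part of the advisory): check a downloaded patch tarball
# and its detached signature against the SHA-1 digests quoted in the
# announcement, then verify the PGP signature, before unpacking anything.
# The two digest values and the file names are the advisory's; the function
# names and the keyring assumption below are this example's.

EXPECTED_TARBALL_SHA1="0ffdfae09837c09957f69e9de69660735d3099ee"
EXPECTED_ASC_SHA1="92c8d4d299c7bc205eb8382274306dc3aaa14970"

# sha1_of FILE: print the hex SHA-1 digest of FILE using whichever of
# sha1sum (GNU coreutils) or shasum (Perl, BSD/macOS) is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED: succeed (exit 0) only if FILE exists and its
# digest equals EXPECTED; a missing file or a mismatch fails (exit 1).
verify_sha1() {
    [ -f "$1" ] || return 1
    actual=$(sha1_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_release DIR: check both files from the advisory in DIR, then ask
# gpg to verify the detached signature over the tarball. The signing key
# must already be in the local keyring (assumption of this example; the
# advisory states no key id). gpg's exit status decides the final result.
verify_release() {
    dir=${1:-.}
    verify_sha1 "$dir/security-2015-08-12.tar.gz" "$EXPECTED_TARBALL_SHA1" || {
        echo "tarball digest mismatch or file missing" >&2; return 1; }
    verify_sha1 "$dir/security-2015-08-12.tar.gz.asc" "$EXPECTED_ASC_SHA1" || {
        echo "signature file digest mismatch or file missing" >&2; return 1; }
    gpg --verify "$dir/security-2015-08-12.tar.gz.asc" \
                 "$dir/security-2015-08-12.tar.gz"
}

# Usage (after downloading both files into /tmp/rt-patches):
#   verify_release /tmp/rt-patches && tar xzf /tmp/rt-patches/security-2015-08-12.tar.gz
```

Both the digest check and the signature check are needed: the digests only confirm you received the files the announcement describes, while the signature binds them to the publisher's key; a mismatch in either should stop the patch from being applied.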



-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJVy6DUAAoJEDdW4lQxRAUg4N0QAI3DR7F6KiEAUb6KiT3cGTXp
ryDFPJRrmDBrysMVJm5sMXLAlDfM9jgLXfv3fIyMIkX6SowrPW5zpYgQzYLw4qUN
qnPP8/3JtPqaNuV42scDD+zzBvOC3qEwlEqIBIxzBGuqUAhkf0ZuKqvsGJVvmVU0
JqlEfW2wfvyOR8/xcjgCmIOu6/AgaGJQM0PYqGPIsoaJgXC5inkw8gzzk9Fkwjjw
MBcjLz2j1VPkDwNJKGt3cF2DdUPt3MXX+F44T+4qn6sZUSB5pCu/dHkgh6GOT8Pe
5H/552O4hFOrSNFs4zZ+b0GrPXu1ygxHyMWo1T3mdiZDfPrzwN6+195A9heZMoIJ
OlMZrX6izXokf03v9lerEJ50sD2o2gRBHBdhbS3L4hRNczlXKBVhehkZtiNtRlD6
t0OuwCO4YFZ762ixO7cfSQMh15+Klzf77gOPPzZ8VFoKwnzna931osElw7muImmt
clli0i5+SS7oGjMujV/nY69VS9nrgLRioeS8+FFPNPZWvRg3M8EMTdH81P35znhd
rpxr9ISxYbk3TRual7q2CPUk67dTQKpw0A6wDGUnZsQ826H1ctSY/0RKnQ3coFt4
c3xOsJlpC9RSZGxjdrJKTZqckOtUDzNJV9tJwaoK03PcRt0GUW0DmnMIibrq//LT
kwZH2dsmuu2WYI3/NrX0
=RfJz
-----END PGP SIGNATURE-----


_______________________________________________
rt-announce mailing list
rt-announce@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce


