Our blog: news and views from the makers of Request Tracker. — Best Practical Solutions

Alex Vandiver

RT 4.2.10 released

We have released RT version 4.2.10 to resolve CVE-2014-9472, CVE-2015-1165, and CVE-2015-1464, along with a number of bugfixes; see the release notes for a complete list.


RT 4.0.23 released

We have released RT version 4.0.23 to resolve CVE-2014-9472, CVE-2015-1165, and CVE-2015-1464, along with a number of bugfixes; see the release notes for a complete list.


Security vulnerabilities in RT

We have discovered security vulnerabilities which affect both RT 4.0.x and RT 4.2.x. We are releasing RT versions 4.0.23 and 4.2.10 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.

The vulnerabilities addressed by 4.0.23, 4.2.10, and the below patches include the following:

RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a remote denial-of-service via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This denial-of-service may encompass both CPU and disk usage, depending on RT's logging configuration. This vulnerability is assigned CVE-2014-9472.

RT 3.8.8 and above are vulnerable to an information disclosure attack which may reveal RSS feeds URLs, and thus ticket data; this vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be leveraged to perform session hijacking, allowing a user with the URL to log in as the user that created the feed; this vulnerability is assigned CVE-2015-1464.

We would like to thank Christian Loos for reporting CVE-2014-9472 and CVE-2015-1165; CVE-2015-1464 was found by internal review.

Patches for all releases of 4.0.x and 4.2.x are available (signature). Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.

The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.


RT 4.2.8 released

We have released RT version 4.2.8 to resolve CVE-2014-7227, along with a small number of bugfixes; see the release notes for a complete list.


Security vulnerability in RT 4.2.x - CVE-2014-7227

We have discovered a security vulnerability in RT 4.2.x, detailed below. We are releasing RT version 4.2.8 to resolve this vulnerability, as well as patches which apply atop all released versions of 4.2.

RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as "Shellshock." This vulnerability requires a privileged user with access to an RT instance running with SMIME integration enabled; it applies to both mod_perl and fastcgi deployments. If you have already taken upgrades to bash to resolve "Shellshock," you are protected from this vulnerability in RT, and there is no need to apply this patch. This vulnerability has been assigned CVE-2014-7227.

As there is no SMIME integration available for RT 4.0, it is not vulnerable to this attack. The RT-Crypt-SMIME extension for RT 3.6.0, while also vulnerable, is no longer supported.

Patches for all releases of 4.2.x are available (signature). Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.

The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.


RT 4.0.22 and 4.2.7

We are pleased to announce that RT 4.0.22 and RT 4.2.7 have just been released. They are primarily bugfix releases; most notably, they rework UTF8 data handling to work with versions of DBD::Pg 3.3.0 and above. On PostgreSQL, this requires a newer version of DBIx::SearchBuilder. A complete list of changes is available from the release notes.


RT 4.2.5 released

We are pleased to announce that RT 4.2.5 has just been released. It is primarily a bugfix release; most notably, it explicitly updates a dependency to fix a previously-announced security vulnerability, resolves two serious bugs in the serializer, and fixes the "paste" feature in the Rich Text editor. A complete list of changes is available from the release notes.


RTIR 3.0.2, and RT 4.0.20 and 4.2.4 released

We are pleased to announce that RT 4.2.4 and RT 4.0.20 have just been released. Both are primarily bugfix releases; a complete list of changes is available from the release notes (for 4.2.4 and for 4.0.20).

Simultaneously, we have also released RTIR 3.0.2; the release notes are available here.


Local date header extension

We're testing a possible enhancement to core RT with a new extension that modifies the Date: display in RT's ticket history.

We've seen that some mail servers (particularly some versions of Microsoft Exchange) are now sending all emails with timestamps in UTC. This can be very confusing for users since RT will display that an email was received in the user's timezone, but then display an email Date header many hours "off" from the user's view. This has always been true when someone from New York sent email to an RT used by a user in Los Angeles, but the forced shift to UTC makes this even more noticeable.

[Screenshot: a standard RT display of such an email, with the Date: header shown in UTC.]

[Screenshot: the same email with the extension enabled, with the Date: header shown in the user's timezone.]

If you've noticed this display issue in your RT, give the RT::Extension::LocalDateHeader extension a try on your RT installation.

Bugs can be reported to bug-RT-Extension-LocalDateHeader [at] rt.cpan.org and we take pull requests at github.
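The conversion the extension performs, as an added example that is not the extension's own code (RT and the extension are written in Perl; this illustration is Python using only the standard library). It parses the Date: header of a constructed message stamped in UTC, as the post says some Exchange versions do, and re-renders the same instant in the viewing user's timezone. The timezones are constructed fixed offsets rather than a user's configured zone, and the message is a constructed sample:

```python
"""Added example, not part of RT::Extension::LocalDateHeader: render an
RFC 5322 Date: header in the viewing user's timezone."""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message from a mail server that stamps everything in UTC.
SAMPLE_MESSAGE = """\
From: requestor@example.com
To: rt@example.com
Subject: [example.com #1234] Printer is down
Date: Tue, 03 Jun 2014 19:05:00 +0000

The printer on the third floor is offline again.
"""

# Constructed variant using the obsolete "-0000" form, which means "UTC, but the
# sender's local zone is unknown"; parsedate_to_datetime returns a naive datetime for it.
SAMPLE_OBSOLETE_UTC = SAMPLE_MESSAGE.replace("+0000", "-0000")

# Constructed fixed-offset zones (assumption: a real deployment would use the
# user's configured zone, e.g. via zoneinfo, rather than hard-coded offsets).
LOS_ANGELES = timezone(timedelta(hours=-7), "PDT")
NEW_YORK = timezone(timedelta(hours=-4), "EDT")

DISPLAY_FORMAT = "%a, %d %b %Y %H:%M:%S %z (%Z)"


def parse_date_header(raw_message: str) -> datetime:
    """Extract the Date: header and parse it into a timezone-aware datetime.

    A missing header is an error for the caller to handle; a malformed header
    makes parsedate_to_datetime raise. The naive result for "-0000" is treated as UTC.
    """
    msg = message_from_string(raw_message)
    header = msg.get("Date")
    if header is None:
        raise ValueError("message has no Date: header")
    parsed = parsedate_to_datetime(header)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def original_date_header(raw_message: str) -> str:
    """What a stock RT history entry shows: the header exactly as sent."""
    return parse_date_header(raw_message).strftime(DISPLAY_FORMAT)


def local_date_header(raw_message: str, user_tz: timezone) -> str:
    """What the extension shows: the same instant in the viewing user's zone."""
    return parse_date_header(raw_message).astimezone(user_tz).strftime(DISPLAY_FORMAT)


if __name__ == "__main__":
    print("as sent:      ", original_date_header(SAMPLE_MESSAGE))
    print("Los Angeles:  ", local_date_header(SAMPLE_MESSAGE, LOS_ANGELES))
    print("New York:     ", local_date_header(SAMPLE_MESSAGE, NEW_YORK))
```

The two rendered strings describe the same moment; only the offset the user sees changes, which is the whole point of the extension: the "received" timestamp RT already shows in the user's zone and the Date: header line stop disagreeing by several hours.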


RT 3.8 reaches End-of-Life

As previously announced, the 3.8 series of RT has now reached end-of-life, and is no longer supported by Best Practical. This also ends support for RTFM, as well as RTIR 2.4 and 2.6, as those products depended on RT 3.8.

Best Practical continues to support the RT 4.0 (maintenance) series, as well as RT 4.2 (stable). RTFM was integrated into RT 4.0 as Articles, and is thus forward-compatible. RTIR 3.0 is available for RT 4.0, and we expect release candidates for RTIR 3.2 (compatible with RT 4.2) to be available shortly.

If you are currently still running RT 3.8 (or earlier!) and would like help with your upgrade, you can get in touch with us at sales@bestpractical.com for professional assistance.
