[rt-announce] Security vulnerabilities in RT

Alex Vandiver alexmv at bestpractical.com
Tue May 22 11:48:53 EDT 2012

On Tue, 2012-05-22 at 10:34 -0400, Alex Vandiver wrote:
> In addition to releasing RT versions 3.8.12 and 4.0.6 which address
> these issues, we have also collected patches for all releases of 3.8 and 4.0
> into a distribution available for download at this link:
> http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz
> http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz.asc

It has been brought to our attention that the patchset requires version
0.68 or higher of FCGI.pm if you are running a FastCGI deployment.  A
too-low version of this module will manifest as outgoing mail failing to
be sent, and errors in the logs resembling:

  Could not send mail with command `[...]`:
     Can't locate object method "FILENO" via package "FCGI::Stream"

RT 3.8.11 and 4.0.5 already require version 0.75 or higher, to ensure
that you are protected from CVE-2011-2766, which affects mod_fastcgi:

 - Alex

More information about the rt-announce mailing list