[rt-users] [Rt-announce] RT 3.4/3.6 possible mail loop issue. Patch Attached

Jesse Vincent jesse at bestpractical.com
Wed Mar 14 13:24:40 EDT 2007


In certain circumstances, a malicious (or incompetent) remote attacker can coax an RT 3.4.6 or 3.6.3 instance into getting into a mail loop with itself. Earlier releases may also be affected.

This vulnerability ONLY affects RT instances that have been configured to restrict email creation of new tickets to users with known accounts. Best Practical generally recommends that sites configure RT somewhat more "openly," though we do support this configuration.

The attached patch, which will be included in RT 3.6.4 and RT 3.4.7, has resolved this issue in our testing and for the end user who reported the issue. Community-provided help with this and other RT-related issues is available via rt-users at lists.bestpractical.com, our free and open RT support mailing list.

If you need professional assistance with this or any other RT-related issue, please don't hesitate to contact us at sales at bestpractical.com.

We're indebted to Eric Jacksch of Tenebris Technologies Inc. for his initial report of this issue and his help while we performed triage and developed a solution.

Best,

Jesse Vincent
President
Best Practical Solutions, LLC
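The announcement above does not describe the loop mechanism, and the patch itself was scrubbed from the archive. The following is an added example, not RT's code and not the attached patch: a loop guard for the auto-reply path of a mail gateway, written under the assumption that a restricted-ticket-creation setup sends an automated rejection notice to unknown senders and that such a notice can itself be answered automatically. It refuses to auto-reply to mail that is marked as automatic (RFC 3834 Auto-Submitted, Precedence: bulk/junk/list, a null Return-Path) or that carries the gateway's own loop-prevention stamp, and it stamps every rejection it does send so that a bounced copy is recognised on the way back in. The header name X-RT-Loop-Prevention is the one RT uses for this purpose; the instance name "example-rt", the addresses and the sample messages are constructed for the example.

```python
"""Loop guard for a mail gateway's automated rejection path (added example)."""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

INSTANCE_NAME = "example-rt"          # constructed; stands in for the RT instance name
LOOP_HEADER = "X-RT-Loop-Prevention"  # header RT stamps on mail it sends
OUR_ADDRESS = "rt@example-rt.test"    # constructed gateway address

# Constructed inbound messages used to exercise the guard.
SAMPLES = {
    # Ordinary mail from an address with no account: a rejection may be sent.
    "unknown_sender": (
        "From: stranger@example.net\nTo: rt@example-rt.test\n"
        "Subject: help\nMessage-ID: <1@example.net>\n\nhello\n"
    ),
    # Mail that declares itself automatic (RFC 3834): never auto-reply.
    "auto_replied": (
        "From: robot@example.net\nTo: rt@example-rt.test\n"
        "Subject: Re: help\nAuto-Submitted: auto-replied\n\nI am away.\n"
    ),
    # Our own loop stamp coming back to us: never auto-reply.
    "own_stamp": (
        "From: stranger@example.net\nTo: rt@example-rt.test\n"
        f"Subject: Re: help\n{LOOP_HEADER}: {INSTANCE_NAME}\n\nbounced\n"
    ),
}


def classify_inbound(raw: str) -> Optional[str]:
    """Return a reason the message must not receive an auto-reply, or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and auto != "no":            # RFC 3834: anything but "no" is automatic
        return f"Auto-Submitted: {auto}"
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in ("bulk", "junk", "list"):  # de facto marker for list/auto mail
        return f"Precedence: {prec}"
    for value in msg.get_all(LOOP_HEADER, []):
        if value.strip() == INSTANCE_NAME:  # mail we sent has come back to us
            return f"{LOOP_HEADER} matches own instance"
    if (msg.get("Return-Path") or "").strip() == "<>":  # null sender: a bounce
        return "Return-Path is <>"
    return None


def build_rejection(raw: str, our_addr: str = OUR_ADDRESS) -> Optional[str]:
    """Build the rejection notice for an unknown sender, or None if suppressed."""
    if classify_inbound(raw) is not None:
        return None
    original = email.message_from_string(raw, policy=policy.default)
    reply = EmailMessage()
    reply["From"] = our_addr
    reply["To"] = str(original["From"])
    reply["Subject"] = "Re: " + str(original["Subject"] or "")
    if original["Message-ID"]:
        reply["In-Reply-To"] = str(original["Message-ID"])
    # Mark the notice as automatic and stamp it with our instance name so
    # that any copy that comes back is dropped by classify_inbound().
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    reply[LOOP_HEADER] = INSTANCE_NAME
    reply.set_content("Ticket creation by email is restricted to known users.")
    return reply.as_string()


def round_trip_suppressed(raw: str) -> bool:
    """True if the rejection we would send is itself refused an auto-reply."""
    rejection = build_rejection(raw)
    return rejection is not None and classify_inbound(rejection) is not None


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        reason = classify_inbound(sample)
        print(f"{name}: {'suppressed (' + reason + ')' if reason else 'rejection sent'}")
    print("round trip suppressed:", round_trip_suppressed(SAMPLES["unknown_sender"]))
```

The last check is the one that matters operationally: feed the gateway's own rejection back into the inbound path and confirm it is not answered again. A guard that only honours Auto-Submitted on incoming mail but forgets to mark its own outgoing notices still loops against a peer that mirrors the omission.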


-------------- next part --------------
A non-text attachment was scrubbed...
Name: rt-3.4-and-3.6-mail-loop-fix.patch
Type: application/octet-stream
Size: 1575 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20070314/09ca9da3/attachment.obj>