[rt-users] Heartbleed OpenSSL vulnerability

Alex Vandiver alexmv at bestpractical.com
Sat Apr 19 00:38:16 EDT 2014


On Fri, 2014-04-18 at 16:35 +0000, Percynski, Fred wrote:
> I haven’t seen anything on this mailing list, or on the Best Practical
> web site, that discusses the Heartbleed vulnerability.   
> 
> Does RT use OpenSSL in any way?

RT does not use OpenSSL in any way that is vulnerable.  While RT 4.2
does use OpenSSL directly when decoding S/MIME encrypted mail, this
process does not involve TLS -- hence the vulnerability in the Heartbeat
extension of TLS does not apply.


That being said, there are a number of external services that RT
interacts with which may use OpenSSL in an affected manner. Restarting
those services after updating your OpenSSL libraries is sufficient to
close the vulnerability.  The ways in which RT may interact with
vulnerable services includes such things as:

  1. Your webserver (Apache, nginx, etc) may use OpenSSL to implement
TLS negotiation for HTTPS connection.
  2. Your database may use OpenSSL to implement TLS negotiation to
secure the connection that RT uses to speak to the database.  This is
the case if the RT configuration option $DatabaseRequireSSL is set.
  3. Your LDAP server (OpenLDAP) may use OpenSSL to implement TLS
negotiation to secure the connection that RT::Authen::ExternalAuth or
RT::Extension::LDAPImport uses to acquire LDAP data.
  4. Your mail server (postfix, exim, etc) may use OpenSSL to implement
TLS negotiation over SMTP when speaking to remote mailservers.

In all of the above cases, restarting the affected server after updating
the OpenSSL libraries is sufficient to close the vulnerability.  You may
wish to also generate new SSL certificates, in the light of the fact
that the vulnerability has been successfully used to acquire SSL private
keys, and multiple automated tools to do so have been released.


> My server had a vulnerable version of OpenSSL installed at the time RT
> was compiled.  I would like to know if RT needs to be 
> recompiled/upgraded now that OpenSSL has been patched.

RT is written in perl; as such, it is not compiled, and no changes need
to be made to RT itself to close the vulnerability.  See above
concerning other related services which may be affected, of course.

 - Alex
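The "restart the affected server after updating the OpenSSL libraries" step above leaves one practical question open: which running services on a host are still holding the old library? The following script is an added example written for this page, not code from the original post or from Best Practical. It assumes a Linux host, where a package upgrade replaces the shared-library file on disk while running processes keep the old inode mapped, which the kernel shows as a "(deleted)" suffix in /proc/PID/maps. The sample maps excerpts embedded in it are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original rt-users post: after the OpenSSL
# packages have been upgraded, list the processes that still have the OLD
# libssl/libcrypto mapped and therefore need a restart.
# Assumes Linux: when a package manager replaces a shared library file, the
# kernel keeps the old inode alive for running processes and marks the mapping
# "(deleted)" in /proc/PID/maps.

# stale_ssl_mappings MAPS_FILE
# Print each distinct libssl/libcrypto path whose mapping is flagged "(deleted)".
stale_ssl_mappings() {
    # Fields in a maps line: address perms offset dev inode pathname [(deleted)]
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null |
        awk '{ print $6 }' | sort -u
}

# count_stale_ssl_mappings MAPS_FILE
# Number of distinct stale OpenSSL libraries in that maps file (0 means clean).
count_stale_ssl_mappings() {
    stale_ssl_mappings "$1" | wc -l | tr -d ' '
}

# report_stale_processes
# Walk the live /proc and print "PID<TAB>command line" for every process that
# must be restarted to pick up the updated libraries.
report_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if [ "$(count_stale_ssl_mappings "$maps")" -gt 0 ]; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
            printf '%s\t%s\n' "$pid" "$cmd"
        fi
    done
}

# Constructed sample maps excerpts (not captured from a real host) so the
# parsing can be exercised offline: one process still on the replaced
# libraries, one that was started after the upgrade.
STALE_MAPS=$(mktemp)
CLEAN_MAPS=$(mktemp)
trap 'rm -f "$STALE_MAPS" "$CLEAN_MAPS"' EXIT
cat > "$STALE_MAPS" <<'EOF'
7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 131163 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c221000-7f3a1c225000 r--p 00021000 08:01 131163 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c300000-7f3a1c4a0000 r-xp 00000000 08:01 131140 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1c600000-7f3a1c620000 r-xp 00000000 08:01 131200 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
cat > "$CLEAN_MAPS" <<'EOF'
7f9b20000000-7f9b20021000 r-xp 00000000 08:01 140221 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f9b20300000-7f9b204a0000 r-xp 00000000 08:01 140210 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF

echo "stale OpenSSL libraries in the sample process:"
stale_ssl_mappings "$STALE_MAPS"
# Pass --live to scan the real /proc on the host being checked.
if [ "${1:-}" = "--live" ]; then
    report_stale_processes
fi
```

Run it with `--live` as root, since /proc/PID/maps of other users' processes is not readable otherwise; every PID it prints (the webserver, database, slapd, MTA and so on from the list above) is still executing the pre-upgrade code and needs a restart, while a process whose maps show the library without the "(deleted)" marker has already picked up the new file. The check only covers dynamically linked OpenSSL; a service that bundles or statically links its own copy has to be checked against its vendor's advisory separately.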
