[rt-announce] Bugfix for security patch on mod_perl
Alex Vandiver
alexmv at bestpractical.com
Thu May 24 17:24:20 EDT 2012
On Tue, 2012-05-22 at 10:34 -0400, Alex Vandiver wrote:
> Internal audits of the RT codebase have uncovered a number of security
> vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to
> resolve these vulnerabilities, as well as patches which apply atop all
> released versions of 3.8 and 4.0.
>
> [snip]
> In addition to releasing RT versions 3.8.12 and 4.0.6 which address
> these issues, we have also collected patches for all releases of 3.8 and 4.0
> into a distribution available for download at this link:

Sites which are running RT 3.8.x under mod_perl will likely be affected
by a bug introduced by these security patches, which causes outgoing
email to fail. A hotfix for this bug can be applied via:

    curl https://github.com/bestpractical/rt/commit/b7a5a53.patch |
        patch -p1 -d /opt/rt3

RT 4.0.x should not be affected by this bug, as 'SetHandler modperl' is
the correct mod_perl deployment option in RT 4. If you are experiencing
this issue with RT 4.0, simply alter your Apache configuration to use
'SetHandler modperl' instead of 'SetHandler perl-script' for your RT
deployment.

RT 3.8.12 is affected by this bug as well; we are releasing RT 3.8.13
shortly to address this, and suggest that affected users on RT 3.8.12
simply upgrade to RT 3.8.13. If possible, please test that the
just-released RT 3.8.13rc1 [1] solves the problem.

- Alex

[1] http://download.bestpractical.com/pub/rt/devel/rt-3.8.13rc1.tar.gz