[rt-announce] Security vulnerability in RT

Alex Vandiver alexmv at bestpractical.com
Mon Jan 27 14:30:50 EST 2014


Versions of RT between 4.2.0 and 4.2.2 (inclusive) are vulnerable to a
denial-of-service attack via the email gateway; any installation which
accepts mail from untrusted sources is vulnerable, regardless of the
permissions configuration inside RT.  This vulnerability is assigned
CVE-2014-1474.

This vulnerability is caused by poor parsing performance in the
Email::Address::List module, which RT depends on.  We recommend that
affected users upgrade their version of Email::Address::List to v0.02 or
above, which resolves the issue.  Due to a communications mishap, the
release on CPAN will temporarily appear as "unauthorized," and the
command-line 'cpan' client will hence not install it.  We expect this to
be resolved shortly; in the meantime, the release is also available from
our server:

http://download.bestpractical.com/mirror/Email-Address-List-0.03.tar.gz
http://download.bestpractical.com/mirror/Email-Address-List-0.03.tar.gz.sig

f2e0c90b6ab9aecba9ebe0dd0e2645ece8aabd6d  Email-Address-List-0.03.tar.gz
5e1f83e5e8ff2fde22a1a25aaee488d84f810389  Email-Address-List-0.03.tar.gz.sig

After extracting the contents, the module can be installed by running:
    perl Makefile.PL
    make
    make install

The first step should be sure to use the same perl that RT runs using.
If you are unsure, the first line of /opt/rt4/sbin/standalone_httpd
should contain the full path to the relevant perl binary.  The last step
will likely need to be run with root permissions.  After this process,
you should restart your webserver.


If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales at bestpractical.com for more information.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.bestpractical.com/pipermail/rt-announce/attachments/20140127/77d3da95/attachment.pgp>


More information about the rt-announce mailing list