[rt-announce] Security vulnerabilities in RT

Shawn Moore shawn at bestpractical.com
Wed Aug 12 15:38:55 EDT 2015


We have discovered security vulnerabilities which affect both RT 4.0.x
and RT 4.2.x.  We are releasing RT versions 4.0.24 and 4.2.12 to resolve
these vulnerabilities, as well as patches which apply atop all released
versions of 4.0 and 4.2.

The vulnerabilities addressed by 4.0.24, 4.2.12, and the below patches
include the following:

RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via
the user and group rights management pages.  This vulnerability is assigned
CVE-2015-5475.  It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.

RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack
via the cryptography interface.  This vulnerability could allow an attacker
with a carefully crafted key to inject JavaScript into RT's user interface.
Installations which use neither GnuPG nor S/MIME are unaffected.

Patches for all releases of 4.0.x and 4.2.x are available for download
below.  Versions of RT older than 4.0.0 are unsupported and do not
receive security patches; please contact sales at bestpractical.com if you
need assistance with an older RT version.

https://download.bestpractical.com/pub/rt/release/security-2015-08-12.tar.gz
https://download.bestpractical.com/pub/rt/release/security-2015-08-12.tar.gz.asc

0ffdfae09837c09957f69e9de69660735d3099ee  security-2015-08-12.tar.gz
92c8d4d299c7bc205eb8382274306dc3aaa14970  security-2015-08-12.tar.gz.asc

The README in the tarball contains instructions for applying the
patches.  If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales at bestpractical.com for more information.
