[rt-devel] [rt-announce] Security vulnerability in RT 4.2.x - CVE-2014-7227

Alex Vandiver alexmv at bestpractical.com
Thu Oct 2 12:00:45 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have discovered a security vulnerability in RT 4.2.x, detailed below.
We are releasing RT version 4.2.8 to resolve this vulnerability, as well
as patches which apply atop all released versions of 4.2.

RT 4.2.0 and above may be vulnerable to arbitrary execution of code by
way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or
CVE-2014-6271 -- collectively known as "Shellshock."  This vulnerability
requires a privileged user with access to an RT instance running with
SMIME integration enabled; it applies to both mod_perl and fastcgi
deployments.  If you have already taken upgrades to bash to resolve
"Shellshock," you are protected from this vulnerability in RT, and there
is no need to apply this patch.  This vulnerability has been assigned
CVE-2014-7227.

As there is no SMIME integration available for RT 4.0, it is not
vulnerable to this attack.  The RT-Crypt-SMIME extension for RT 3.6.0,
while also vulnerable, is no longer supported.

Patches for all releases of 4.2.x are available for download below.
Versions of RT older than 4.0.0 are unsupported and do not receive
security patches; please contact sales at bestpractical.com if you need
assistance with an older RT version.

http://download.bestpractical.com/pub/rt/release/security-2014-10-02.tar.gz
http://download.bestpractical.com/pub/rt/release/security-2014-10-02.tar.gz.asc

694483fe6595bdbb8d98285d7e2f9eeafeb511da  security-2014-10-02.tar.gz
0f7c1baa0262833dbed6549e43d2554abd3c2e77  security-2014-10-02.tar.gz.asc

The README in the tarball contains instructions for applying the
patches.  If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales at bestpractical.com for more information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQtdqcACgkQMflWJZZAbqDJ/wCgjaP6qbP0wdgGGYyvMWJDSKb7
FWcAniXypUZ+fMni2yc+96HAgCpnU62+
=EHkb
-----END PGP SIGNATURE-----
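The advisory's remedy is conditional: if the bash on the host has already been patched for Shellshock, the RT SMIME code path cannot reach a vulnerable parser and the RT-side patch is unnecessary. The script below is an added example, not code from Best Practical, the RT tarball, or the advisory, that probes the local bash for two of the five CVEs the advisory lists (CVE-2014-6271 and CVE-2014-7169) the way an operator would before deciding whether the RT patch is still needed. It assumes bash is on PATH and that creating a scratch directory with mktemp is acceptable; it does not probe CVE-2014-6277, CVE-2014-7186 or CVE-2014-7187, and it says nothing about whether SMIME integration is enabled in a given RT instance.

```shell
#!/bin/sh
# Added example (not part of the Best Practical advisory or the RT code base):
# probe the bash on this host for the two Shellshock bugs the advisory's
# conditional turns on. A patched bash means an attacker-controlled
# environment variable passed through RT's SMIME integration has nothing
# to exploit, regardless of whether the RT-side patch has been applied.
# Assumes `bash` is on PATH; nothing here touches RT itself.

# CVE-2014-6271: a function definition imported from the environment must
# not execute the commands that follow its closing brace.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = no bash found.
shellshock_6271() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: the follow-up parser bug. On a vulnerable bash the
# truncated definition leaks a redirection into the -c command string,
# which creates a file named "echo" in the current directory. Run it in a
# scratch directory so the only side effect is observable and cleaned up.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = no bash or no mktemp.
shellshock_7169() {
    command -v bash >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo probe' >/dev/null 2>&1 ) || true
    if [ -f "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 0
    fi
    rm -rf "$tmp"
    return 1
}

# Human-readable summary. Exit status is 0 only when both probes come back
# clean, so the function can gate a deployment or upgrade step.
shellshock_report() {
    status=0
    for cve in 6271 7169; do
        rc=0
        "shellshock_$cve" || rc=$?
        case "$rc" in
            0) echo "CVE-2014-$cve: VULNERABLE"; status=1 ;;
            1) echo "CVE-2014-$cve: not vulnerable" ;;
            *) echo "CVE-2014-$cve: bash not found, cannot test"; status=1 ;;
        esac
    done
    return $status
}

shellshock_report
```

A clean report from both probes is the condition under which the advisory says the RT patch can be skipped; a vulnerable result on a host running RT 4.2.x with SMIME enabled means the bash upgrade is the fix to apply first, with the RT patch as defence in depth.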
_______________________________________________
rt-announce mailing list
rt-announce at lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce

