[rt-devel] [rt-announce] Security vulnerability in RT 4.2.x - CVE-2014-7227
alexmv at bestpractical.com
Thu Oct 2 12:00:45 EDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
We have discovered a security vulnerability in RT 4.2.x, detailed below.
We are releasing RT version 4.2.8 to resolve this vulnerability, as well
as patches which apply atop all released versions of 4.2.
RT 4.2.0 and above may be vulnerable to arbitrary execution of code by
way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or
CVE-2014-6271 -- collectively known as "Shellshock." This vulnerability
requires a privileged user with access to an RT instance running with
SMIME integration enabled; it applies to both mod_perl and fastcgi
deployments. If you have already taken upgrades to bash to resolve
"Shellshock," you are protected from this vulnerability in RT, and there
is no need to apply this patch. This vulnerability has been assigned
As there is no SMIME integration available for RT 4.0, it is not
vulnerable to this attack. The RT-Crypt-SMIME extension for RT 3.6.0,
while also vulnerable, is no longer supported.
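The advisory's remedy is a bash that already carries the upstream Shellshock fixes. As an added check (example code written for this page, not part of the advisory or of RT), the script below probes the local bash with the widely circulated public test strings for the five CVEs named above. It assumes the bash to test is on PATH or is given as the first argument, that `mktemp -d` is available, and that a fixed bash survives the three parser probes with a normal exit status rather than dying from a signal.

```shell
#!/bin/sh
# Added example, not from the Best Practical advisory or from RT's own code.
# Probes a bash binary for the "Shellshock" function-import flaws the
# advisory lists, using the public test strings for each CVE.
# Assumption: the bash to test is the one on PATH, or the path given as $1.
#
# shellshock_check [path-to-bash]
#   returns 0 : every probe passed (bash carries the upstream fixes)
#   returns 1 : at least one probe showed the flaw
#   returns 2 : no usable bash binary to test

# report <cve> <vulnerable:0|1>: print one probe result, remember any failure.
report() {
    if [ "$2" -eq 1 ]; then
        echo "$1: VULNERABLE"; found=1
    else
        echo "$1: not vulnerable"
    fi
}

# crashes <exit-status>: true when the status means "killed by a signal"
# (128 + signal number), which is how the parser bugs show up.
crashes() {
    [ "$1" -ge 128 ]
}

shellshock_check() {
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "no bash binary found to test" >&2
        return 2
    fi
    found=0

    # CVE-2014-6271: code placed after the function body in an exported
    # variable runs as soon as bash imports that variable from the environment.
    out=$(env x='() { :;}; echo SHELLSHOCK' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) report CVE-2014-6271 1 ;;
        *)            report CVE-2014-6271 0 ;;
    esac

    # CVE-2014-7169: the incomplete first fix still let a crafted definition
    # turn the next command into a redirection; a vulnerable bash writes a
    # file named "echo" into the working directory instead of printing "date".
    tmpdir=$(mktemp -d) || return 2
    ( cd "$tmpdir" && env X='() { (a)=>\' "$bash_bin" -c 'echo date' ) >/dev/null 2>&1 || :
    if [ -e "$tmpdir/echo" ]; then report CVE-2014-7169 1; else report CVE-2014-7169 0; fi
    rm -rf "$tmpdir"

    # CVE-2014-7186: redir_stack overflow from too many here-documents.
    rc=0
    "$bash_bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1 || rc=$?
    if crashes "$rc"; then report CVE-2014-7186 1; else report CVE-2014-7186 0; fi

    # CVE-2014-7187: off-by-one in word_lineno, triggered by 200 nested loops.
    nested=$(i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
             i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done)
    rc=0
    printf '%s\n' "$nested" | "$bash_bin" >/dev/null 2>&1 || rc=$?
    if crashes "$rc"; then report CVE-2014-7187 1; else report CVE-2014-7187 0; fi

    # CVE-2014-6277: uninitialised memory use while parsing a crafted
    # function body; a vulnerable bash dies during the import.
    rc=0
    env X='() { x() { _; }; x() { _; } <<a; }' "$bash_bin" -c : >/dev/null 2>&1 || rc=$?
    if crashes "$rc"; then report CVE-2014-6277 1; else report CVE-2014-6277 0; fi

    return "$found"
}

# Run the probes against the bash on PATH (or the path given as $1).
shellshock_check "$@"
```

The probes are the same strings an attacker would send, so run the script only on hosts you own; on a fixed bash every probe prints "not vulnerable" and the function returns 0. Note that the check only tells you about the bash binary on this host; a container or chroot used by RT's web server may ship its own copy.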
Patches for all releases of 4.2.x are available for download below.
Versions of RT older than 4.0.0 are unsupported and do not receive
security patches; please contact sales at bestpractical.com if you need
assistance with an older RT version.
The README in the tarball contains instructions for applying the
patches. If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
sales at bestpractical.com for more information.