[rt-devel] [rt-announce] RT 4.2.12 released

Shawn Moore shawn at bestpractical.com
Wed Aug 12 15:42:14 EDT 2015

RT 4.2.12 -- 2015-08-12

RT 4.2.12 contains important security fixes.


SHA1 sums

ddbf70752c2b96354caf7687534addf075859d4d  rt-4.2.12.tar.gz
8e76c69a56a60afbe0a75673874a1f4510355350  rt-4.2.12.tar.gz.asc

This release is a security release which addresses the following

RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via
the user and group rights management pages.  This vulnerability is assigned
CVE-2015-5475.  It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.

RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack
via the cryptography interface.  This vulnerability could allow an attacker
with a carefully-crafted key to inject JavaScript into RT's user interface.
Installations which use neither GnuPG nor S/MIME are unaffected.

A complete changelog is available from git by running:
    git log rt-4.2.11..rt-4.2.12
or visiting

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.bestpractical.com/pipermail/rt-devel/attachments/20150812/2119c7ed/attachment.pgp>
-------------- next part --------------
rt-announce mailing list
rt-announce at lists.bestpractical.com

More information about the rt-devel mailing list