[rt-users] New vulnerability with FCKEditor, is RT affected
Kevin Falcone
falcone at bestpractical.com
Mon Jul 6 11:24:12 EDT 2009
On Jul 6, 2009, at 10:47 AM, Mike Harris wrote:
> I'm unsure what version of FCKEditor is included with RT 3.8.4. Is
> the version of FCKEditor less than 2.6.4.1?
>
> There is a potential advisory out for FCKEditor 2.6.4.1 and less:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265

We ship 2.6.4, but we haven't included the filemanager directory
in 3.8.2, 3.8.3 or 3.8.4. We don't support any of the FCKEditor file
management code paths, so we disabled them.

Those versions of RT shouldn't be affected by this security report,
and if you're running 3.8.0 or 3.8.1 there have been a ton of bugfixes
in our FCKEditor support, so an upgrade is recommended.

We'll roll 2.6.4.1 in before we release 3.8.5; I've created
http://rt3.fsck.com/Ticket/Display.html?id=13665
to make sure it is tracked.

-kevin