[rt-users] New vulnerability with FCKEditor, is RT affected

Kevin Falcone falcone at bestpractical.com
Mon Jul 6 11:24:12 EDT 2009


On Jul 6, 2009, at 10:47 AM, Mike Harris wrote:

> I'm unsure what version of FCKEditor is included with RT 3.8.4.  Is
> the version of FCKEditor less than 2.6.4.1?
>
> There is a potential advisory out for FCKEditor 2.6.4.1 and less:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265

We ship 2.6.4, but we haven't included the filemanager directory
in 3.8.2, 3.8.3 or 3.8.4.

We don't support any of the FCKEditor file management
code paths, so we disabled them.

Those versions of RT shouldn't be affected by this security report,
and if you're running 3.8.0 or 3.8.1 there have been a ton of bugfixes
in our FCKEditor support so an upgrade is recommended.

We'll roll 2.6.4.1 in before we release 3.8.5, I've created
http://rt3.fsck.com/Ticket/Display.html?id=13665
to make sure it is tracked.

-kevin
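The question in this thread comes down to two facts about an installed tree: which FCKeditor version it carries, and whether the file-manager code that the advisory concerns is shipped at all. The shell check below is an added example written for this page; it is not RT's or FCKeditor's code. It assumes that fckeditor.js at the top of the tree carries a `FCKeditor.prototype.Version = '...' ;` line (the form used by the 2.6.x releases), that the file-manager connectors live under editor/filemanager (the reply only says "the filemanager directory"), and that 2.6.4.1 is the fixed release, as the plan to roll 2.6.4.1 into 3.8.5 implies. The sample trees it builds are constructed fixtures, not real installs.

```shell
#!/bin/sh
# Added audit helper (not RT or FCKeditor code). For an FCKeditor tree, report
# the shipped version and whether the file-manager code path exists at all.
#
# Assumptions (also stated in the lead-in):
#  - fckeditor.js at the top of the tree has a line of the form
#      FCKeditor.prototype.Version = '2.6.4' ;
#  - the file-manager connectors live under editor/filemanager
#  - 2.6.4.1 is the fixed release

FIXED_VERSION=2.6.4.1

# fck_version DIR: print the version string from DIR/fckeditor.js, or "unknown".
fck_version() {
    js="$1/fckeditor.js"
    if [ ! -f "$js" ]; then
        echo unknown
        return 0
    fi
    v=$(sed -n "s/.*FCKeditor\.prototype\.Version[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$js" | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unknown; fi
}

# fck_has_filemanager DIR: succeed if the (assumed) file-manager directory exists.
fck_has_filemanager() {
    [ -d "$1/editor/filemanager" ]
}

# version_lt A B: succeed if dotted version A sorts before B. Fields compare
# numerically and a missing field counts as 0, so 2.6.4 < 2.6.4.1.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1
    }'
}

# fck_audit DIR: one-word verdict.
#   no-filemanager             file-manager code not shipped (the RT 3.8.2-3.8.4 layout)
#   filemanager-old-version    file manager present, version below 2.6.4.1 or unreadable
#   filemanager-fixed-version  file manager present, version 2.6.4.1 or later
fck_audit() {
    if ! fck_has_filemanager "$1"; then
        echo no-filemanager
        return 0
    fi
    v=$(fck_version "$1")
    if [ "$v" = unknown ] || version_lt "$v" "$FIXED_VERSION"; then
        echo filemanager-old-version
    else
        echo filemanager-fixed-version
    fi
}

# make_sample_tree DIR VERSION yes|no: constructed fixture with the assumed
# layout, so the audit can be exercised offline. Not a real install.
make_sample_tree() {
    mkdir -p "$1/editor"
    printf "FCKeditor.prototype.Version\t\t\t= '%s' ;\n" "$2" > "$1/fckeditor.js"
    if [ "$3" = yes ]; then
        mkdir -p "$1/editor/filemanager/connectors"
    fi
}

# Demo on constructed trees: what RT 3.8.4 ships (2.6.4 without the file
# manager), a stock 2.6.4 download, and a stock 2.6.4.1 download.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir/rt-3.8.4"      2.6.4   no
make_sample_tree "$demo_dir/stock-2.6.4"   2.6.4   yes
make_sample_tree "$demo_dir/stock-2.6.4.1" 2.6.4.1 yes
for d in "$demo_dir"/*; do
    printf '%-16s version=%-8s %s\n' "$(basename "$d")" "$(fck_version "$d")" "$(fck_audit "$d")"
done
rm -rf "$demo_dir"
```

Point fck_audit at the directory that holds fckeditor.js in your own deployment; "no-filemanager" is the state the reply describes for 3.8.2 through 3.8.4, and "filemanager-old-version" is the case where an upgrade, or removing the directory, is warranted.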