We have determined a number of security vulnerabilities in commonly installed RT extensions, enumerated below. You can determine which, if any, of these extensions your RT installation is using by navigating to Configuration -> Tools -> System Configuration, and examining the "Plugins" configuration setting.
We have released updated versions of each vulnerable extension. Installation instructions for each are included in a README file in each extension's tarball. You only need to download and upgrade these extensions if you have a previous version of them installed; RT installations with none of the extensions below installed are not vulnerable and do not need to take action.

RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are vulnerable to an escalation of privilege attack in which the URL of a user's RSS feed can be used to acquire a fully logged-in session as that user. CVE-2012-2770 has been assigned to this vulnerability.

Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth 0.11, which resolves this vulnerability. Because users of RT 3.8.1 cannot run RT::Authen::ExternalAuth later than 0.08 (due to bugs in the plugin handling code in RT 3.8.1), we are also providing a patch which applies to RT::Authen::ExternalAuth 0.08. This patch should only be applied if you are running RT 3.8.1 and RT::Authen::ExternalAuth 0.08. Instructions for applying the patch can be found in the patch file itself.

  http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Authen-ExternalAuth-0.11.tar.gz
  http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch
  http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch.asc

SHA1 sums:
  33ade803072d0ee6fff96f12969c1d4390b1211e  RT-Authen-ExternalAuth-0.11.tar.gz
  0d8057031b4115c2eb9dcc9ec43400ddea49afed  rt-authen-externalauth-0.08.patch
  31043b1c139487ae9ca1f8e3184493c077580b92  rt-authen-externalauth-0.08.patch.asc

RT::FM versions 2.0.4 through 2.4.3, inclusive, are vulnerable to multiple cross-site scripting (XSS) attacks in the topic administration page. CVE-2012-2768 has been assigned to this vulnerability. This release also includes updates for compatibility with RT 3.8.12.

As RT 4.0 and above bundle RT::FM's functionality and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

  http://download.bestpractical.com/pub/rt/release/RTFM-2.4.4.tar.gz
  http://download.bestpractical.com/pub/rt/release/RTFM-2.4.4.tar.gz.asc

SHA1 sums:
  abebd875d6d37b7d7ce3135952e23d8427b685c9  RTFM-2.4.4.tar.gz
  5f5e55ec9a8ee03c3f444c502012b1b958d4412c  RTFM-2.4.4.tar.gz.asc

RT::Extension::MobileUI 1.01 and below are vulnerable to multiple cross-site scripting (XSS) attacks. CVE-2012-2769 has been assigned to this vulnerability.

As RT 4.0 and above bundle RT::Extension::MobileUI's functionality and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

  http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Extension-MobileUI-1.02.tar.gz

SHA1 sum:
  4f97065fab28c3e875393a6aeb61c3d3bb7bb3be  RT-Extension-MobileUI-1.02.tar.gz

The README in each tarball contains instructions for upgrading the extension.

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sa...@bestpractical.com for more information.

- Alex
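As an added example (not code from the advisory, from RT, or from Best Practical), the following POSIX shell script does the two checks the advisory asks for: it lists the plugins enabled in RT_SiteConfig.pm, flags the three extensions named above together with the fixed version, and verifies a downloaded tarball or patch against the SHA1 sums listed. It assumes the config enables plugins with the usual `Set(@Plugins, qw(...));` form and that sha1sum, shasum or openssl is on PATH; the /opt/rt3/etc path in the usage line is the RT 3.8 default and is an assumption about your layout.

```shell
#!/bin/sh
# Added example, not part of the advisory or of RT itself.
# Assumptions: RT_SiteConfig.pm enables plugins with the usual
#   Set(@Plugins, qw(RT::Authen::ExternalAuth RT::FM));
# form, and one of sha1sum, shasum or openssl is on PATH.

# Print the plugin names enabled in an RT_SiteConfig.pm, one per line.
list_rt_plugins() {
    # Join the file onto one line so a qw(...) list that spans several
    # lines still matches, then capture what sits between "qw(" and ")".
    tr '\n' ' ' < "$1" |
        sed -n 's/.*Set(@Plugins,[[:space:]]*qw(\([^)]*\)).*/\1/p' |
        tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Print "<plugin> <fixed version>" for each enabled plugin named in the
# advisory; plugins it does not mention are ignored.
affected_plugins() {
    list_rt_plugins "$1" | while read -r plugin; do
        case "$plugin" in
            RT::Authen::ExternalAuth) echo "$plugin 0.11 (0.08 plus patch on RT 3.8.1)" ;;
            RT::FM)                   echo "$plugin 2.4.4" ;;
            RT::Extension::MobileUI)  echo "$plugin 1.02" ;;
        esac
    done
}

# SHA1 sums published in the advisory, keyed by file name.
published_sha1() {
    case "$1" in
        RT-Authen-ExternalAuth-0.11.tar.gz)    echo 33ade803072d0ee6fff96f12969c1d4390b1211e ;;
        rt-authen-externalauth-0.08.patch)     echo 0d8057031b4115c2eb9dcc9ec43400ddea49afed ;;
        rt-authen-externalauth-0.08.patch.asc) echo 31043b1c139487ae9ca1f8e3184493c077580b92 ;;
        RTFM-2.4.4.tar.gz)                     echo abebd875d6d37b7d7ce3135952e23d8427b685c9 ;;
        RTFM-2.4.4.tar.gz.asc)                 echo 5f5e55ec9a8ee03c3f444c502012b1b958d4412c ;;
        RT-Extension-MobileUI-1.02.tar.gz)     echo 4f97065fab28c3e875393a6aeb61c3d3bb7bb3be ;;
        *) return 1 ;;
    esac
}

# Hex SHA1 of a file, using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha1 "$1" | sed 's/.*= *//'
    fi
}

# Return 0 if FILE's SHA1 equals EXPECTED (case-insensitive), 1 otherwise.
verify_sha1() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual, expected $expected)" >&2
    return 1
}

# Usage: sh rt_advisory_check.sh /opt/rt3/etc/RT_SiteConfig.pm [downloaded files...]
if [ "$#" -gt 0 ]; then
    echo "Advisory-affected plugins enabled in $1 (plugin, fixed version):"
    affected_plugins "$1"
    shift
    for f in "$@"; do
        expected=$(published_sha1 "$(basename "$f")") || {
            echo "no published SHA1 for $(basename "$f")" >&2; continue; }
        verify_sha1 "$f" "$expected"
    done
fi
```

The SHA1 check only catches a corrupted or substituted download; for the files that ship with a .asc companion, also run `gpg --verify <file>.asc <file>` against the release signing key before applying the patch or unpacking the tarball.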
_______________________________________________
rt-announce mailing list
rt-annou...@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce