-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have discovered a security vulnerability in RT 4.2.x, detailed below. We are releasing RT version 4.2.8 to resolve this vulnerability, as well as patches which apply atop all released versions of 4.2.

RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as "Shellshock." This vulnerability requires a privileged user with access to an RT instance running with SMIME integration enabled; it applies to both mod_perl and fastcgi deployments. If you have already taken upgrades to bash to resolve "Shellshock," you are protected from this vulnerability in RT, and there is no need to apply this patch. This vulnerability has been assigned CVE-2014-7227.

As there is no SMIME integration available for RT 4.0, it is not vulnerable to this attack. The RT-Crypt-SMIME extension for RT 3.6.0, while also vulnerable, is no longer supported.

Patches for all releases of 4.2.x are available for download below. Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sa...@bestpractical.com if you need assistance with an older RT version.

http://download.bestpractical.com/pub/rt/release/security-2014-10-02.tar.gz
http://download.bestpractical.com/pub/rt/release/security-2014-10-02.tar.gz.asc

694483fe6595bdbb8d98285d7e2f9eeafeb511da  security-2014-10-02.tar.gz
0f7c1baa0262833dbed6549e43d2554abd3c2e77  security-2014-10-02.tar.gz.asc

The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sa...@bestpractical.com for more information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQtdqcACgkQMflWJZZAbqDJ/wCgjaP6qbP0wdgGGYyvMWJDSKb7
FWcAniXypUZ+fMni2yc+96HAgCpnU62+
=EHkb
-----END PGP SIGNATURE-----
_______________________________________________
rt-announce mailing list
rt-annou...@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce
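
One way to check a downloaded copy of the patch tarball against the SHA-1 digests listed in this announcement, as an added example that is not part of the original message or of Best Practical's tooling. The function names and the download-directory argument are assumptions; the file names and digests are the ones given above.

```shell
#!/bin/sh
# Added example: compare downloaded files with the SHA-1 digests published in the advisory.

# File name and digests copied from the advisory text.
TARBALL=security-2014-10-02.tar.gz
TARBALL_SHA1=694483fe6595bdbb8d98285d7e2f9eeafeb511da
SIG_SHA1=0f7c1baa0262833dbed6549e43d2554abd3c2e77

# Print the lowercase hex SHA-1 of a file, using whichever tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 -r "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if the file is missing
verify_sha1() {
    [ -r "$1" ] || { echo "MISSING  $1" >&2; return 2; }
    actual=$(sha1_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests too
    if [ "$actual" = "$expected" ]; then
        echo "OK       $1"
    else
        echo "MISMATCH $1 (got $actual, advisory says $expected)" >&2
        return 1
    fi
}

# verify_release DIR -> 0 only if both the tarball and its .asc match the advisory
verify_release() {
    failed=0
    verify_sha1 "$1/$TARBALL" "$TARBALL_SHA1" || failed=1
    verify_sha1 "$1/$TARBALL.asc" "$SIG_SHA1" || failed=1
    return $failed
}

# Check a download directory when one is given on the command line.
if [ -n "${1:-}" ]; then
    verify_release "$1"
fi
```

Once both digests match, `gpg --verify security-2014-10-02.tar.gz.asc security-2014-10-02.tar.gz` checks the detached signature, assuming the vendor's signing key is already in your keyring.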