Re: [rt-users] [Rt-announce] RT 3.8.5 Released

2009-09-15 Thread Kevin Falcone
On Tue, Sep 15, 2009 at 12:32:20PM -0400, Jeff Voskamp wrote:
> On 09/15/2009 11:28 AM, Kevin Falcone wrote:
>
> Then you should rename ticket #13574 in rt3.fsck.com. :-)

Already done:
Tue Sep 15 11:55:12 2009 falcone - Subject changed from 'RT 3.8.5
Release' to 'RT 3.8.6 Release' 

-kevin
___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com


Discover RT's hidden secrets with RT Essentials from O'Reilly Media. 
Buy a copy at http://rtbook.bestpractical.com


Re: [rt-users] [Rt-announce] RT 3.8.5 Released

2009-09-15 Thread Jeff Voskamp

On 09/15/2009 11:28 AM, Kevin Falcone wrote:
> On Tue, Sep 15, 2009 at 02:03:56PM +0200, Sven Sternberger wrote:
>> Hello!
>>
>> On Mo, 2009-09-14 at 15:27 -0400, Kevin Falcone wrote:
>>> This release of RT-3.8.5 contains an important security fix.
>>
>> So patching RT-3.8.4 with the attached patches gives me RT-3.8.5?
>> There are no other features, fixes or cleanups in 3.8.5?
>
> 3.8.5 was branched from the 3.8.4 release in our repository and
> includes none of the changes on 3.8-trunk other than the bug fix and a
> version number bump.
>
> -kevin

Then you should rename ticket #13574 in rt3.fsck.com. :-)

Jeff

Re: [rt-users] [Rt-announce] RT 3.8.5 Released

2009-09-15 Thread Kevin Falcone
On Tue, Sep 15, 2009 at 02:03:56PM +0200, Sven Sternberger wrote:
> Hello!
> 
> On Mo, 2009-09-14 at 15:27 -0400, Kevin Falcone wrote:
> > This release of RT-3.8.5 contains an important security fix.
> 
> So patching RT-3.8.4 with the attached patches gives me RT-3.8.5?
> There are no other features, fixes or cleanups in 3.8.5?

3.8.5 was branched from the 3.8.4 release in our repository and
includes none of the changes on 3.8-trunk other than the bug fix and a
version number bump.  

-kevin


Re: [rt-users] [Rt-announce] RT 3.8.5 Released

2009-09-15 Thread Sven Sternberger
Hello!

On Mo, 2009-09-14 at 15:27 -0400, Kevin Falcone wrote:
> This release of RT-3.8.5 contains an important security fix.

So patching RT-3.8.4 with the attached patches gives me RT-3.8.5?
There are no other features, fixes or cleanups in 3.8.5?

best regards!

sven



[rt-users] [Rt-announce] RT 3.8.5 Released

2009-09-14 Thread Kevin Falcone
This release of RT-3.8.5 contains an important security fix.

You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.5.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.5.tar.gz.sig

SHA1 checksums

26854e1a34052a2a922dc0ff533056f782813ea7  rt-3.8.5.tar.gz
96fcf9d75ce293d019bdcd0865495c6b2ac18534  rt-3.8.5.tar.gz.sig

During a routine internal audit, it was determined that all versions of
RT from 3.4.6 to 3.8.4 are vulnerable to an escaping bug in the display
of Custom Fields that could allow injection of javascript into the RT
UI.

This bug is only exploitable if you have a Custom Field that accepts
data from an end user (such as Enter one Value, or Fill in one text
area).  It does not affect 'select one value' fields.  In addition, you
must allow malicious users to set these custom fields, either through
the Web UI (SelfService) or through an automated parsing script such as
RT-Extension-ExtractCustomFieldValues, RT-Extension-CommandByMail or a
local parsing modification.

If you do not allow external users to set Custom Field values and the
only users who have ModifyCustomField are your Privileged users, then
the impact of this is limited to one of your trusted users attacking the
system.

I have attached patches for the 3.4, 3.6 and 3.8 branches of RT
in case you do not wish to upgrade at this time.

You can apply these patches as follows:

RT 3.4

cd /opt/rt3/share
patch -p1 < /path/to/RT-3.4-escape_custom_field_value.patch

RT 3.6

cd /opt/rt3/share
patch -p1 < /path/to/RT-3.6-escape_custom_field_value.patch

RT 3.8

cd /opt/rt3/
patch -p1 < /path/to/RT-3.8-escape_custom_field_value.patch

You should then clear your mason cache
# rm -rf /opt/rt3/var/mason_data/obj/*

and restart your webserver; this is often accomplished with

# /etc/init.d/httpd restart
or
# /etc/init.d/apache restart
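A small self-check to go with the procedure above, added here as an example and not part of the announcement: it verifies a downloaded tarball against the published SHA1, reports whether an installed ShowCustomFields component still has the unescaped print call or already carries the apply_escapes fix, and confirms the Mason object cache is empty. It assumes sha1sum (or shasum), grep and mktemp are available; the file names in demo() are constructed.

```shell
#!/bin/sh
# Added example, not code from the RT project or the announcement.

# verify_sha1 FILE EXPECTED_HEX -> exit 0 if the digest matches, 1 otherwise
verify_sha1() {
    file=$1; expected=$2
    if command -v sha1sum >/dev/null 2>&1; then
        actual=$(sha1sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 1 "$file" | cut -d' ' -f1)   # BSD/macOS
    fi
    [ "$actual" = "$expected" ]
}

# patch_state FILE -> prints "patched", "vulnerable" or "unknown".
# The vulnerable fallback branch prints $value->Content raw; the fixed
# branch routes it through apply_escapes(..., 'h') (HTML-entity escaping).
patch_state() {
    f=$1
    if grep -qF "apply_escapes( \$value->Content, 'h' )" "$f"; then
        echo patched
    elif grep -qF '$m->print( $value->Content );' "$f"; then
        echo vulnerable
    else
        echo unknown
    fi
}

# mason_cache_clear DIR -> exit 0 if no compiled components remain in DIR
mason_cache_clear() {
    [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# Stand-alone demo on constructed files; no RT install is needed.
demo() {
    tmp=$(mktemp -d)
    printf 'abc' > "$tmp/sample.tar.gz"          # SHA1 of "abc" is well known
    verify_sha1 "$tmp/sample.tar.gz" a9993e364706816aba3e25717850c26c9cd0d89d \
        && echo "checksum ok"
    printf '%s\n' '$m->print( $value->Content );' > "$tmp/old"
    printf '%s\n' "\$m->out( \$m->interp->apply_escapes( \$value->Content, 'h' ) );" > "$tmp/new"
    echo "old: $(patch_state "$tmp/old")  new: $(patch_state "$tmp/new")"
    mkdir "$tmp/obj" && mason_cache_clear "$tmp/obj" && echo "cache empty"
    rm -rf "$tmp"
}
```

On a real install, run `patch_state /opt/rt3/share/html/Elements/ShowCustomFields` (or `/opt/rt3/html/...` on 3.4/3.6 layouts) and `mason_cache_clear /opt/rt3/var/mason_data/obj` after the rm -rf step.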
diff --git a/html/Elements/ShowCustomFields b/html/Elements/ShowCustomFields
index 199fe36..19a3b68 100644
--- a/html/Elements/ShowCustomFields
+++ b/html/Elements/ShowCustomFields
@@ -76,7 +76,7 @@ my $print_value = sub {
 if ( $m->comp_exists( $comp ) ) {
 $m->comp( $comp, Object => $value );
 } else {
-$m->print( $value->Content );
+$m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
 }
 };
 
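Review bot: the escaping is added only to the else branch; the `$m->comp( $comp, Object => $value )` path, taken when a type-specific display component exists, is unchanged, so every such component must escape `Content` itself or the raw value still reaches the page through that branch. The per-type components under the same Elements tree should be checked before this is treated as closing the escaping bug. The `'h'` flag to `apply_escapes` is Mason's HTML-entity escape, so `<`, `>`, `&` and `"` in a user-supplied value are rendered literally rather than parsed as markup, which is the right fix for the display side.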
diff --git a/html/Elements/ShowCustomFields b/html/Elements/ShowCustomFields
index 9fc74fd..cf6127e 100644
--- a/html/Elements/ShowCustomFields
+++ b/html/Elements/ShowCustomFields
@@ -90,7 +90,7 @@ my $print_value = sub {
 if ( $m->comp_exists( $comp ) ) {
 $m->comp( $comp, Object => $value );
 } else {
-$m->print( $value->Content );
+$m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
 }
 $m->out('') if $linked;
 
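Review bot: the trailing context line `$m->out('') if $linked;` emits an empty string, which is a no-op as shown; if a closing tag was dropped from that literal when the diff was pasted into mail, the attached patch file should be checked against the repository rather than this rendering, since `patch` matches context lines verbatim. Otherwise this is the same one-line change as the 3.4 hunk at a different offset, and the `html/Elements/ShowCustomFields` path is consistent with the instruction to apply it with `-p1` from `/opt/rt3/share`.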
diff --git a/share/html/Elements/ShowCustomFields 
b/share/html/Elements/ShowCustomFields
index d9b23ed..7053594 100644
--- a/share/html/Elements/ShowCustomFields
+++ b/share/html/Elements/ShowCustomFields
@@ -92,7 +92,7 @@ my $print_value = sub {
 if ( $m->comp_exists( $comp ) ) {
 $m->comp( $comp, Object => $value );
 } else {
-$m->print( $value->Content );
+$m->out( $m->interp->apply_escapes( $value->Content, 'h' ) );
 }
 $m->out('') if $linked;
 
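Review bot: the path here is `share/html/Elements/ShowCustomFields`, whereas the 3.4 and 3.6 patches use `html/Elements/ShowCustomFields`; that is why the instructions say `cd /opt/rt3/` for 3.8 but `cd /opt/rt3/share` for the older branches, and applying one branch's patch from the other's directory with `-p1` will fail to find the file, so the three patch files should not be mixed up. Since the fix is a Mason component, the `rm -rf /opt/rt3/var/mason_data/obj/*` step is not optional: a previously compiled copy of ShowCustomFields would keep printing the raw value until the cache is cleared and the web server restarted.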


pgpzzBmlu9qki.pgp
Description: PGP signature
___
RT-Announce mailing list
rt-annou...@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce