[rt-users] [rt-announce] Security vulnerabilities in RT
We have discovered security vulnerabilities which affect both RT 4.0.x and RT 4.2.x. We are releasing RT versions 4.0.24 and 4.2.12 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.

The vulnerabilities addressed by 4.0.24, 4.2.12, and the below patches include the following:

RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via the user and group rights management pages. This vulnerability is assigned CVE-2015-5475. It was discovered and reported by Marcin Kopeć at Data Reliance Shared Service Center.

RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack via the cryptography interface. This vulnerability could allow an attacker with a carefully-crafted key to inject JavaScript into RT's user interface. Installations which use neither GnuPG nor S/MIME are unaffected.

Patches for all releases of 4.0.x and 4.2.x are available for download below. Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sa...@bestpractical.com if you need assistance with an older RT version.

https://download.bestpractical.com/pub/rt/release/security-2015-08-12.tar.gz
https://download.bestpractical.com/pub/rt/release/security-2015-08-12.tar.gz.asc

0ffdfae09837c09957f69e9de69660735d3099ee  security-2015-08-12.tar.gz
92c8d4d299c7bc205eb8382274306dc3aaa14970  security-2015-08-12.tar.gz.asc

The README in the tarball contains instructions for applying the patches.

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sa...@bestpractical.com for more information.

___ rt-announce mailing list rt-annou...@lists.bestpractical.com http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce
[rt-users] [rt-announce] Security vulnerabilities in RT
We have discovered security vulnerabilities which affect both RT 4.0.x and RT 4.2.x. We are releasing RT versions 4.0.23 and 4.2.10 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.

The vulnerabilities addressed by 4.0.23, 4.2.10, and the below patches include the following:

RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a remote denial-of-service via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This denial-of-service may encompass both CPU and disk usage, depending on RT's logging configuration. This vulnerability is assigned CVE-2014-9472.

RT 3.8.8 and above are vulnerable to an information disclosure attack which may reveal RSS feed URLs, and thus ticket data; this vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be leveraged to perform session hijacking, allowing a user with the URL to log in as the user that created the feed; this vulnerability is assigned CVE-2015-1464.

We would like to thank Christian Loos for reporting CVE-2014-9472 and CVE-2015-1165; CVE-2015-1464 was found by internal review.

Patches for all releases of 4.0.x and 4.2.x are available for download below. Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sa...@bestpractical.com if you need assistance with an older RT version.

https://download.bestpractical.com/pub/rt/release/security-2015-02-26.tar.gz
https://download.bestpractical.com/pub/rt/release/security-2015-02-26.tar.gz.asc

aac58bf3aa6d918dbefbaa2b27a9694f27b32d58  security-2015-02-26.tar.gz
6abe9a58400db3ee2cdbdf17704f0d881d90d744  security-2015-02-26.tar.gz.asc

The README in the tarball contains instructions for applying the patches.

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sa...@bestpractical.com for more information.
[rt-users] [rt-announce] Security vulnerabilities in RT
We discovered a number of security vulnerabilities which affect both RT 3.8.x and RT 4.0.x. We are releasing RT versions 3.8.17 and 4.0.13 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.17, 4.0.13, and the below patches include the following:

RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to unauthorized modification of ticket data. The DeleteTicket right and any custom lifecycle transition rights may be bypassed by any user with ModifyTicket. This vulnerability is assigned CVE-2012-4733.

RT 3.8.0 and above include a version of bin/rt that uses semi-predictable names when creating tempfiles. This could possibly be exploited by a malicious user to overwrite files with permissions of the user running bin/rt. This vulnerability is assigned CVE-2013-3368.

RT 3.8.0 and above allow calling of arbitrary Mason components (without control of arguments) for users who can see administration pages. This could be used by a malicious user to run private components which may have negative side-effects. This vulnerability is assigned CVE-2013-3369.

RT 3.8.0 and above allow direct requests to private callback components. Though no callback components ship with RT, this could be used to exploit an extension or local callback which uses the arguments passed to it insecurely. This vulnerability is assigned CVE-2013-3370.

RT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via attachment filenames. The vector is difficult to exploit due to parsing requirements. Additionally, RT 4.0.0 and above are vulnerable to XSS via maliciously-crafted "URLs" in ticket content when RT's "MakeClicky" feature is configured. Although not believed to be exploitable in the stock configuration, a patch is also included for RTIR 2.6.x to add bulletproofing. These vulnerabilities are assigned CVE-2013-3371.

RT 3.8.0 and above are vulnerable to an HTTP header injection limited to the value of the Content-Disposition header. Injection of other arbitrary response headers is not possible. Some (especially older) browsers may allow multiple Content-Disposition values which could lead to XSS. Newer browsers contain security measures to prevent this. Thank you to Dominic Hargreaves for reporting this vulnerability. This vulnerability is assigned CVE-2013-3372.

RT 3.8.0 and above are vulnerable to a MIME header injection in outgoing email generated by RT. The vectors via RT's stock templates are resolved by this patchset, but any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines. This vulnerability is assigned CVE-2013-3373.

RT 3.8.0 and above are vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. RT's default session configuration only uses Apache::Session::File for Oracle. RT instances using Oracle may be locally configured to use the database-backed Apache::Session::Oracle, in which case sessions are never re-used. The extent of session re-use is limited to information leaks of certain user preferences and caches, such as queue names available for ticket creation. Thank you to Jenny Martin for reporting the problem that led to discovery of this vulnerability. This vulnerability is assigned CVE-2013-3374.

Patches for all releases of 3.8.x and 4.0.x are available for download below. Versions of RT older than 3.8.0 are unsupported and do not receive security patches; please contact sa...@bestpractical.com if you need assistance with an older RT version.

http://download.bestpractical.com/pub/rt/release/security-2013-05-22.tar.gz
http://download.bestpractical.com/pub/rt/release/security-2013-05-22.tar.gz.sig

25349c393c1b8d720f26a62dd57dc90d7def1cea  security-2013-05-22.tar.gz
d78db2e9fba3b78c1ee7a0a8d9ede871cc7ba7dc  security-2013-05-22.tar.gz.sig

The README in the tarball contains instructions for applying the patches.

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sa...@bestpractical.com for more information.
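As an added illustration of the template hardening the CVE-2013-3373 advisory above asks for (values interpolated into mail headers must not contain newlines), here is example code that is not RT's own; `header_safe` and `render_headers` are hypothetical helpers and the sample values are constructed:

```perl
#!/usr/bin/env perl
# Added example, not code from RT. Shows how a custom template can make
# every interpolated header value newline-free so that user-controlled
# text (a ticket subject, a requestor name) cannot terminate the header
# it is placed in and start a new one.
use strict;
use warnings;

# Return true if a value would break out of its header line, which is
# useful when auditing existing templates for the vector the advisory names.
sub has_header_break {
    my ($value) = @_;
    return defined $value && $value =~ /[\r\n]/ ? 1 : 0;
}

# Collapse any line break (CR, LF, or CRLF), together with any folding
# whitespace that follows it, into a single space. The result is always a
# single line, so it is safe to interpolate into a header.
sub header_safe {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s/\r\n?[ \t]*/ /g;   # CRLF or bare CR, plus optional fold
    $value =~ s/\n[ \t]*/ /g;      # bare LF, plus optional fold
    return $value;
}

# Render the header block of a minimal RT-style template: one "Name: value"
# line per field, terminated by the blank line that ends the headers.
sub render_headers {
    my (%fields) = @_;
    my @lines;
    for my $name (sort keys %fields) {
        push @lines, "$name: " . header_safe($fields{$name});
    }
    return join("\n", @lines) . "\n\n";
}

# Constructed sample: a subject carrying an embedded line break that, if
# interpolated verbatim, would add an extra header to the outgoing mail.
my $subject = "Re: ticket #1234\r\nX-Injected: constructed-sample";

printf "template value needs sanitizing: %s\n",
    has_header_break($subject) ? 'yes' : 'no';
print render_headers(
    Subject      => $subject,
    'X-RT-Queue' => "General",
);
```

In the output the Subject stays on one line and no `X-Injected` header appears, which is the property custom templates need after the patchset.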
[rt-users] [rt-announce] Security vulnerabilities in RT
We have determined a number of security vulnerabilities which affect both RT 3.8.x and RT 4.0.x. We are releasing RT versions 3.8.15 and 4.0.8, and RTFM version 2.4.5, to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.15, 4.0.8, and the below patches include the following:

All versions of RT are vulnerable to an email header injection attack. Users with ModifySelf or AdminUser can cause RT to add arbitrary headers or content to outgoing mail. Depending on the scrips that are configured, this may be leveraged for information leakage or phishing. We have been assigned CVE-2012-4730 for this vulnerability; we would like to thank Scott MacVicar for bringing this matter to our attention.

RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability due to lack of proper rights checking, allowing any privileged user to create Articles in any class. We have been assigned CVE-2012-4731 for this vulnerability.

All versions of RT with cross-site-request forgery (CSRF) protection (RT 3.8.12 and above, RT 4.0.6 and above, and any instances running the security patches released 2012-05-22) contain a vulnerability which incorrectly allows through CSRF requests which toggle ticket bookmarks. We have been assigned CVE-2012-4732 for this vulnerability; we would like to thank Matthew Astley for bringing this to our attention.

Additionally, all versions of RT are vulnerable to a confused deputy attack on the user. While not strictly a CSRF attack, users who are not logged in who are tricked into following a malicious link may, after supplying their credentials, be subject to an attack which leverages their credentials to modify arbitrary state. While users who were logged in would have observed the CSRF protection page, users who were not logged in receive no such warning due to the intervening login process. RT has been extended to notify users of pending actions during the login process. We have been assigned CVE-2012-4734 for this vulnerability; we would like to thank Matthew Astley for bringing this to our attention.

RT 3.8.0 and above are susceptible to a number of vulnerabilities concerning improper signing or encryption of messages using GnuPG; if GnuPG is not enabled, none of the following affect you. We have been assigned CVE-2012-4735 for the following related vulnerabilities:

* When using GnuPG, RT now clarifies the concepts of signing for _integrity_ and signing for _authentication_, which are separate (and exclusive) concepts. Previously, enabling the "Sign by default" queue configuration began signing automatically-generated messages with the queue's key, in addition to defaulting emails sent from the web UI to being signed. This provides integrity, but causes emails signed with that key to no longer possess authenticity; no individual email is guaranteed to have come from an actor designated to act for that key, in the case of automatically-generated emails. RT has now changed the "Sign by default" checkbox to merely provide a default in the web UI when composing messages; it no longer affects automatically-generated outgoing messages. Thus the "Sign by default" option helps to provide _authenticity_. A separate queue configuration option, "Sign all auto-generated mail" (defaulting to off) now controls the signing of automatically-generated emails, which (when used in combination with the previous option) helps provide _integrity_ of all outgoing messages. Users who had previously checked "Sign by default" and who wish to maintain the previous effect of integrity but not authenticity will need to enable the new option as well. We would like to thank Matthijs Melissen (University of Luxembourg) for bringing this matter to our attention.

* RT 3.8.0 and above contain a vulnerability which allows incoming emails to force all triggered outgoing mail to be signed and/or encrypted.

* RT 3.8.0 and above contain a vulnerability which allows incoming emails to incorrectly appear in the UI to have been encrypted when they had not been. This vulnerability only applies to encryption, not signing.

* RT 3.8.0 and above contain a vulnerability which allows any user who is capable of sending signed email in the UI to do so using any secret key stored in RT's keyring.

Additionally, RT 3.8.0 and above contain a vulnerability which allows a user to pass arbitrary arguments to the command-line GnuPG client, which could be leveraged to create arbitrary files on disk with the permissions of the webserver. This vulnerability only applies if GnuPG is enabled, and does _not_ allow for execution of programs other than the command-line GnuPG client. We have been assigned CVE-2012-4884 for this vulnerability.

If you are running 3.8.x and RTFM, you will need to install RTFM 2.4.5 t
Re: [rt-users] [rt-announce] Security vulnerabilities in RT
On Tue, 2012-05-22 at 10:34 -0400, Alex Vandiver wrote:
> In addition to releasing RT versions 3.8.12 and 4.0.6 which address
> these issues, we have also collected patches for all releases of 3.8 and 4.0
> into a distribution available for download at this link:
>
> http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz
> http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz.asc

It has been brought to our attention that the patchset requires version 0.68 or higher of FCGI.pm if you are running a FastCGI deployment. A too-low version of this module will manifest as outgoing mail failing to be sent, and errors in the logs resembling:

    Could not send mail with command `[...]`: Can't locate object method "FILENO" via package "FCGI::Stream"

RT 3.8.11 and 4.0.5 already require version 0.75 or higher, to ensure that you are protected from CVE-2011-2766, which affects mod_fastcgi: http://lists.bestpractical.com/pipermail/rt-announce/2011-October/000196.html

- Alex
[rt-users] [rt-announce] Security vulnerabilities in RT
Internal audits of the RT codebase have uncovered a number of security vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches include the following:

The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users. This release includes an updated version of the `vulnerable-passwords` tool, which should be run again to upgrade the remaining password hashes. CVE-2011-2082 is assigned to this vulnerability.

RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information disclosure vulnerabilities. This includes the ability for privileged users to expose users' previous password hashes; this vulnerability is particularly dangerous given RT's weak hashing previous to the fix in CVE-2011-0009. A separate vulnerability allows privileged users to obtain correspondence history for any ticket in RT. CVE-2011-2084 is assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site request forgery (CSRF), in which a malicious website causes the browser to make a request to RT as the currently logged in user. This attack vector could be used for information disclosure, privilege escalation, and arbitrary execution of code. Because some external integrations may rely on RT's previously permissive functionality, we have included a configuration option ($RestrictReferrer) to disable CSRF protection. We have also added an additional configuration parameter ($ReferrerWhitelist) to aid in exempting certain originating sites from CSRF protections. CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option ($RestrictLoginReferrer) to prevent login CSRF, a different class of CSRF attack where the user is silently logged in using the attacker's credentials. $RestrictLoginReferrer defaults to disabled, because this functionality's benign usage is more commonly relied upon and presents less of a threat vector for RT than many other types of online applications.

RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect rights that a user only has by way of a currently-disabled group. CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack, which allows privileged users to obtain arbitrary information from the database. CVE-2011-4460 is assigned to this vulnerability.

In addition to releasing RT versions 3.8.12 and 4.0.6 which address these issues, we have also collected patches for all releases of 3.8 and 4.0 into a distribution available for download at this link:

http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz
http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz.asc

37e49809e28f1f48313a25b4abf3acd2e863fc26  security-2012-05-22.tar.gz
87be1fad89e078d49a146e8594eb64a78368b7cb  security-2012-05-22.tar.gz.asc

The README in the tarball contains instructions for applying the patches.

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sa...@bestpractical.com for more information.

- Alex
Re: [rt-users] [Rt-announce] Security vulnerabilities in RT
On Thu, 2011-04-14 at 10:18 -0400, Murphy, Kevin wrote:
> Just to clarify: after applying the patch to 3.8.9, do I have 3.8.10?
> The page footer and system configuration page still say 3.8.9 and
> don't mention the patch.

No. The security patchsets are a minimal set of security patches which do not include the other bugfixes in 3.8.10.

- Alex
[rt-users] [Rt-announce] Security vulnerabilities in RT
In the process of preparing the release of RT 4.0.0, we performed an extensive security audit of RT's source code. During this audit, several vulnerabilities were found which affect earlier releases of RT. We are releasing versions 3.6.11, 3.8.10, and 4.0.0rc8 to resolve these vulnerabilities, as well as patches which apply atop 3.6.10 and all versions of RT 3.8.

RT versions 3.8.0 and above with the "external custom field" feature enabled and configured are vulnerable to a remote code execution vulnerability. An authenticated user (either privileged or unprivileged) can use this vulnerability to execute arbitrary code with the permissions of the webserver; they may also be tricked into doing so via cross-site request forgery (CSRF). The external custom field option is disabled by default; if you have not explicitly enabled "CustomFieldValuesSources" in your RT configuration, your RT instance is not vulnerable. We have been assigned CVE-2011-1685 for this vulnerability.

RT versions 2.0.0 and above are vulnerable to multiple SQL injection attacks. We do not believe these attacks to be capable of directly inserting, altering or removing data from the database, but an authenticated user (either privileged or unprivileged) could use them to retrieve unauthorized ticket data. Deployments since 3.6.0 are additionally vulnerable to a more complex attack, which can be used by a privileged user to retrieve arbitrary data from the database. We have been assigned CVE-2011-1686 for this vulnerability.

RT versions 3.0.0 and higher are vulnerable to an information leak wherein an authenticated privileged user could gain sensitive information, such as encrypted passwords, via the search interface. We have been assigned CVE-2011-1687 for this vulnerability. This vulnerability is particularly notable given RT's previous vulnerability with insecure hashing (CVE-2011-0009).

RT versions 3.6.0 through 3.8.7, as well as 3.8.8 to a more limited degree, are vulnerable to a malicious attacker tricking the user into sending their authentication credentials to a third-party server. We have been assigned CVE-2011-1690 for this vulnerability.

RT versions 3.2.0 and above are vulnerable to a directory traversal attack where an unauthenticated attacker can read any file which is readable by the webserver. While some servers (Apache, nginx) have safeguards which mitigate this attack, preventing such traversals from accessing files outside of RT's document root, many others (including the standalone server provided with RT, plackup, starman, twiggy, and lighttpd) are vulnerable to this exploit. We have been assigned CVE-2011-1688 for this vulnerability.

RT versions 2.0.0 and above are vulnerable to JavaScript cross-site-scripting vulnerabilities, which allow an attacker to run JavaScript with the user's credentials. We have been assigned CVE-2011-1689 for this vulnerability.

In addition to releasing RT versions 3.6.11, 3.8.10, and 4.0.0rc8, we have collected patches for 3.6.10 and all releases of 3.8 into a distribution available for download at this link:

http://download.bestpractical.com/pub/rt/release/security-2011-04-14.tar.gz
http://download.bestpractical.com/pub/rt/release/security-2011-04-14.tar.gz.sig

7d09b1315785a90d915bdbc86da1a0c9bd017a03  security-2011-04-14.tar.gz
7898a45b15474641a0f9c381d0f6f58fb34afcc3  security-2011-04-14.tar.gz.sig

The README in the tarball contains instructions for applying the patches.

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support. Please contact us at sa...@bestpractical.com for more information.

- Alex