On Tue, 2012-05-22 at 10:34 -0400, Alex Vandiver wrote: > Internal audits of the RT codebase have uncovered a number of security > vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to > resolve these vulnerabilities, as well as patches which apply atop all > released versions of 3.8 and 4.0. > > [snip] > In addition to releasing RT versions 3.8.12 and 4.0.6 which address > these issues, we have also collected patches for all releases of 3.8 and 4.0 > into a distribution available for download at this link:
Sites which are running RT 3.8.x under mod_perl will likely be affected by a bug introduced by these security patches, which causes outgoing email to fail. A hotfix for this bug can be applied via: curl https://github.com/bestpractical/rt/commit/b7a5a53.patch | patch -p1 -d /opt/rt3 RT 4.0.x should not be affected by this bug, as 'SetHandler modperl' is the correct mod_perl deployment option in RT 4. If you are experiencing this issue with RT 4.0, simply alter your Apache configuration to use 'SetHandler modperl' instead of 'SetHandler perl-script' for your RT deployment. RT 3.8.12 is affected by this bug as well; we are releasing RT 3.8.13 shortly to address this, and suggest that affected users on RT 3.8.12 simply upgrade to RT 3.8.13. If possible, please test that the just-released RT 3.8.13rc1 [1] solves the problem. - Alex [1] http://download.bestpractical.com/pub/rt/devel/rt-3.8.13rc1.tar.gz
signature.asc
Description: This is a digitally signed message part
_______________________________________________ rt-announce mailing list rt-annou...@lists.bestpractical.com http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce