[request-tracker-maintainers] [alexmv at bestpractical.com: [rt-announce] Security vulnerabilities in three commonly deployed RT extensions]

Dominic Hargreaves dom at earth.li
Thu Jul 26 21:47:08 UTC 2012


I've pushed out a fix for this. It tests out okay for me, but I don't
use it heavily. If you use it, could you give it a try and report back
before I submit it for a DSA?

http://anonscm.debian.org/gitweb/?p=pkg-request-tracker/rt-rtfm.git;a=shortlog;h=refs/heads/squeeze

----- Forwarded message from Alex Vandiver <alexmv at bestpractical.com> -----

Date: Wed, 25 Jul 2012 13:17:23 -0700
From: Alex Vandiver <alexmv at bestpractical.com>
To: rt-announce at bestpractical.com
Subject: [rt-announce] Security vulnerabilities in three commonly deployed RT extensions
Resent-From: Dominic Hargreaves <dominic.hargreaves at oucs.ox.ac.uk>
Resent-Date: Thu, 26 Jul 2012 10:26:00 +0100
Resent-To: dom at larted.org.uk
Organization: Best Practical Solutions, LLC

We have determined a number of security vulnerabilities in commonly
installed RT extensions, enumerated below.  You can determine which, if
any, of these extensions your RT installation is using by navigating to
Configuration -> Tools -> System Configuration, and examining the
"Plugins" configuration setting.

We have released updated versions of each vulnerable extension.
Installation instructions for each are included in a README file in each
extension's tarball.  You need only download and upgrade these
extensions if you have a previous version of them installed; RT
installations with none of the below extensions installed are not
vulnerable, and do not need to take action.


RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are
vulnerable to an escalation of privilege attack where the URL of an RSS
feed of the user can be used to acquire a fully logged-in session as
that user.  CVE-2012-2770 has been assigned to this vulnerability.

Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth
0.11, which resolves this vulnerability.  Because users of RT 3.8.1
cannot run RT::Authen::ExternalAuth later than 0.08 (due to bugs in
plugin handling code in RT 3.8.1), we are also providing a patch which
applies to RT::Authen::ExternalAuth 0.08.  This patch should only be
applied if you are running RT 3.8.1 and RT::Authen::ExternalAuth 0.08.
Instructions for applying the patch can be found in the patch file
itself.

  http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Authen-ExternalAuth-0.11.tar.gz
  http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch
  http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch.asc

  33ade803072d0ee6fff96f12969c1d4390b1211e  RT-Authen-ExternalAuth-0.11.tar.gz
  0d8057031b4115c2eb9dcc9ec43400ddea49afed  rt-authen-externalauth-0.08.patch
  31043b1c139487ae9ca1f8e3184493c077580b92  rt-authen-externalauth-0.08.patch.asc


RT::FM versions 2.0.4 through 2.4.3, inclusive, are vulnerable to
multiple cross-site scripting (XSS) attacks in the topic administration
page.  CVE-2012-2768 has been assigned to this vulnerability.  This
release also includes updates for compatibility with RT 3.8.12.  As RT
4.0 and above bundle RT::FM's functionality, and resolved this
vulnerability in RT 4.0.6, this update is only applicable to
installations of RT 3.8.

  http://download.bestpractical.com/pub/rt/release/RTFM-2.4.4.tar.gz
  http://download.bestpractical.com/pub/rt/release/RTFM-2.4.4.tar.gz.asc

  abebd875d6d37b7d7ce3135952e23d8427b685c9  RTFM-2.4.4.tar.gz
  5f5e55ec9a8ee03c3f444c502012b1b958d4412c  RTFM-2.4.4.tar.gz.asc


RT::Extension::MobileUI 1.01 and below are vulnerable to multiple
cross-site scripting (XSS) attacks.  CVE-2012-2769 has been assigned to
this vulnerability.  As RT 4.0 and above bundle
RT::Extension::MobileUI's functionality, and resolved this vulnerability
in RT 4.0.6, this update is only applicable to installations of RT 3.8.

  http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Extension-MobileUI-1.02.tar.gz

  4f97065fab28c3e875393a6aeb61c3d3bb7bb3be  RT-Extension-MobileUI-1.02.tar.gz

The README in each tarball contains instructions for upgrading the
extension.  If you need help resolving this issue locally, we will
provide discounted pricing for single-incident support; please contact
us at sales at bestpractical.com for more information.

 - Alex





----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
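As an added example (not code from the advisory, from Best Practical, or from the Debian package), the following Python script encodes the affected version ranges and the SHA1 checksums published in the forwarded advisory so that an administrator can triage a list of configured RT plugins and verify a downloaded tarball offline. The function names, the `plugins`/`installed` inputs and the sample data are assumptions; the version-comparison rule reflects that RT::FM uses dotted versions while the other two extensions use CPAN-style decimal versions.

```python
import hashlib

# Affected ranges as stated in the advisory: (CVE, lowest affected or None,
# highest affected, fixed release). Bounds are inclusive.
ADVISORY = {
    "RT::Authen::ExternalAuth": ("CVE-2012-2770", None, "0.10", "0.11"),
    "RT::FM": ("CVE-2012-2768", "2.0.4", "2.4.3", "2.4.4"),
    "RT::Extension::MobileUI": ("CVE-2012-2769", None, "1.01", "1.02"),
}

# SHA1 checksums of the fixed tarballs, copied from the advisory.
CHECKSUMS = {
    "RT-Authen-ExternalAuth-0.11.tar.gz": "33ade803072d0ee6fff96f12969c1d4390b1211e",
    "RTFM-2.4.4.tar.gz": "abebd875d6d37b7d7ce3135952e23d8427b685c9",
    "RT-Extension-MobileUI-1.02.tar.gz": "4f97065fab28c3e875393a6aeb61c3d3bb7bb3be",
}


def parse_version(v):
    """Dotted versions (2.4.3) compare as integer tuples; CPAN-style decimal
    versions (0.08, 0.10, 1.01) compare numerically, so 0.08 < 0.10 < 0.11.
    Only versions of the same extension are ever compared with each other."""
    parts = v.split(".")
    if len(parts) > 2:
        return tuple(int(p) for p in parts)
    return (float(v),)


def vulnerable_plugins(plugins, installed):
    """plugins: names from RT's "Plugins" setting; installed: {name: version}.
    Returns [(name, version, cve, fixed_version)] for affected plugins."""
    findings = []
    for name in plugins:
        if name not in ADVISORY or name not in installed:
            continue
        cve, low, high, fixed = ADVISORY[name]
        ver = parse_version(installed[name])
        in_range = ver <= parse_version(high)
        if low is not None:
            in_range = in_range and ver >= parse_version(low)
        if in_range:
            findings.append((name, installed[name], cve, fixed))
    return findings


def verify_tarball(filename, data):
    """True only if data's SHA1 matches the checksum the advisory published."""
    expected = CHECKSUMS.get(filename)
    return expected is not None and hashlib.sha1(data).hexdigest() == expected


if __name__ == "__main__":
    # Constructed sample: an RT 3.8 site with two affected plugins and RT::FM already fixed.
    plugins = ["RT::Authen::ExternalAuth", "RT::FM", "RT::Extension::MobileUI"]
    installed = {"RT::Authen::ExternalAuth": "0.08", "RT::FM": "2.4.4", "RT::Extension::MobileUI": "1.01"}
    for name, ver, cve, fixed in vulnerable_plugins(plugins, installed):
        print(f"{name} {ver}: affected by {cve}; upgrade to {fixed}")
```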


