
jesse at bestpractical
Oct 30, 2001, 11:34 PM
RT 2.0.8_01 - CRITICAL SECURITY FIX
Earlier today, I was alerted to a security vulnerability in RT's command line administration tool, rtadmin, by Jay Kramer at Mojomole.com. The vulnerability, as Jay discovered, allows _local_ shell users to access RT's command line administrative tool with RT superuser permissions.

If you have local shell users who have access to execute the RT binaries but who are not trusted administrators, you MUST upgrade to RT 2.0.8_01 as soon as humanly possible.

Until you upgrade, we recommend that you disable the rtadmin program by executing the following command:

    chmod 000 /path/to/rt/bin/rtadmin

RT 2.0.8_01 is immediately available from:

    ftp://ftp.fsck.com/pub/rt/release/rt-2-0-8_01.tar.gz

A diff between RT 2.0.8 and RT 2.0.8_01 is attached to this message.

Thanks very much to Jay Kramer for his quick and professional handling of this vulnerability report.

Jesse Vincent
Best Practical Solutions, LLC

--
http://www.bestpractical.com/products/rt -- Trouble Ticketing. Free.