alexmv at bestpractical
Jul 25, 2012, 1:17 PM
Post #1 of 1
We have determined a number of security vulnerabilities in commonly
[rt-announce] Security vulnerabilities in three commonly deployed RT extensions
installed RT extensions, enumerated below. You can determine which, if
any, of these extensions your RT installation is using by navigating to
Configuration -> Tools -> System Configuration, and examining the
"Plugins" configuration setting.
We have released updated versions of each vulnerable extension.
Installation instructions for each are included in a README file in each
extension's tarball. You need only download and upgrade these
extensions if you have a previous version of them installed; RT
installations with none of the below extensions installed are not
vulnerable, and do not need to take action.
RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are
vulnerable to an escalation of privilege attack where the URL of a RSS
feed of the user can be used to acquire a fully logged-in session as
that user. CVE-2012-2770 has been assigned to this vulnerability.
Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth
0.11, which resolves this vulnerability. Because users of RT 3.8.1
cannot run RT::Authen::ExternalAuth later then 0.08 (due to bugs in
plugin handling code in RT 3.8.1), we are also providing a patch which
applies to RT::Authen::ExternalAuth 0.08. This patch should only be
applied if you are running RT 3.8.1 and RT::Authen::ExternalAuth 0.08.
Instructions for applying the patch can be found in the patch file
RT::FM versions 2.0.4 through 2.4.3, inclusive, are vulnerable to
multiple cross-site scripting (XSS) attacks in the topic administration
page. CVE-2012-2768 has been assigned to this vulnerability. This
release also includes updates for compatibility with RT 3.8.12. As RT
4.0 and above bundle RT::FM's functionality, and resolved this
vulnerability in RT 4.0.6, this update is only applicable to
installations of RT 3.8.
RT::Extension::MobileUI 1.01 and below are vulnerable to multiple
cross-site scripting (XSS) attacks. CVE-2012-2769 has been assigned to
this vulnerability. As RT 4.0 and above bundle
RT::Extension::MobileUI's functionality, and resolved this vulnerability
in RT 4.0.6, this update is only applicable to installations of RT 3.8.
The README in each tarball contains instructions for upgrading the
extension. If you need help resolving this issue locally, we will
provide discounted pricing for single-incident support; please contact
us at sales [at] bestpractical for more information.