On Tue, 2012-05-22 at 10:34 -0400, Alex Vandiver wrote:
> Internal audits of the RT codebase have uncovered a number of security
> vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to
> resolve these vulnerabilities, as well as patches which apply atop all
> released versions of 3.8 and 4.0.
>
> [snip]
> In addition to releasing RT versions 3.8.12 and 4.0.6 which address
> these issues, we have also collected patches for all releases of 3.8 and 4.0
> into a distribution available for download at this link:
Sites which are running RT 3.8.x under mod_perl will likely be affected
by a bug introduced by these security patches, which causes outgoing
email to fail. A hotfix for this bug can be applied via:
curl https://github.com/bestpractical/rt/commit/b7a5a53.patch |
patch -p1 -d /opt/rt3
RT 4.0.x should not be affected by this bug, as 'SetHandler modperl' is
the correct mod_perl deployment option in RT 4. If you are experiencing
this issue with RT 4.0, simply alter your Apache configuration to use
'SetHandler modperl' instead of 'SetHandler perl-script' for your RT
deployment.
RT 3.8.12 is affected by this bug as well; we are releasing RT 3.8.13
shortly to address this, and suggest that affected users on RT 3.8.12
simply upgrade to RT 3.8.13. If possible, please test that the
just-released RT 3.8.13rc1 [1] solves the problem.
- Alex
[1] http://download.bestpractical.com/pub/rt/devel/rt-3.8.13rc1.tar.gz
> Internal audits of the RT codebase have uncovered a number of security
> vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to
> resolve these vulnerabilities, as well as patches which apply atop all
> released versions of 3.8 and 4.0.
>
> [snip]
> In addition to releasing RT versions 3.8.12 and 4.0.6 which address
> these issues, we have also collected patches for all releases of 3.8 and 4.0
> into a distribution available for download at this link:
Sites which are running RT 3.8.x under mod_perl will likely be affected
by a bug introduced by these security patches, which causes outgoing
email to fail. A hotfix for this bug can be applied via:
curl https://github.com/bestpractical/rt/commit/b7a5a53.patch |
patch -p1 -d /opt/rt3
RT 4.0.x should not be affected by this bug, as 'SetHandler modperl' is
the correct mod_perl deployment option in RT 4. If you are experiencing
this issue with RT 4.0, simply alter your Apache configuration to use
'SetHandler modperl' instead of 'SetHandler perl-script' for your RT
deployment.
RT 3.8.12 is affected by this bug as well; we are releasing RT 3.8.13
shortly to address this, and suggest that affected users on RT 3.8.12
simply upgrade to RT 3.8.13. If possible, please test that the
just-released RT 3.8.13rc1 [1] solves the problem.
- Alex
[1] http://download.bestpractical.com/pub/rt/devel/rt-3.8.13rc1.tar.gz
Attached Files:
-
signature.asc (0.19 KB)