
RT 4.2.14 released
RT 4.2.14 -- 2017-07-26
=======================

We're pleased to announce the general availability of RT 4.2.14. This
release introduces several important security fixes as well as many
bugfixes.

The list of security fixes is included below, followed by other
improvements and bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.2.14.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.14.tar.gz.asc

SHA-256 sums

b3ee51d284001fe6938f879754a03866073aa48992fdd1709b1a54a1e6c6e614 rt-4.2.14.tar.gz
a5dd10fe84691a3f84e1d5983d8223c46a6b34eb20b92cbeca1c0a2f793d8e56 rt-4.2.14.tar.gz.asc

- Shawn M Moore, for Best Practical


Security
* RT 4.0.0 and above are vulnerable to an information leak of cross-site
request forgery (CSRF) verification tokens if a user visits a specific
URL crafted by an attacker. This vulnerability is assigned
CVE-2017-5943. It was discovered by a third-party security researcher.

* RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
if an attacker uploads a malicious file with a certain content type.
Installations which use the AlwaysDownloadAttachments config setting are
unaffected. This fix addresses all existing and future uploaded
attachments. This vulnerability is assigned CVE-2016-6127. This was
responsibly disclosed to us first by Scott Russo and the GE Application
Security Assessment Team.

* One of RT's dependencies, a Perl module named Email::Address, has a
denial-of-service vulnerability which can be used to deny service to
RT itself. We recommend administrators install Email::Address version
1.908 or above, though we additionally provide a new workaround within
RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
vulnerability's application to RT was brought to our attention by Pali
Rohár.

* RT 4.0.0 and above are vulnerable to timing side-channel attacks for
user passwords. By carefully measuring millions or billions of login
attempts, an attacker could crack a user's password even over the
internet. RT now uses a constant-time comparison algorithm for secrets
to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
This was responsibly disclosed to us by Aaron Kondziela.

* RT's ExternalAuth feature is vulnerable to a similar timing side-channel
attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
extension, as well as the core ExternalAuth feature in RT 4.4 are
vulnerable. Installations which don't use ExternalAuth, or which use
ExternalAuth for LDAP/ActiveDirectory authentication, or which use
ExternalAuth for cookie-based authentication, are unaffected. Only
ExternalAuth in DBI (database) mode is vulnerable.
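The password and ExternalAuth (DBI mode) bullets above both describe the same timing side channel in secret comparison. The following Python is an added example, not RT's own Perl code; it contrasts an early-exit comparison with a constant-time one and includes a cost-profile check a reviewer can use to confirm that a comparison routine does not leak how many leading bytes of a guess matched. The sample secret is constructed.

```python
import hashlib

# Constructed sample secret for the demonstration; not real RT data.
STORED_SECRET = b"correct-horse-battery"

def naive_compare(a: bytes, b: bytes):
    """Early-exit comparison like the vulnerable code path.

    Returns (equal, work); `work` counts byte comparisons performed,
    which is what an attacker observes as response time.
    """
    work = 0
    if len(a) != len(b):
        return False, work
    for x, y in zip(a, b):
        work += 1
        if x != y:
            return False, work
    return True, work

def constant_time_compare(a: bytes, b: bytes):
    """Comparison whose work is independent of where the inputs differ.

    Both sides are first reduced to fixed-length SHA-256 digests so a
    length mismatch cannot short-circuit; every digest byte is folded
    into `diff` and the verdict is read only at the end. Production
    code should use hmac.compare_digest; this spells out the guarantee.
    """
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    diff, work = 0, 0
    for x, y in zip(da, db):
        work += 1
        diff |= x ^ y
    return diff == 0, work

def prefix_cost_profile(compare, secret: bytes):
    """Work reported by `compare` for guesses sharing 0..len(secret)
    leading bytes with the secret: rising when the routine leaks,
    flat when it is constant-time."""
    profile = []
    for k in range(len(secret) + 1):
        guess = secret[:k] + b"\x00" * (len(secret) - k)
        profile.append(compare(secret, guess)[1])
    return profile

def is_constant_time(compare, secret: bytes = STORED_SECRET) -> bool:
    """True when the cost does not vary with the matching prefix."""
    return len(set(prefix_cost_profile(compare, secret))) == 1
```

The work counter stands in for wall-clock time: on real hardware the rising profile of `naive_compare` is what an attacker averages out of millions of requests, while the flat profile is what the constant-time fix restores.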

* RT 4.0.0 and above are potentially vulnerable to a remote code execution
attack in the dashboard subscription interface. A privileged attacker
can cause unexpected code to be executed through carefully-crafted saved
search names. Though we have not been able to demonstrate an actual
attack owing to other defenses in place, it could be possible. This fix
addresses all existing and future saved searches. This vulnerability is
assigned CVE-2017-5944. It was discovered by an internal security audit.

* RT 4.0.0 and above have misleading documentation which could reduce
system security. The documented name of the RestrictLoginReferrer config
setting (which has security implications) did not match the implementation,
which checked for a slightly different variable name. RT will now check for the
incorrect name and produce an error message. This was responsibly
disclosed to us by Alex Vandiver.

General user UI
* Avoid divide-by-zero in charts with no data (I#32143)
* Remove dashboard from menu if it can't be loaded (I#29719)
* Avoid wrapping one-time recipient checkbox separately from its
label (I#32117)
* Use only top-level attachments for generating one-time recipient lists
to avoid e.g. phishing addresses
* Fix bulk update for asset custom fields (I#32509)
* Sort one-time recipient addresses (I#31879)
* Fix article quicksearch degrading the article menu (#31591)
* Avoid noisy "CF changed from 0 to 0" messages (I#32440)
* Avoid showing a truncated list of articles due to permissions (I#31989)
* Include the new Request Tracker logo
* Stop double-escaping HTML which is made into links (I#31169)

Email
* Avoid overaggressively trimming whitespace from MIME encoded-words
* Add config option $OverrideMailPrecedence to help avoid out-of-office
autoreplies
* Fix issues with encrypted attachments being unreadable/absent

Database
* Replace deprecated NOCREATEUSER with NOSUPERUSER for
Postgres 9.6 (I#32511)

rt-serializer/rt-importer
* Fix several incorrect references in output (I#31803, I#31804, I#31805,
I#31808)
* Add --exclude-organization option (I#31812, I#31813)
* Add --limit-queues and --limit-cfs options
* Suppress semi-unmigrated link relationships by default
* Add --hyperlink-unmigrated option
* Fix queue change transactions to mention unmigrated queues by name
* Support for dashboards in menu preference (I#31810)
* Support for RT at a Glance preference (I#31809)
* Don't skip RT->System searches
* Avoid breaking rights granted to users (I#31806)

Web Administration
* Add checkbox for selecting all custom field values in admin UI
* Log a history entry when adjusting whether a user is Privileged
* Log history entries when adding/removing a group member both to
the group and to the member
* Hide disabled scrips by default, adding an "include disabled scrips"
checkbox (I#30131)
* Add missing timezone field on user create/modify (I#29977)
* Add RT extension names and versions to System Configuration page (I#31482)

Server Administration
* Avoid error messages in 4.0.1 upgrade step
* Improve automatic identification of `find` command
* Add RefreshIntervals config option for managing homepage and
dashboard refresh
* Log failure to unlink temp file after email parse (I#32142)
* Make automatically linking a used article to the ticket configurable
with $LinkArticlesOnInclude config
* Avoid undef warnings with mbox MailCommand and FastCGI
* Avoid regex deprecation warnings on perl 5.21.1+
* Avoid issues with modern Perl versions excluding ./ from @INC
* Reduce log levels of custom field loading issues caused by ordinary
end-user actions (I#31742)
* Adapt SMIME probe to work with openssl 1.1
* Double bcrypt cost for password hashing
* Avoid "Couldn't load object RT::Transaction #0" warnings (I#31548)
* Avoid broken DateTime::Locale versions (I#31542)
* Avoid incompatible DBD::mysql version (I#32670)

Developer
* Clarify the usage of skip_update in /Ticket/Update.html BeforeUpdate
callback
* Fix whitespace-related test failures under Mojolicious 7.0
* Fix test failures when /usr/bin/sendmail absent
* Factor out _OutgoingMailFrom into a separate method for extensibility
* Ensure that Test::NoWarnings is skipped if skip_all is used
* Fix bug where RT::Ticket->Create's SquelchMailTo would squelch only
to the first address (I#31600)
* Avoid test failure caused by hash randomization
* Set up default args for customizations calling SignEncrypt directly
* New callbacks:
/Elements/ShowCustomFieldWikitext WikiFormatArgs
/Search/Elements/Chart AfterChartTable
* Improved callbacks:
/Elements/Tabs Privileged adds Search_Args and Has_Query parameters

Documentation
* Update links to the RT wiki
* Update mailing list references to point to community forum
* Improve documentation around creating a custom theme (I#31800)
* Document how to include custom fields in format strings

Internationalization
* Improve translatability of "Refresh home page every x minutes." now
that "x" is configurable with @RefreshIntervals
* Update translations for: Brazilian Portuguese, Dutch, German, Latvian,
Macedonian, Russian, Serbian, Slovenian, and Spanish

A complete changelog is available from git by running:
git log rt-4.2.13..rt-4.2.14
or visiting
https://github.com/bestpractical/rt/compare/rt-4.2.13...rt-4.2.14

_______________________________________________
rt-announce mailing list
rt-announce@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce