
[rt-announce] RT 4.2.12 released
RT 4.2.12 -- 2015-08-12
-----------------------

RT 4.2.12 contains important security fixes.

https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz.asc

SHA1 sums

ddbf70752c2b96354caf7687534addf075859d4d rt-4.2.12.tar.gz
8e76c69a56a60afbe0a75673874a1f4510355350 rt-4.2.12.tar.gz.asc

This release is a security release which addresses the following
vulnerabilities:

RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via
the user and group rights management pages. This vulnerability is assigned
CVE-2015-5475. It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.

RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack
via the cryptography interface. This vulnerability could allow an attacker
with a carefully-crafted key to inject JavaScript into RT's user interface.
Installations which use neither GnuPG nor S/MIME are unaffected.


A complete changelog is available from git by running:
git log rt-4.2.11..rt-4.2.12
or visiting
https://github.com/bestpractical/rt/compare/rt-4.2.11...rt-4.2.12
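Before upgrading, the sums and the detached signature published above are what let you check that the tarball you fetched is the one Best Practical released. The script below is an added example for this announcement, not code shipped by RT or Best Practical. The URLs and SHA1 sums are copied from the announcement; the function names (sha1_of, verify_sha1, verify_release) are my own, and the script assumes curl, gpg and either sha1sum or shasum are installed and that the RT release-signing key is already in your keyring. Note that the SHA1 check only detects a corrupted download: the sums arrive over the same unauthenticated channel as the URL, so the gpg signature check is the step that establishes provenance.

```shell
#!/bin/sh
# Added example (not part of the original announcement): verify the RT 4.2.12
# release tarball against the published SHA1 sums and detached signature.
# Values below are from the announcement; helper names are assumptions.

RT_TARBALL_URL="https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz"
RT_SIG_URL="https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz.asc"
RT_TARBALL_SHA1="ddbf70752c2b96354caf7687534addf075859d4d"
RT_SIG_SHA1="8e76c69a56a60afbe0a75673874a1f4510355350"

# Print the SHA1 of a file, using whichever tool is installed
# (sha1sum from coreutils, or shasum on BSD/macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_sha1 FILE EXPECTED: return 0 if FILE's SHA1 equals EXPECTED, 1 otherwise.
# The comparison is case-insensitive because published sums are sometimes
# pasted in upper case.
verify_sha1() {
    actual=$(sha1_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_release DIR: download tarball and signature into DIR, check both
# against the published sums, then verify the detached GnuPG signature.
# gpg exits non-zero on a bad signature or an unknown signing key, so an
# untrusted or missing key fails the check rather than passing silently.
verify_release() {
    dir="$1"
    tarball="$dir/rt-4.2.12.tar.gz"
    sig="$dir/rt-4.2.12.tar.gz.asc"
    curl -fsSL -o "$tarball" "$RT_TARBALL_URL" || return 1
    curl -fsSL -o "$sig" "$RT_SIG_URL" || return 1
    verify_sha1 "$tarball" "$RT_TARBALL_SHA1" || { echo "SHA1 mismatch: $tarball" >&2; return 1; }
    verify_sha1 "$sig" "$RT_SIG_SHA1" || { echo "SHA1 mismatch: $sig" >&2; return 1; }
    gpg --verify "$sig" "$tarball" || { echo "signature check failed: $tarball" >&2; return 1; }
    echo "rt-4.2.12.tar.gz verified"
}

# Usage: mkdir -p /tmp/rt-4.2.12 && verify_release /tmp/rt-4.2.12
```

Run verify_release with a scratch directory; it stops at the first failing check and prints which file or step failed, so a mismatch is never masked by a later success.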
Re: [rt-announce] RT 4.2.12 released
Hi,

previously, security releases also included the commits since the last
release (and translation updates).
Are security releases from now released only with the security fixes?

Chris
Re: [rt-announce] RT 4.2.12 released
> On 2015/08/12 18:19, Christian Loos <cloos@netsandbox.de> wrote:
>
> Hi,

Hi Chris,

> previously, security releases also included the commits since the last
> release (and translation updates).
> Are security releases from now released only with the security fixes?

There have been releases in the past that address only security vulnerabilities or major faults (and not bugfixes or translation updates), such as 4.0.16, 4.0.15, and 4.0.13.

My inclination is that security releases should be as tiny as possible to help remove any reasons for people to avoid upgrading. Furthermore, we don’t want to have people wait on a release candidate to pass muster in order to be able to upgrade to a secure version of RT. Finally it’s also important to be able to roll these releases out quickly, having the most limited set of sources for regressions possible.

I know you’re asking because you care about translation updates and bugfixes (many of which you’ve contributed!), and we’re definitely going to be shipping another bugfix release once the dust settles on 4.2.12. :)

> Chris

Thanks,
Shawn
Re: [rt-announce] RT 4.2.12 released
Hi Shawn,

On 13.08.2015 at 21:35, Shawn Moore wrote:
>
>> On 2015/08/12 18:19, Christian Loos <cloos@netsandbox.de> wrote:
>>
>> Hi,
>
> Hi Chris,
>
>> previously, security releases also included the commits since the last
>> release (and translation updates).
>> Are security releases from now released only with the security fixes?
>
> There have been releases in the past that address only security vulnerabilities or major faults (and not bugfixes or translation updates), such as 4.0.16, 4.0.15, and 4.0.13.
>
> My inclination is that security releases should be as tiny as possible to help remove any reasons for people to avoid upgrading. Furthermore, we don’t want to have people wait on a release candidate to pass muster in order to be able to upgrade to a secure version of RT. Finally it’s also important to be able to roll these releases out quickly, having the most limited set of sources for regressions possible.
Thanks for explaining this.
I just asked, as the last 4.2 security fixes also included changes.
But I'm with you that releasing security fixes as a separate release is
the better way.

>
> I know you’re asking because you care about translation updates and bugfixes (many of which you’ve contributed!), and we’re definitely going to be shipping another bugfix release once the dust settles on 4.2.12. :)
I hope someone has time to review my pending Pull Request before the
next release, which also includes some bugfixes [1].


Chris

[1] https://github.com/bestpractical/rt/pulls/cloos