[request-tracker-maintainers] Bug#674522: [alexmv at bestpractical.com: [rt-announce] Bugfix for security patch on mod_perl]

Dominic Hargreaves dom at earth.li
Fri May 25 08:26:05 UTC 2012


Package: request-tracker3.8
Version: 3.8.8-7+squeeze2
Severity: important
Tags: security

I will try and prepare an update for this issue by tomorrow morning
at the latest.

----- Forwarded message from Alex Vandiver <alexmv at bestpractical.com> -----

Date: Thu, 24 May 2012 17:24:20 -0400
From: Alex Vandiver <alexmv at bestpractical.com>
To: rt-announce at bestpractical.com
Subject: [rt-announce] Bugfix for security patch on mod_perl
Resent-From: Dominic Hargreaves <dominic.hargreaves at oucs.ox.ac.uk>
Resent-Date: Fri, 25 May 2012 09:23:45 +0100
Resent-To: dom at larted.org.uk
Organization: Best Practical Solutions, LLC

On Tue, 2012-05-22 at 10:34 -0400, Alex Vandiver wrote:
> Internal audits of the RT codebase have uncovered a number of security
> vulnerabilities in RT.  We are releasing versions 3.8.12 and 4.0.6 to
> resolve these vulnerabilities, as well as patches which apply atop all
> released versions of 3.8 and 4.0.
> 
> [snip]
> In addition to releasing RT versions 3.8.12 and 4.0.6 which address
> these issues, we have also collected patches for all releases of 3.8 and 4.0
> into a distribution available for download at this link:

Sites which are running RT 3.8.x under mod_perl will likely be affected
by a bug introduced by these security patches, which causes outgoing
email to fail.  A hotfix for this bug can be applied via:

   curl https://github.com/bestpractical/rt/commit/b7a5a53.patch | 
     patch -p1 -d /opt/rt3

RT 4.0.x should not be affected by this bug, as 'SetHandler modperl' is
the correct mod_perl deployment option in RT 4.  If you are experiencing
this issue with RT 4.0, simply alter your Apache configuration to use
'SetHandler modperl' instead of 'SetHandler perl-script' for your RT
deployment.

RT 3.8.12 is affected by this bug as well; we are releasing RT 3.8.13
shortly to address this, and suggest that affected users on RT 3.8.12
simply upgrade to RT 3.8.13.  If possible, please test that the
just-released RT 3.8.13rc1 [1] solves the problem.
 - Alex

[1] http://download.bestpractical.com/pub/rt/devel/rt-3.8.13rc1.tar.gz





----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
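
A check for the handler setting the forwarded announcement refers to, added here as an example and not part of the original message or of RT: it lists each SetHandler directive in an Apache configuration file with its enclosing section and marks 'perl-script' for review. The sample configuration, its host name and paths, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# sample_conf: constructed Apache configuration used as test input.
sample_conf() {
cat <<'EOF'
# Constructed sample, not taken from a real deployment
<VirtualHost *:80>
    ServerName rt.example.com
    <Location /rt>
        SetHandler perl-script
        PerlResponseHandler RT::Mason
    </Location>
    <Location /rt4>
        SetHandler modperl
        PerlResponseHandler Plack::Handler::Apache2
    </Location>
    <Location /NoAuth/images>
        SetHandler default-handler
    </Location>
</VirtualHost>
EOF
}

# rt_handler_report [FILE]: reads FILE (or stdin) and prints one tab-separated
# line per SetHandler directive: line number, enclosing section, handler, verdict.
rt_handler_report() {
    awk '
    {
        line = $0; sub(/^[ \t]+/, "", line)   # strip indentation
        if (line == "" || line ~ /^#/) next    # skip blanks and comments
        low = tolower(line)                    # directives are case-insensitive
    }
    low ~ /^<\// { if (depth > 0) depth--; next }   # closing tag: leave section
    low ~ /^</ {                                    # opening tag: enter section
        sec = line; sub(/^</, "", sec); sub(/>[ \t]*$/, "", sec)
        stack[++depth] = sec; next
    }
    low ~ /^sethandler[ \t]/ {
        split(low, f, /[ \t]+/)
        handler = f[2]; gsub(/"/, "", handler)      # drop optional quoting
        verdict = (handler == "perl-script") ? "CHECK" : "ok"
        where = (depth > 0) ? stack[depth] : "(top level)"
        printf "%d\t%s\t%s\t%s\n", NR, where, handler, verdict
    }
    ' "${1:--}"
}

sample_conf | rt_handler_report
```

The function reads a single file and does not follow Include directives, so run it over each configuration file that Apache loads.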




