[interchange-bugs] [rt.icdevgroup.org #316] Upgrade to RT 3.8.5

Jon Jensen via RT setup at rt.icdevgroup.org
Mon Sep 14 19:54:35 UTC 2009


Mon Sep 14 19:54:34 2009: Request 316 was acted upon.
Transaction: Ticket created by jon
       Queue: RT Setup
     Subject: Upgrade to RT 3.8.5
       Owner: Nobody
  Requestors: jon at endpoint.com
      Status: new
 Ticket <URL: http://rt.icdevgroup.org/Ticket/Display.html?id=316 >


Date: Mon, 14 Sep 2009 15:27:35 -0400
From: Kevin Falcone <falcone at bestpractical.com>
To: rt-announce at lists.bestpractical.com
Subject: [Rt-announce] RT 3.8.5 Released
Message-ID: <20090914192735.GL724 at jibsheet.com>
User-Agent: Mutt/1.5.20 (2009-06-14)

This release of RT-3.8.5 contains an important security fix.

You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.5.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.5.tar.gz.sig

SHA1 checksums

26854e1a34052a2a922dc0ff533056f782813ea7 rt-3.8.5.tar.gz
96fcf9d75ce293d019bdcd0865495c6b2ac18534 rt-3.8.5.tar.gz.sig

During a routine internal audit, it was determined that all versions of
RT from 3.4.6 to 3.8.4 are vulnerable to an escaping bug in the display
of Custom Fields that could allow injection of JavaScript into the RT
UI.

This bug is only exploitable if you have a Custom Field that accepts
data from an end user (such as Enter one Value, or Fill in one text
area). It does not affect 'select one value' fields. In addition, you
must allow malicious users to set these custom fields, either through
the Web UI (SelfService) or through an automated parsing script such as
RT-Extension-ExtractCustomFieldValues, RT-Extension-CommandByMail or a
local parsing modification.

If you do not allow external users to set Custom Field values and the
only users who have ModifyCustomField are your Privileged users, then
the impact of this is limited to one of your trusted users attacking the
system.

I have attached patches for the 3.4, 3.6 and 3.8 branches of RT
in case you do not wish to upgrade at this time.

You can apply these patches as follows:

RT 3.4

cd /opt/rt3/share
patch -p1 < /path/to/RT-3.4-escape_custom_field_value.patch

RT 3.6

cd /opt/rt3/share
patch -p1 < /path/to/RT-3.6-escape_custom_field_value.patch

RT 3.8

cd /opt/rt3/
patch -p1 < /path/to/RT-3.8-escape_custom_field_value.patch

You should then clear your Mason cache:
# rm -rf /opt/rt3/var/mason_data/obj/*

and restart your webserver; this is often accomplished with

# /etc/init.d/httpd restart
or
# /etc/init.d/apache restart
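
Added example, not part of the original announcement and not code from RT or Best Practical: a shell helper that checks the downloaded tarball and .sig file against the SHA1 values listed in the announcement before anything is unpacked or patched. The function names and the manifest file name (SHA1SUMS) are assumptions; the manifest is the two checksum lines from the announcement saved to a file.

```shell
#!/bin/sh
# Added example. sha1_of and verify_manifest are hypothetical helper names.

# Print the SHA-1 of a file using whichever common tool is installed.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# verify_manifest MANIFEST [DIR]
# MANIFEST holds "<sha1> <filename>" lines as printed in the announcement.
# Returns 0 only if every listed file exists in DIR and matches its digest.
verify_manifest() {
    manifest=$1
    dir=${2:-.}
    rc=0
    seen=0
    while read -r want name || [ -n "$want" ]; do
        [ -n "$want" ] || continue              # skip blank lines
        seen=$((seen + 1))
        case $name in
            ''|*/*) echo "REJECT   '$name' (bare file names only)" >&2
                    rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(sha1_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2; rc=1
        fi
    done < "$manifest"
    [ "$seen" -gt 0 ] || rc=1                   # empty manifest verifies nothing
    return "$rc"
}
```

Call it as `verify_manifest SHA1SUMS .` in the download directory and continue only if it exits with status 0.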


