
[Fwd: [rt-users] Security vulnerability in RT 3.0 and up]

by Lance A. Brown

Hmmmm. Is this something Catalyst needs to worry about?

--[Lance]

--
  GPG Fingerprint: 409B A409 A38D 92BF 15D9 6EEE 9A82 F2AC 69AC 07B9
  CACert.org Assurer

All versions of RT from 3.0.0 to 3.6.6 (including some, but not all RT
3.7 development releases) are vulnerable to a potential remote denial
of service attack which could exhaust virtual memory or consume all
available CPU resources.  After a detailed analysis, we believe that
an attacker would need to be a 'Privileged' RT user in order to
perform an attack.

We recommend that you install version 1.19 or newer of the Perl module
Devel::StackTrace from CPAN, which will close the vulnerability.  Two
methods for doing this are:

* Using the CPAN shell - as root, run the following:

       # cpan Devel::StackTrace

* Download and install the package by hand - as root, run the
  following:

       # wget http://www.cpan.org/authors/id/D/DR/DROLSKY/Devel-StackTrace-1.1901.tar.gz
       # tar xvzf Devel-StackTrace-1.1901.tar.gz
       # cd Devel-StackTrace-1.1901
       # perl Makefile.PL
       # make
       # make test
       # make install

Installing this newer version of the module is a complete fix, and
will close the vulnerability.  However, we suggest that you upgrade to
RT 3.6.7, released last Monday, which provides additional safeguards
against this type of attack.

We wish to thank Rune Hammersland <rune.hammersland@...> for
bringing this issue to our attention in a diligent and professional
manner, and Dave Rolsky <autarch@...> for working with us to
resolve the issue in the libraries that RT uses.

If you need help resolving this issue locally, we will provide
significantly discounted pricing for single-incident support.  Please
contact us at sales@... for more information.


_______________________________________________
RT-Announce mailing list
RT-Announce@...
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce

_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@...


Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
_______________________________________________
List: Catalyst@...
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@.../
Dev site: http://dev.catalyst.perl.org/
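Before running either of the installation methods the advisory gives, it is worth knowing whether a host is affected at all. The script below is an added example, not part of the advisory, of RT, or of Devel::StackTrace; it asks Perl for the installed Devel::StackTrace version and compares it against the 1.19 floor the advisory names. It assumes `perl` is on PATH and that the module exposes a plain numeric `$Devel::StackTrace::VERSION` (CPAN releases such as 1.1901 do, which is why the comparison is numeric rather than string-wise: "1.2" and "1.1901" both satisfy ">= 1.19"). The file name `check_devel_stacktrace.sh` used in the guard at the bottom is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed
# Devel::StackTrace meets the 1.19 floor that closes the RT denial of
# service. Assumes `perl` is on PATH and that the module carries a plain
# numeric $VERSION, as CPAN releases such as 1.1901 do.

REQUIRED_DST_VERSION=1.19

# version_ge A B: succeed (exit 0) when A >= B.
# CPAN numeric versions are decimals, so "1.1901" >= "1.19" and
# "1.2" >= "1.19" must both hold; awk compares them as numbers,
# which a string comparison would get wrong.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !(a + 0 >= b + 0) }'
}

# installed_dst_version: print the module version, or print nothing and
# fail when the module cannot be loaded (absent, or perl missing).
installed_dst_version() {
    perl -MDevel::StackTrace -e 'print $Devel::StackTrace::VERSION' 2>/dev/null
}

# assess_dst_version VERSION: print a verdict and return
#   0 = fixed version present, 1 = vulnerable, 2 = module not found.
assess_dst_version() {
    v="$1"
    if [ -z "$v" ]; then
        echo "Devel::StackTrace: not found (install >= $REQUIRED_DST_VERSION, e.g. cpan Devel::StackTrace)"
        return 2
    fi
    if version_ge "$v" "$REQUIRED_DST_VERSION"; then
        echo "Devel::StackTrace $v: at or above $REQUIRED_DST_VERSION, fix in place"
        return 0
    fi
    echo "Devel::StackTrace $v: below $REQUIRED_DST_VERSION, vulnerable; run: cpan Devel::StackTrace"
    return 1
}

# Entry point: check the live installation and exit with its verdict.
main() {
    assess_dst_version "$(installed_dst_version)"
}

# Run the check only when executed as check_devel_stacktrace.sh (assumed
# file name), so the functions can also be sourced into other scripts.
case "$0" in
    *check_devel_stacktrace.sh) main ;;
esac
```

Run it as `sh check_devel_stacktrace.sh` on each RT host; exit status 1 means the module needs upgrading and 2 means Perl could not load it at all, which on an RT box usually indicates the wrong `perl` is on PATH rather than a missing module.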

