[Fwd: [rt-users] Security vulnerability in RT 3.0 and up]

Hmmmm. Is this something Catalyst needs to worry about?

--[Lance]
--
GPG Fingerprint: 409B A409 A38D 92BF 15D9 6EEE 9A82 F2AC 69AC 07B9
CACert.org Assurer

All versions of RT from 3.0.0 to 3.6.6 (including some, but not all, RT 3.7 development releases) are vulnerable to a potential remote denial of service attack which could exhaust virtual memory or consume all available CPU resources. After a detailed analysis, we believe that an attacker would need to be a 'Privileged' RT user in order to perform an attack.

We recommend that you install version 1.19 or newer of the Perl module Devel::StackTrace from CPAN, which will close the vulnerability. Two methods for doing this are:

 * Using the CPAN shell - as root, run the following:

   # cpan Devel::StackTrace

 * Download and install the package by hand - as root, run the following:

   # wget http://www.cpan.org/authors/id/D/DR/DROLSKY/Devel-StackTrace-1.1901.tar.gz
   # tar xvzf Devel-StackTrace-1.1901.tar.gz
   # cd Devel-StackTrace-1.1901
   # perl Makefile.PL
   # make
   # make test
   # make install

Installing this newer version of the module is a complete fix, and will close the vulnerability. However, we suggest that you upgrade to RT 3.6.7, released last Monday, which provides additional safeguards against this type of attack.

We wish to thank Rune Hammersland <rune.hammersland@...> for bringing this issue to our attention in a diligent and professional manner, and Dave Rolsky <autarch@...> for working with us to resolve the issue in the libraries that RT uses.

If you need help resolving this issue locally, we will provide significantly discounted pricing for single-incident support. Please contact us at sales@... for more information.

_______________________________________________
RT-Announce mailing list
RT-Announce@...
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce

_______________________________________________
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sales@...
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com

_______________________________________________
List: Catalyst@...
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@.../
Dev site: http://dev.catalyst.perl.org/
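The forwarded advisory names Devel::StackTrace 1.19 as the fixed version. The script below is an added example, not part of the thread or of the RT or Devel::StackTrace projects: it reads the installed module version (via `$Devel::StackTrace::VERSION`, the standard Perl convention) and reports whether it is older than 1.19. It assumes plain decimal Perl version numbers such as 1.18 or 1.1901 (not dotted v-strings), so a numeric comparison is sufficient, and it prints "missing" when the module is not installed at all.

```shell
#!/bin/sh
# Added example (not from the thread): is the local Devel::StackTrace
# older than 1.19, the version the RT advisory names as the fix?
# Assumption: decimal Perl version numbers (1.18, 1.19, 1.1901, ...),
# which compare correctly as plain numbers.

# Returns 0 (true) when the given version string is below 1.19, 1 otherwise.
stacktrace_needs_upgrade() {
    ver="${1#v}"   # tolerate a leading "v"; dotted v-strings are out of scope
    awk -v v="$ver" 'BEGIN { if (v + 0 < 1.19) exit 0; exit 1 }'
}

# Print the installed module version, or "missing" when perl cannot load it.
installed_stacktrace_version() {
    perl -MDevel::StackTrace -e 'print $Devel::StackTrace::VERSION' 2>/dev/null \
        || echo missing
}

# Classify a version string as "vulnerable", "fixed" or "missing".
classify_stacktrace() {
    case "$1" in
        missing) echo missing ;;
        *)
            if stacktrace_needs_upgrade "$1"; then
                echo vulnerable
            else
                echo fixed
            fi
            ;;
    esac
}

# Stand-alone run: report on the local installation.
v=$(installed_stacktrace_version)
echo "Devel::StackTrace $v: $(classify_stacktrace "$v")"
```

Run it on each host that serves RT (or any Perl application that stringifies Devel::StackTrace objects, as Dave's replies below describe); a "vulnerable" result means the advisory's upgrade step has not been applied on that machine.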
Re: [Fwd: [rt-users] Security vulnerability in RT 3.0 and up]

On Mon, 23 Jun 2008, Lance A. Brown wrote:

> Hmmmm. Is this something Catalyst needs to worry about?

The case to tickle this particular bug is that you need to pass bad UTF8 to a sub that's in the call chain and then generate a Devel::StackTrace object and then try to stringify that object. Also, this only affects some versions of Perl.

So, the short answer is that this is unlikely to be a problem for most applications out there. RT, amazingly, happened to do exactly the sequence of things I described above.

It certainly will not hurt to upgrade your copy of Devel::StackTrace, however.

-dave

/*==========================
VegGuide.Org
Your guide to all that's veg
==========================*/
Re: [Fwd: [rt-users] Security vulnerability in RT 3.0 and up]

On Mon, Jun 23, 2008 at 01:17:15PM -0400, Lance A. Brown wrote:

> Hmmmm. Is this something Catalyst needs to worry about?

StackTrace only activates for Catalyst in debug mode. If you're deploying your app publicly in debug mode, you have more than this to worry about (like exceptions showing your DBI connect info :)

--
      Matt S Trout       Need help with your Catalyst or DBIx::Class project?
   Technical Director                    http://www.shadowcat.co.uk/catalyst/
 Shadowcat Systems Ltd.  Want a managed development or deployment platform?
http://chainsawblues.vox.com/            http://www.shadowcat.co.uk/servers/
Re: [Fwd: [rt-users] Security vulnerability in RT 3.0 and up]

On Sun, 20 Jul 2008, Matt S Trout wrote:

> On Mon, Jun 23, 2008 at 01:17:15PM -0400, Lance A. Brown wrote:
>> Hmmmm. Is this something Catalyst needs to worry about?
>
> StackTrace only activates for Catalyst in debug mode.

But if you're writing Mason views, Mason uses Devel::StackTrace internally.

-dave

/*==========================
VegGuide.Org
Your guide to all that's veg
==========================*/