All versions of RT from 3.0.0 to 3.6.6 (including some, but not all RT 3.7 development releases) are vulnerable to a potential remote denial of service attack which could exhaust virtual memory or consume all available CPU resources. After a detailed analysis, we believe that an attacker would need to be a 'Privileged' RT user in order to perform an attack.
We recommend that you install version 1.19 or newer of the Perl module Devel::StackTrace from CPAN, which will close the vulnerability. Two methods for doing this are:

* Using the CPAN shell - as root, run the following:

    # cpan Devel::StackTrace

* Download and install the package by hand - as root, run the following:

    # wget http://www.cpan.org/authors/id/D/DR/DROLSKY/Devel-StackTrace-1.1901.tar.gz
    # tar xvzf Devel-StackTrace-1.1901.tar.gz
    # cd Devel-StackTrace-1.1901
    # perl Makefile.PL
    # make
    # make test
    # make install

Installing this newer version of the module is a complete fix, and will close the vulnerability. However, we suggest that you upgrade to RT 3.6.7, released last Monday, which provides additional safeguards against this type of attack.

We wish to thank Rune Hammersland <[EMAIL PROTECTED]> for bringing this issue to our attention in a diligent and professional manner, and Dave Rolsky <[EMAIL PROTECTED]> for working with us to resolve the issue in the libraries that RT uses.

If you need help resolving this issue locally, we will provide significantly discounted pricing for single-incident support. Please contact us at [EMAIL PROTECTED] for more information.
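As an added example (not part of the Best Practical advisory), a small POSIX sh audit helper that applies the version ranges above: RT 3.0.0 through 3.6.6 is affected, and Devel::StackTrace 1.19 or newer closes the issue. The perl binary used and the way the RT version is supplied are assumptions, and the partially affected 3.7 development releases are not modelled.

```shell
#!/bin/sh
# Added audit helper (not from the advisory). Assumes the caller supplies
# the RT version (e.g. from $RT::VERSION) and that Devel::StackTrace is
# loadable by the same perl that RT runs under.

# Return 0 if RT version $1 lies in the advisory's affected range
# 3.0.0 .. 3.6.6. 3.7 development releases are not modelled here.
rt_version_affected() {
    # Normalise a.b.c into a single integer a*10000 + b*100 + c
    n=$(echo "$1" | awk -F. '{ printf "%d", $1*10000 + $2*100 + $3 }')
    [ "$n" -ge 30000 ] && [ "$n" -le 30606 ]
}

# Return 0 if Devel::StackTrace version $1 is at least 1.19, the first
# release that closes the vulnerability. CPAN versions such as 1.1901
# are plain decimal numbers, so a numeric comparison is correct.
stacktrace_fixed() {
    awk -v v="$1" 'BEGIN { exit !(v + 0 >= 1.19) }'
}

# Query the installed Devel::StackTrace version with the given perl
# binary (default: perl on PATH); prints "missing" if it cannot load.
installed_stacktrace_version() {
    "${1:-perl}" -MDevel::StackTrace -e 'print $Devel::StackTrace::VERSION' 2>/dev/null || echo missing
}

# Combine both checks into one verdict: RT version $1, module version $2.
audit_host() {
    rt_ver=$1; st_ver=$2
    if ! rt_version_affected "$rt_ver"; then
        echo "not affected: RT $rt_ver outside 3.0.0-3.6.6"
    elif [ "$st_ver" != missing ] && stacktrace_fixed "$st_ver"; then
        echo "mitigated: Devel::StackTrace $st_ver >= 1.19"
    else
        echo "VULNERABLE: RT $rt_ver with Devel::StackTrace $st_ver"
    fi
}

# Constructed sample runs; on a real host pass the live values, e.g.
#   audit_host "$RT_VERSION" "$(installed_stacktrace_version /usr/bin/perl)"
audit_host 3.6.6 1.18
audit_host 3.6.6 1.1901
audit_host 3.6.7 1.18
```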