If you are running RT 3 under mod_fastcgi, you may be vulnerable to the FCGI module's CVE-2011-2766. The vulnerability affects FCGI versions 0.70 through 0.73, inclusive; you can determine whether you are running an affected version by running:

    perl -MFCGI -le 'print "FCGI version $FCGI::VERSION"'
Version 0.70 of FCGI, released March 22, 2010, introduced a bug in this interface, wherein the environment of the very first request to the FastCGI child was copied into all subsequent requests. Among other things, this means that the cookies of the first request were seen by all subsequent requests that did not themselves specify a cookie.

We recommend affected users upgrade their version of FCGI to version 0.74, which was released on September 24, 2011. In most deployments, you can accomplish this by running, as root:

    cpan FCGI

You will then need to restart your Apache server.

We intend to release RT 3.8.11rc1 shortly, which will include a dependency on FCGI 0.74 or higher. No security changes are required to RT; this release will simply bump the required version of FCGI.

RT 4 does not use the vulnerable API, and as such is not affected by this vulnerability. Deployments using mod_fcgid instead of mod_fastcgi are not vulnerable, nor are deployments where RT is run as an external FastCGI server. Deployments using mod_perl or standalone are also unaffected.

- Alex
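The following is an added illustration, not code from RT or from the FCGI module. It does two things the advisory above describes: it classifies a FCGI $VERSION string against the affected 0.70 to 0.73 range (optionally reading the installed version with the same perl one-liner the advisory gives), and it models the bug itself as a persistent FastCGI child handling a sequence of requests, so that the cookie leak can be checked with a two-request probe (first request carries a cookie, second does not). The "buggy" model assumes that later requests overlay their own variables on the retained first-request environment, which is what the advisory's description implies; the request environments and cookie values are constructed sample data.

```python
"""Model of the FCGI 0.70-0.73 environment-reuse bug (CVE-2011-2766).

Added example, not FCGI's own code.  A FastCGI child is modelled as an
object that handles one request environment (the CGI variables the web
server passes, such as HTTP_COOKIE) at a time and returns the environment
the application would observe for that request.
"""
from __future__ import annotations

import shutil
import subprocess
from decimal import Decimal, InvalidOperation
from typing import Optional


def fcgi_version_is_affected(version: str) -> bool:
    """True if a FCGI $VERSION string falls in the affected 0.70..0.73 range.

    Decimal is used instead of float so that boundary versions compare exactly.
    """
    try:
        v = Decimal(version.strip())
    except InvalidOperation:
        raise ValueError(f"unrecognised FCGI version string: {version!r}")
    return Decimal("0.70") <= v <= Decimal("0.73")


def installed_fcgi_version() -> Optional[str]:
    """Return the installed FCGI version via perl, or None if perl/FCGI is absent.

    Uses the same one-liner as the advisory; only the print format differs.
    """
    if shutil.which("perl") is None:
        return None
    proc = subprocess.run(
        ["perl", "-MFCGI", "-e", "print $FCGI::VERSION"],
        capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


class BuggyChild:
    """Behaves like FCGI 0.70-0.73 (assumed model): the first request's
    environment is copied and retained; later requests only overlay their own
    variables on top of it, so stale keys such as HTTP_COOKIE survive."""

    def __init__(self) -> None:
        self._env: Optional[dict] = None

    def handle(self, request_env: dict) -> dict:
        if self._env is None:
            self._env = dict(request_env)      # first request: copied and kept
        else:
            self._env.update(request_env)      # later requests: stale keys persist
        return dict(self._env)


class FixedChild:
    """Behaves like FCGI 0.74: every request starts from an empty environment."""

    def handle(self, request_env: dict) -> dict:
        return dict(request_env)


def cookie_leaks(child) -> bool:
    """Two-request probe: does a cookie-less second request still see the
    first request's cookie?  True means the child exhibits the bug."""
    # Constructed sample requests; the cookie value is not a real session id.
    first = {"REQUEST_URI": "/", "HTTP_COOKIE": "session=constructed-a"}
    second = {"REQUEST_URI": "/"}  # deliberately carries no cookie
    child.handle(first)
    seen_by_second = child.handle(second)
    return seen_by_second.get("HTTP_COOKIE") == first["HTTP_COOKIE"]


if __name__ == "__main__":
    ver = installed_fcgi_version()
    if ver is None:
        print("perl or FCGI not available; skipping installed-version check")
    else:
        state = "AFFECTED" if fcgi_version_is_affected(ver) else "not affected"
        print(f"installed FCGI {ver}: {state}")
    print("buggy model leaks cookie:", cookie_leaks(BuggyChild()))
    print("fixed model leaks cookie:", cookie_leaks(FixedChild()))
```

The same two-request probe can be applied to a real deployment by sending one request with a cookie and a second without, and checking whether the application sees a cookie on the second; the model simply makes the expected outcomes explicit for the buggy and fixed versions.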
_______________________________________________
RT-Announce mailing list
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce
