On Fri, 2014-04-18 at 16:35 +0000, Percynski, Fred wrote:
> I haven’t seen anything on this mailing list, or on the Best Practical
> web site, that discusses the Heartbleed vulnerability.
>
> Does RT use OpenSSL in any way?
RT does not use OpenSSL in any way that is vulnerable. While RT 4.2 does use OpenSSL directly when decoding S/MIME encrypted mail, this process does not involve TLS -- hence the vulnerability in the Heartbeat extension of TLS does not apply.

That being said, there are a number of external services that RT interacts with which may use OpenSSL in an affected manner. Restarting those services after updating your OpenSSL libraries is sufficient to close the vulnerability. The ways in which RT may interact with vulnerable services include such things as:

1. Your webserver (Apache, nginx, etc.) may use OpenSSL to implement TLS negotiation for HTTPS connections.

2. Your database may use OpenSSL to implement TLS negotiation to secure the connection that RT uses to speak to the database. This is the case if the RT configuration option $DatabaseRequireSSL is set.

3. Your LDAP server (OpenLDAP) may use OpenSSL to implement TLS negotiation to secure the connection that RT::Authen::ExternalAuth or RT::Extension::LDAPImport uses to acquire LDAP data.

4. Your mail server (postfix, exim, etc.) may use OpenSSL to implement TLS negotiation over SMTP when speaking to remote mailservers.

In all of the above cases, restarting the affected server after updating the OpenSSL libraries is sufficient to close the vulnerability. You may wish to also generate new SSL certificates, in the light of the fact that the vulnerability has been successfully used to acquire SSL private keys, and multiple automated tools to do so have been released.

> My server had a vulnerable version of OpenSSL installed at the time RT
> was compiled. I would like to know if RT needs to be
> recompiled/upgraded now that OpenSSL has been patched.

RT is written in perl; as such, it is not compiled, and no changes need to be made to RT itself to close the vulnerability. See above concerning other related services which may be affected, of course.

 - Alex

-- 
RT Training - Dallas May 20-21
http://bestpractical.com/training
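The reply above says the fix is to update OpenSSL and then restart every service around RT (web server, database, LDAP, MTA) that links it. The easy mistake is to upgrade the package and miss a daemon that still has the old library mapped. The following check is an added example by the editor, not code from Alex's reply or from RT itself; it assumes a Linux /proc layout, where a shared object that has been replaced on disk shows up in a process's maps file with a trailing "(deleted)" marker. The function name find_stale_ssl and the --scan flag are the editor's own choices.

```shell
#!/bin/sh
# find_stale_ssl: list processes whose address space still maps a libssl or
# libcrypto that has since been replaced on disk. Such processes are still
# running the pre-upgrade OpenSSL code and must be restarted.
#
# $1 is the proc root (default /proc). It is a parameter only so the logic
# can be exercised against a constructed directory tree; in real use leave
# it at the default. Output is one "PID command" line per affected process.
find_stale_ssl() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes we cannot inspect (no permission) and an unmatched glob.
        [ -r "$maps" ] || continue
        pid="${maps#"$proc_root"/}"
        pid="${pid%/maps}"
        # A mapping line ends in "(deleted)" when the file backing it was
        # unlinked or replaced, which is what a package upgrade does.
        if grep -E '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" >/dev/null 2>&1; then
            comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
    return 0
}

# When run as a script with --scan, inspect the live system. Run as root so
# every process's maps file is readable; otherwise daemons owned by other
# users are silently skipped and the report is incomplete.
case "${1:-}" in
    --scan) find_stale_ssl /proc ;;
esac
```

Run `sudo sh find_stale_ssl.sh --scan` after the OpenSSL upgrade and restart whatever it lists (or reboot if it lists init). An empty report is only meaningful when run as root, and it says nothing about binaries that link OpenSSL statically, which have to be reinstalled from rebuilt packages rather than merely restarted.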
