Re: [rt-users] [rt-announce] Security vulnerabilities in RT

2012-05-22 Thread Alex Vandiver
On Tue, 2012-05-22 at 10:34 -0400, Alex Vandiver wrote:
 In addition to releasing RT versions 3.8.12 and 4.0.6 which address
 these issues, we have also collected patches for all releases of 3.8 and 4.0
 into a distribution available for download at this link:
 
 http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz
 http://download.bestpractical.com/rt/release/security-2012-05-22.tar.gz.asc

It has been brought to our attention that the patchset requires version
0.68 or higher of FCGI.pm if you are running a FastCGI deployment.  A
too-low version of this module will manifest as outgoing mail failing to
be sent, and errors in the logs resembling:

  Could not send mail with command `[...]`:
  Can't locate object method FILENO via package FCGI::Stream

RT 3.8.11 and 4.0.5 already require version 0.75 or higher, to ensure
that you are protected from CVE-2011-2766, which affects mod_fastcgi:
http://lists.bestpractical.com/pipermail/rt-announce/2011-October/000196.html

 - Alex
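
A way to check an RT host against the two FCGI.pm minimums named in this message (0.68 for the patchset, 0.75 as required by RT 3.8.11 and 4.0.5) and to count the mail-failure symptom in a log. This is an added example, not part of the original message or of RT's own code; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Thresholds and error text come from the mail above;
# all function names are hypothetical.

# Print the installed FCGI.pm version, or nothing if the module is absent.
fcgi_installed_version() {
    perl -MFCGI -e 'print $FCGI::VERSION' 2>/dev/null
}

# version_ge A B: succeed when decimal version A >= B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN { exit !((a + 0) >= (b + 0)) }'
}

# Classify an FCGI.pm version against the two minimums in the mail.
fcgi_status() {
    v=$1
    if [ -z "$v" ]; then
        echo "missing"
    elif ! version_ge "$v" 0.68; then
        echo "too-old-for-patchset"      # outgoing mail will fail under FastCGI
    elif ! version_ge "$v" 0.75; then
        echo "patchset-ok-below-0.75"    # below what 3.8.11 / 4.0.5 require
    else
        echo "ok"
    fi
}

# Count lines on stdin that show the symptom of a too-low FCGI.pm.
# The pattern tolerates the quotes Perl normally prints around the names.
count_fileno_errors() {
    grep -c "Can't locate object method.*FILENO.*FCGI::Stream" || true
}

# Constructed sample log lines (not real RT output) for trying the scanner.
sample_log() {
    cat <<'EOF'
[crit]: Could not send mail with command `[...]`: Can't locate object method FILENO via package FCGI::Stream
[info]: Ticket 1 created in queue General
[crit]: Could not send mail with command `[...]`: Can't locate object method "FILENO" via package "FCGI::Stream"
EOF
}
```

On the RT host, run `fcgi_status "$(fcgi_installed_version)"` and pipe the RT log into `count_fileno_errors`.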



Re: [rt-users] [Rt-announce] Security vulnerabilities in RT

2011-04-14 Thread Alex Vandiver
On Thu, 2011-04-14 at 10:18 -0400, Murphy, Kevin wrote:
 Just to clarify: after applying the patch to 3.8.9, do I have 3.8.10?
 The page footer and system configuration page still say 3.8.9 and
 don't mention the patch.

No.  The security patchsets are a minimal set of security patches which
do not include the other bugfixes in 3.8.10.
 - Alex