RT: Request Tracker

RT 4.0.25 Release Notes

RT 4.0.25 -- 2017-07-26
=======================

We're pleased to announce the general availability of RT 4.0.25. This
release introduces several important security fixes as well as a handful
of bugfixes. Please be aware that we intend for the 4.0.25 release to be
the final release of the RT 4.0 series and no further security or bug
fixes will be published.

The list of security fixes is included below, followed by other
improvements and bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.0.25.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.0.25.tar.gz.sig

SHA-256 sums

69daa9b9e6c9acb4ca31ec1c3efc8bb4901cc7047eed784f2f91515815fdd4cd  rt-4.0.25.tar.gz
cde49077cb7b125216cb264048fee9ad8961d227c5d24e93d7f7644c88b0a7d6  rt-4.0.25.tar.gz.sig

 - Shawn M Moore, for Best Practical


Security
  * RT 4.0.0 and above are vulnerable to an information leak of cross-site
    request forgery (CSRF) verification tokens if a user visits a specific
    URL crafted by an attacker. This vulnerability is assigned
    CVE-2017-5943. It was discovered by a third-party security researcher.

  * RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
    if an attacker uploads a malicious file with a certain content type.
    Installations which use the AlwaysDownloadAttachments config setting are
    unaffected. This fix addresses all existing and future uploaded
    attachments. This vulnerability is assigned CVE-2016-6127. This was
    responsibly disclosed to us first by Scott Russo and the GE Application
    Security Assessment Team.

  * One of RT's dependencies, a Perl module named Email::Address, has a
    denial of service vulnerability which could induce a denial of service
    of RT itself. We recommend administrators install Email::Address version
    1.908 or above, though we additionally provide a new workaround within
    RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
    vulnerability's application to RT was brought to our attention by Pali
    Rohár.

  * RT 4.0.0 and above are vulnerable to timing side-channel attacks for
    user passwords. By carefully measuring millions or billions of login
    attempts, an attacker could crack a user's password even over the
    internet. RT now uses a constant-time comparison algorithm for secrets
    to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
    This was responsibly disclosed to us by Aaron Kondziela.

  * RT's ExternalAuth feature is vulnerable to a similar timing side-channel
    attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
    extension, as well as the core ExternalAuth feature in RT 4.4 are
    vulnerable. Installations which don't use ExternalAuth, or which use
    ExternalAuth for LDAP/ActiveDirectory authentication, or which use
    ExternalAuth for cookie-based authentication, are unaffected. Only
    ExternalAuth in DBI (database) mode is vulnerable.
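The following added example (not RT's own code) illustrates the timing side channel behind the password fix and the ExternalAuth DBI fix above: an early-exit comparison stops at the first mismatching byte, so the work it does reveals how long the matching prefix is, whereas an XOR-accumulating comparison touches every byte regardless. Instead of timing, each function reports how many bytes it examined; the stored secret and the guesses are constructed sample values.

```python
import hmac
from typing import Tuple

# Constructed sample secret; in practice compare fixed-length password
# hashes rather than raw passwords so the length check leaks nothing useful.
STORED = b"correct horse battery staple"

# Constructed guesses: no matching prefix, 8-byte matching prefix, exact match.
GUESSES = [b"x" * len(STORED), b"correct " + b"x" * 20, STORED]


def compare_early_exit(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Vulnerable pattern: returns on the first mismatch.

    Returns (equal, bytes_examined); bytes_examined grows with the length
    of the matching prefix, which is what an attacker measures via timing.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def compare_constant_time(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Hardened pattern: OR together the XOR of every byte pair.

    Work done is independent of where (or whether) a mismatch occurs.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def compare_stdlib(a: bytes, b: bytes) -> bool:
    """What to use in real code: the standard library's constant-time compare."""
    return hmac.compare_digest(a, b)


def prefix_leak(compare, stored: bytes, guesses) -> list:
    """How many bytes compare() examined for each guess against stored."""
    return [compare(stored, g)[1] for g in guesses]
```

Running prefix_leak with compare_early_exit yields [1, 9, 28] for the three guesses, while compare_constant_time yields [28, 28, 28].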

  * RT 4.0.0 and above are potentially vulnerable to a remote code execution
    attack in the dashboard subscription interface. A privileged attacker
    can cause unexpected code to be executed through carefully-crafted saved
    search names. Though we have not been able to demonstrate an actual
    attack owing to other defenses in place, it could be possible. This fix
    addresses all existing and future saved searches. This vulnerability is
    assigned CVE-2017-5944. It was discovered by an internal security audit.

  * RT 4.0.0 and above have misleading documentation which could reduce
    system security. The RestrictLoginReferrer config setting (which has
    security implications) was inconsistent with its implementation, which
    checked for a slightly different variable name. RT will now check for the
    incorrect name and produce an error message. This was responsibly
    disclosed to us by Alex Vandiver.

General user UI
  * Make sub-menus accessible on screen-readers
  * Respect the user's chosen units for Time Worked across page loads, instead
    of always defaulting to minutes (I#17985)
  * In Jumbo, preserve ticket basics so in-progress changes persist after
    returning to the page
  * Fix a regression in 4.0.20 which caused some users to have
    blank homepages (I#30106)
  * Include the new Request Tracker logo

Database
  * We now correctly shred ObjectCustomFields records when shredding a
    CustomField

Server Administration
  * Avoid issues with dual-life module installation on older, patched perls
  * Explicitly depend on Class::Accessor::Fast, not Class::Accessor
  * Fix potential upgrade failure in e.g. etc/upgrade/upgrade-articles
  * Avoid regex deprecation warnings on perl 5.21.1+
  * Avoid issues with modern Perl versions excluding ./ from @INC
  * Avoid broken DateTime::Locale versions (I#31542)
  * Avoid incompatible DBD::mysql version (I#32670)

Developer
  * Fix RT::Attribute->DeleteSubValue
  * Remove duplicated content-encoding handling in OriginalContent

Documentation
  * Update links to the RT wiki
  * Update mailing list references to point to community forum

Internationalization
  * Update translations for: Arabic, Catalan, Czech, Occitan, Persian,
    Serbian, and Slovak

A complete changelog is available from git by running:
    git log rt-4.0.24..rt-4.0.25
or visiting
    https://github.com/bestpractical/rt/compare/rt-4.0.24...rt-4.0.25