RT: Request Tracker

RT 4.4.2 Release Notes

RT 4.4.2rc2 -- 2017-06-15

We're pleased to announce the availability of the second release
candidate for RT 4.4.2. This release candidate introduces several
important security fixes; you can find out more information on our
rt-announce mailing list post:


See the 4.4.2rc1 announcement for a list of changes to be included in
4.4.2; what follows is only the new changes in rc2 since rc1.


SHA-256 sums

cc8d6ae083ef93d3ffb7862bac0d3ad0d0446cd6ad2150d485f521b2b5c367b8  rt-4.4.2rc2.tar.gz
d1ecc55176f5ec21e66aeb21b032dcc5e6d2ab7cd8c86aff21499f736af2a9e3  rt-4.4.2rc2.tar.gz.asc

 - Shawn M Moore, for Best Practical

RT 4.0.0 and above are vulnerable to an information leak of cross-site
request forgery (CSRF) verification tokens if a user visits a specific
URL crafted by an attacker. This vulnerability is assigned
CVE-2017-5943. It was discovered by a third-party security researcher.

RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
if an attacker uploads a malicious file with a certain content type.
Installations which use the AlwaysDownloadAttachments config setting are
unaffected. This fix addresses all existant and future uploaded
attachments. This vulnerability is assigned CVE-2016-6127. This was
responsibly disclosed to us first by Scott Russo and the GE Application
Security Assessment Team.

One of RT's dependencies, a Perl module named Email::Address, has a
denial of service vulnerability which could induce a denial of service
of RT itself. We recommend administrators install Email::Address version
1.908 or above, though we additionally provide a new workaround within
RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
vulnerability's application to RT was brought to our attention by Pali

RT 4.0.0 and above are vulnerable to timing side-channel attacks for
user passwords. By carefully measuring millions or billions of login
attempts, an attacker could crack a user's password even over the
internet. RT now uses a constant-time comparison algorithm for secrets
to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
This was responsibly disclosed to us by Aaron Kondziela.

RT's ExternalAuth feature is vulnerable to a similar timing side-channel
attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
extension, as well as the core ExternalAuth feature in RT 4.4 are
vulnerable. Installations which don't use ExternalAuth, or which use
ExternalAuth for LDAP/ActiveDirectory authentication, or which use
ExternalAuth for cookie-based authentication, are unaffected. Only
ExternalAuth in DBI (database) mode is vulnerable.

RT 4.0.0 and above are potentially vulnerable to a remote code execution
attack in the dashboard subscription interface. A privileged attacker
can cause unexpected code to be executed through carefully-crafted saved
search names. Though we have not been able to demonstrate an actual
attack owing to other defenses in place, it could be possible. This fix
addresses all existant and future saved searches. This vulnerability is
assigned CVE-2017-5944. It was discovered by an internal security audit.

RT 4.0.0 and above have misleading documentation which could reduce
system security. The RestrictLoginReferrer config setting (which has
security implications) was inconsistent with its implementation, which
checked for a slightly different variable name. RT will now check for the
incorrect name and produce an error message. This was responsibly
disclosed to us by Alex Vandiver.

There is an additional change in this release candidate beyond security
fixes, which is that we addressed a bug in the new-in-4.4.2
$SelfServiceCorrespondenceOnly setting which was preventing users from seeing
a ticket's initial "create" message.

A complete changelog is available from git by running:
    git log rt-4.4.2rc1..rt-4.4.2rc2
or visiting