rt3 <= 3.6.6 is vulnerable to a DoS attack through the perl-Devel-StackTrace < 1.19 vector. This and rt 3.6.7 are needed to fully fix the security issue. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3502 and http://lists.bestpractical.com/pipermail/rt-announce/2008-June/000158.html for details.
If I understand correctly, the vulnerability is in perl-Devel-StackTrace. Fedora 9-11 already come with Devel-StackTrace-1.20 => should not be affected by this vulnerability. Fedora 10 and 11's rt3 is currently at 3.8.x => should also not be affected. Leaves Fedora 9's rt3, which is at 3.6.6. Upgrading FC9's rt3 to rt-3.8.x is hardly possible due to rt having once again changed its database format and because there is no known way to automatically reformat the database from inside of rpm. Whether upgrading it to 3.6.7 is possible needs to be analyzed. I'd rather avoid doing so.
(In reply to comment #1)
> If I understand correctly, the vulnerability is in perl-Devel-StackTrace.
>
> Fedora 9-11 already come with Devel-StackTrace-1.20
> => should not be affected by this vulnerability.

The vulnerability is in Devel::StackTrace, the bells and whistles are in rt3 3.6.7.

> Fedora 10 and 11's rt3 currently is at 3.8.x => should also not be affected.

That's why I filed a bug against rt3 F9 too.

> Leaves Fedora 9's rt3, which is at 3.6.6. Upgrading FC9's rt3 to rt-3.8.x is
> hardly possible due to rt once again changed having its database format and
> because there is no known way to automatically reformat the database from
> inside of rpm.

Yes, upgrading between major rt3 releases is not possible, at least not automagically, so no way to do that in a stable release.

> Whether upgrading it to 3.6.7 is possible, needs to be analyzed. I'd rather
> avoid doing so.

There's no database change nor any caveat mentioned in the changelog and we've successfully done some basic update tests. We've yet to try with a production database though.
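The version reasoning in the two comments above (rt3 <= 3.6.6 is affected, perl-Devel-StackTrace < 1.19 carries the vulnerable code, rt3 3.6.7 adds the rest of the fix) can be turned into a quick triage check. The following is an added example, not code from the bug report, RT or Fedora; it parses constructed `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output (the release tags are made up) and reports whether the installed pairing is affected.

```python
import re

# Thresholds taken from the report: rt3 <= 3.6.6 is affected, and the
# vulnerable code lives in perl-Devel-StackTrace < 1.19.
RT3_LAST_AFFECTED = (3, 6, 6)
STACKTRACE_FIRST_FIXED = 1.19

# Constructed sample of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`
# output. Release tags are hypothetical and not taken from the report.
SAMPLE_RPM_OUTPUT = """\
rt3-3.6.6-2.fc9
perl-Devel-StackTrace-1.20-1.fc9
"""


def parse_version(name, text):
    """Perl module versions such as 1.19/1.20 are decimal (1.9 == 1.90), so
    compare them as floats; rt3 uses dotted integers, so compare tuples."""
    if name == "perl-Devel-StackTrace":
        return float(text)
    return tuple(int(p) for p in text.split("."))


def parse_rpm_lines(output):
    """Map package name -> parsed version from NAME-VERSION-RELEASE lines."""
    pkgs = {}
    for line in output.splitlines():
        m = re.match(r"^(.+)-([0-9][0-9.]*)-([^-]+)$", line.strip())
        if m:
            pkgs[m.group(1)] = parse_version(m.group(1), m.group(2))
    return pkgs


def assess(pkgs):
    """Return (verdict, reason) for the installed rt3 / Devel::StackTrace pair.

    Verdicts: not-installed, fixed, stacktrace-fixed, vulnerable.
    'stacktrace-fixed' means the vulnerable module is already updated but
    rt3 is still at or below 3.6.6, so the rt3 3.6.7 update is still wanted.
    """
    rt = pkgs.get("rt3")
    st = pkgs.get("perl-Devel-StackTrace")
    if rt is None:
        return "not-installed", "rt3 is not installed"
    rt_str = ".".join(str(p) for p in rt)
    if rt > RT3_LAST_AFFECTED:
        return "fixed", "rt3 %s is newer than 3.6.6" % rt_str
    if st is not None and st >= STACKTRACE_FIRST_FIXED:
        return ("stacktrace-fixed",
                "perl-Devel-StackTrace %.2f >= 1.19; rt3 %s should still go to 3.6.7"
                % (st, rt_str))
    return ("vulnerable",
            "rt3 %s with perl-Devel-StackTrace %s" % (rt_str, st))


if __name__ == "__main__":
    verdict, reason = assess(parse_rpm_lines(SAMPLE_RPM_OUTPUT))
    print("%s: %s" % (verdict, reason))
```

On a real host, replace `SAMPLE_RPM_OUTPUT` with the output of the `rpm -q` query for the two packages; the verdict only distinguishes the cases the report itself describes and does not try to detect a locally patched rt3.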
Pushed to EPEL stable, as well as a fixed perl-Devel-StackTrace.