Several flaws have been reported [1] and corrected in RT versions 3.6.11 and 3.8.10, including:

RT versions 3.8.0 and above with the "external custom field" feature enabled and configured are vulnerable to a remote code execution vulnerability. An authenticated user (either privileged or unprivileged) can use this vulnerability to execute arbitrary code with the permissions of the webserver; they may also be tricked into doing so via cross-site request forgery (CSRF). (CVE-2011-1685)

RT versions 2.0.0 and above are vulnerable to multiple SQL injection attacks. We do not believe these attacks to be capable of directly inserting, altering or removing data from the database, but an authenticated user (either privileged or unprivileged) could use them to retrieve unauthorized ticket data. (CVE-2011-1686)

RT versions 3.0.0 and higher are vulnerable to an information leak wherein an authenticated privileged user could gain sensitive information, such as encrypted passwords, via the search interface. (CVE-2011-1687)

RT versions 3.6.0 through 3.8.7, as well as 3.8.8 to a more limited degree, are vulnerable to a malicious attacker tricking the user into sending their authentication credentials to a third-party server. (CVE-2011-1690)

RT versions 3.2.0 and above are vulnerable to a directory traversal attack where an unauthenticated attacker can read any file which is readable by the webserver. While some servers (Apache, nginx) have safeguards which mitigate this attack, preventing such traversals from accessing files outside of RT's document root, many others (including the standalone server provided with RT, plackup, starman, twiggy, and lighttpd) are vulnerable to this exploit. (CVE-2011-1688)

RT versions 2.0.0 and above are vulnerable to javascript cross-site-scripting vulnerabilities, which allow an attacker to run javascript with the user's credentials. (CVE-2011-1689)

Upstream have released a patchset [2] as well for 3.6.10 and 3.8 releases, in addition to the new releases.

[1] http://blog.bestpractical.com/2011/04/security-vulnerabilities-in-rt.html
[2] http://download.bestpractical.com/pub/rt/release/security-2011-04-14.tar.gz
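The directory-traversal item (CVE-2011-1688) turns on whether the server in front of RT confines file requests to the document root, which the report says Apache and nginx do and the listed standalone servers do not. The following is an added example, not code from the bug report, from RT, or from any of those servers: a document-root containment check of the kind those safeguards perform, run over a handful of constructed request paths. The root path, the request paths and the function names are assumptions made for the example; it assumes a POSIX filesystem and nothing needs to exist on disk.

```python
import os
from urllib.parse import unquote

# Constructed document root for the example; it does not need to exist.
DOC_ROOT = "/srv/rt-docroot"


def resolve_under_root(doc_root, request_path):
    """Map a request path to a file under doc_root, or return None if it escapes.

    On success the path is returned relative to doc_root. The steps mirror the
    safeguard the advisory credits Apache and nginx with: percent-decode the
    request, join it to the root, let realpath() collapse "../" segments and
    follow symlinks, then check that the result is still inside the root.
    A server that opens the file without such a check is the exposed case.
    """
    path_part = request_path.split("?", 1)[0]   # ignore any query string
    decoded = unquote(path_part)                # %2e%2e -> ..
    if "\x00" in decoded:
        return None                             # an embedded NUL is never a real file name
    candidate = os.path.join(doc_root, decoded.lstrip("/"))
    root_real = os.path.realpath(doc_root)
    cand_real = os.path.realpath(candidate)     # normalises ".." and resolves symlinks
    if cand_real != root_real and not cand_real.startswith(root_real + os.sep):
        return None                             # escaped the document root
    return os.path.relpath(cand_real, root_real)


def triage(doc_root, request_paths):
    """Return {request: resolved-relative-path-or-None} for a batch of request paths."""
    return {p: resolve_under_root(doc_root, p) for p in request_paths}


# Constructed sample request paths (not taken from any real log or exploit).
SAMPLE_REQUESTS = [
    "/NoAuth/images/logo.png",
    "/NoAuth/css/../images/logo.png",
    "/NoAuth/images/../../../../etc/passwd",
    "/NoAuth/images/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/NoAuth/images/logo.png%00.txt",
]

if __name__ == "__main__":
    for req, resolved in triage(DOC_ROOT, SAMPLE_REQUESTS).items():
        verdict = "ALLOW" if resolved is not None else "REJECT"
        print(f"{verdict:6} {req} -> {resolved}")
```

The same function, fed the path column of an access log, gives a quick way to see whether any past requests to a standalone RT server would have resolved outside the document root. Note that it decodes only once; a front end that decodes the URL itself before handing it on should apply the check to the already-decoded path rather than decoding again.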
rt3-3.8.10-2.el6.1 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.