Date: Fri, 20 Oct 2023 06:09:12 GMT
Message-Id: <202310200609.39K69CEE042034@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Mikael Urankar
Subject: git: c2ce69e2f52b - main - www/rt44: Fix vulnerabilities
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: mikael
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: c2ce69e2f52b932bb6d5d52c174d6d06fe95bef1
Auto-Submitted: auto-generated

The branch main has been updated by mikael:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c2ce69e2f52b932bb6d5d52c174d6d06fe95bef1

commit c2ce69e2f52b932bb6d5d52c174d6d06fe95bef1
Author:     Mikael Urankar
AuthorDate: 2023-10-04 08:03:35 +0000
Commit:     Mikael Urankar
CommitDate: 2023-10-20 06:08:17 +0000

    www/rt44: Fix vulnerabilities

    The following issues are addressed with these security updates:

    - RT is vulnerable to unvalidated email headers in incoming email and the
      mail-gateway REST interface. This vulnerability is assigned CVE-2023-41259.
    - RT is vulnerable to information leakage via response messages returned
      from requests sent via the mail-gateway REST interface. This vulnerability
      is assigned CVE-2023-41260.
    - RT 5.0 is vulnerable to information leakage via transaction searches made
      by authenticated users in the transaction query builder. This vulnerability
      is assigned CVE-2023-45024.
    - RT 5.0 can reveal information about data on various RT objects in errors
      and other response messages to REST 2 requests.
---
 www/rt44/Makefile                    |   1 +
 www/rt44/files/patch-vuln-2023-09-26 | 107 +++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)

diff --git a/www/rt44/Makefile b/www/rt44/Makefile
index f97351728c68..ed8f906e7f7b 100644
--- a/www/rt44/Makefile
+++ b/www/rt44/Makefile
@@ -1,5 +1,6 @@ PORTNAME= rt DISTVERSION= 4.4.6 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ PKGNAMESUFFIX= 44 diff --git a/www/rt44/files/patch-vuln-2023-09-26 b/www/rt44/files/patch-vuln-2023-09-26 new file mode 100644 index 000000000000..6772187d9342 --- /dev/null +++ b/www/rt44/files/patch-vuln-2023-09-26 
@@ -0,0 +1,107 @@ +diff --git a/docs/web_deployment.pod b/docs/web_deployment.pod +index d4d6a43122..3177d2abfd 100644 +--- docs/web_deployment.pod ++++ docs/web_deployment.pod +@@ -171,6 +171,30 @@ B + To run RT using mod_perl 1.xx please see L for + configuration examples. + ++=head3 Restricting the REST 1.0 mail-gateway ++ ++RT processes email via a REST 1.0 endpoint. If you accept email on the same ++server as your running RT, you can restrict this endpoint to localhost only ++with a configuration like the following: ++ ++ # Accept requests only from localhost ++ ++ Require local ++ ++ ++If you run C on a separate server, you can update ++the above to allow additional IP addresses. ++ ++ ++ Require ip 127.0.0.1 ::1 192.0.2.0 # Add you actual IPs ++ ++ ++See the L ++for additional configuration options. ++ ++After adding this configuration, test receiving email and confirm ++your C utility and C configurations ++can successfully submit email to RT. + + =head2 nginx + +diff --git a/lib/RT/Interface/Email.pm b/lib/RT/Interface/Email.pm +index 159e7758a3..7ded8b7310 100644 +--- lib/RT/Interface/Email.pm ++++ lib/RT/Interface/Email.pm +@@ -159,6 +159,10 @@ sub Gateway { + ); + } + ++ # Clean up sensitive headers. 
Crypt related headers are cleaned up in RT::Interface::Email::Crypt::VerifyDecrypt ++ my @headers = qw( RT-Attach RT-Send-Cc RT-Send-Bcc RT-Message-ID RT-DetectedAutoGenerated RT-Squelch-Replies-To ); ++ $Message->head->delete($_) for @headers; ++ + #Set up a queue object + my $SystemQueueObj = RT::Queue->new( RT->SystemUser ); + $SystemQueueObj->Load( $args{'queue'} ); +diff --git a/lib/RT/Interface/Email/Crypt.pm b/lib/RT/Interface/Email/Crypt.pm +index f4eab01935..a8b0ea3f19 100644 +--- lib/RT/Interface/Email/Crypt.pm ++++ lib/RT/Interface/Email/Crypt.pm +@@ -73,13 +73,14 @@ sub VerifyDecrypt { + ); + + # we clean all possible headers +- my @headers = ++ my @headers = ( + qw( + X-RT-Incoming-Encryption + X-RT-Incoming-Signature X-RT-Privacy + X-RT-Sign X-RT-Encrypt + ), +- map "X-RT-$_-Status", RT::Crypt->Protocols; ++ map "X-RT-$_-Status", RT::Crypt->Protocols ++ ); + foreach my $p ( $args{'Message'}->parts_DFS ) { + $p->head->delete($_) for @headers; + } +diff --git a/share/html/REST/1.0/NoAuth/mail-gateway b/share/html/REST/1.0/NoAuth/mail-gateway +index 328be91bc6..107d7858c7 100644 +--- share/html/REST/1.0/NoAuth/mail-gateway ++++ share/html/REST/1.0/NoAuth/mail-gateway +@@ -59,9 +59,18 @@ use RT::Interface::Email; + $r->content_type('text/plain; charset=utf-8'); + $m->error_format('text'); + my ( $status, $error, $Ticket ) = RT::Interface::Email::Gateway( \%ARGS ); ++ ++# Obscure the message to avoid any information disclosure unless ++# in DevelMode. ++my $log_error; ++unless ( RT->Config->Get('DevelMode') ) { ++ $log_error = $error; ++ $error = 'operation unsuccessful'; ++} ++ + if ( $status == 1 ) { + $m->out("ok\n"); +- if ( $Ticket && $Ticket->Id ) { ++ if ( $Ticket && $Ticket->Id && RT->Config->Get('DevelMode') ) { + $m->out( 'Ticket: ' . ($Ticket->Id || '') . "\n" ); + $m->out( 'Queue: ' . ($Ticket->QueueObj->Name || '') . "\n" ); + $m->out( 'Owner: ' . ($Ticket->OwnerObj->Name || '') . 
"\n" ); +@@ -73,9 +82,11 @@ if ( $status == 1 ) { + } + else { + if ( $status == -75 ) { ++ RT->Logger->error("mail-gateway returned status -75: $log_error") if $log_error; + $m->out( "temporary failure - $error\n" ); + } + else { ++ RT->Logger->error("mail-gateway error: $log_error") if $log_error; + $m->out( "not ok - $error\n" ); + } + }