git: ac7961ef0d09 - 2023Q4 - www/rt44: Fix vulnerabilities
Date: Fri, 20 Oct 2023 06:11:33 UTC
The branch 2023Q4 has been updated by mikael:
URL: https://cgit.FreeBSD.org/ports/commit/?id=ac7961ef0d090aff65e79a93e27b8bcf15795c4e
commit ac7961ef0d090aff65e79a93e27b8bcf15795c4e
Author: Mikael Urankar <mikael@FreeBSD.org>
AuthorDate: 2023-10-04 08:03:35 +0000
Commit: Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2023-10-20 06:10:06 +0000
www/rt44: Fix vulnerabilities
The following issues are addressed with these security updates:
- RT is vulnerable to unvalidated email headers in incoming email and the
mail-gateway REST interface.
This vulnerability is assigned CVE-2023-41259.
- RT is vulnerable to information leakage via response messages returned from
requests sent via the mail-gateway REST interface.
This vulnerability is assigned CVE-2023-41260.
- RT 5.0 is vulnerable to information leakage via transaction searches made by
authenticated users in the transaction query builder.
This vulnerability is assigned CVE-2023-45024.
- RT 5.0 can reveal information about data on various RT objects in errors and
other response messages to REST 2 requests.
(cherry picked from commit c2ce69e2f52b932bb6d5d52c174d6d06fe95bef1)
---
www/rt44/Makefile | 1 +
www/rt44/files/patch-vuln-2023-09-26 | 107 +++++++++++++++++++++++++++++++++++
2 files changed, 108 insertions(+)
diff --git a/www/rt44/Makefile b/www/rt44/Makefile
index f97351728c68..ed8f906e7f7b 100644
--- a/www/rt44/Makefile
+++ b/www/rt44/Makefile
@@ -1,5 +1,6 @@
PORTNAME= rt
DISTVERSION= 4.4.6
+PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= http://download.bestpractical.com/pub/rt/release/
PKGNAMESUFFIX= 44
diff --git a/www/rt44/files/patch-vuln-2023-09-26 b/www/rt44/files/patch-vuln-2023-09-26
new file mode 100644
index 000000000000..6772187d9342
--- /dev/null
+++ b/www/rt44/files/patch-vuln-2023-09-26
@@ -0,0 +1,107 @@
+diff --git a/docs/web_deployment.pod b/docs/web_deployment.pod
+index d4d6a43122..3177d2abfd 100644
+--- docs/web_deployment.pod
++++ docs/web_deployment.pod
+@@ -171,6 +171,30 @@ B<WARNING: mod_perl 1.99_xx is not supported.>
+ To run RT using mod_perl 1.xx please see L<Plack::Handler::Apache1> for
+ configuration examples.
+
++=head3 Restricting the REST 1.0 mail-gateway
++
++RT processes email via a REST 1.0 endpoint. If you accept email on the same
++server as your running RT, you can restrict this endpoint to localhost only
++with a configuration like the following:
++
++ # Accept requests only from localhost
++ <Location /REST/1.0/NoAuth/mail-gateway>
++ Require local
++ </Location>
++
++If you run C<bin/rt-mailgate> on a separate server, you can update
++the above to allow additional IP addresses.
++
++ <Location /REST/1.0/NoAuth/mail-gateway>
++ Require ip 127.0.0.1 ::1 192.0.2.0 # Add you actual IPs
++ </Location>
++
++See the L<Apache documentation|https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html>
++for additional configuration options.
++
++After adding this configuration, test receiving email and confirm
++your C<bin/rt-mailgate> utility and C</etc/aliases> configurations
++can successfully submit email to RT.
+
+ =head2 nginx
+
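Review bot: the second `<Location>` example will not load as written, because Apache does not allow a trailing `#` comment on a directive line; httpd will try to parse `#`, `Add`, `you` and `actual` as further arguments to `Require ip` and refuse to start. Move the comment onto its own line, as the first example already does, and fix the typo ("Add your actual IPs"). Two caveats worth a sentence in the same section: a bare `192.0.2.0` matches exactly that one address (use a partial address or a CIDR such as `192.0.2.0/24` for a whole subnet), and `Require ip` checks the TCP peer address, so when RT sits behind a reverse proxy the rule sees the proxy's address rather than the mail server's.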
+diff --git a/lib/RT/Interface/Email.pm b/lib/RT/Interface/Email.pm
+index 159e7758a3..7ded8b7310 100644
+--- lib/RT/Interface/Email.pm
++++ lib/RT/Interface/Email.pm
+@@ -159,6 +159,10 @@ sub Gateway {
+ );
+ }
+
++ # Clean up sensitive headers. Crypt related headers are cleaned up in RT::Interface::Email::Crypt::VerifyDecrypt
++ my @headers = qw( RT-Attach RT-Send-Cc RT-Send-Bcc RT-Message-ID RT-DetectedAutoGenerated RT-Squelch-Replies-To );
++ $Message->head->delete($_) for @headers;
++
+ #Set up a queue object
+ my $SystemQueueObj = RT::Queue->new( RT->SystemUser );
+ $SystemQueueObj->Load( $args{'queue'} );
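Review bot: the new cleanup deletes the listed RT-* headers only from the top-level `$Message->head`, whereas the VerifyDecrypt cleanup further down walks `parts_DFS` and strips its X-RT-* headers from every part. That is fine if these headers are only ever consulted on the top-level entity, but the comment should say so, and the hard-coded list (`RT-Attach RT-Send-Cc RT-Send-Bcc RT-Message-ID RT-DetectedAutoGenerated RT-Squelch-Replies-To`) deserves a note explaining that any header RT itself reads from incoming mail must be added here, since the fix is only as complete as this list.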
+diff --git a/lib/RT/Interface/Email/Crypt.pm b/lib/RT/Interface/Email/Crypt.pm
+index f4eab01935..a8b0ea3f19 100644
+--- lib/RT/Interface/Email/Crypt.pm
++++ lib/RT/Interface/Email/Crypt.pm
+@@ -73,13 +73,14 @@ sub VerifyDecrypt {
+ );
+
+ # we clean all possible headers
+- my @headers =
++ my @headers = (
+ qw(
+ X-RT-Incoming-Encryption
+ X-RT-Incoming-Signature X-RT-Privacy
+ X-RT-Sign X-RT-Encrypt
+ ),
+- map "X-RT-$_-Status", RT::Crypt->Protocols;
++ map "X-RT-$_-Status", RT::Crypt->Protocols
++ );
+ foreach my $p ( $args{'Message'}->parts_DFS ) {
+ $p->head->delete($_) for @headers;
+ }
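Review bot: this is a precedence fix rather than a cosmetic one and the commit message should say so: in the old code `my @headers = qw(...), map ...;` binds as `(my @headers = qw(...)), map ...;`, so the `map "X-RT-$_-Status", RT::Crypt->Protocols` result was evaluated and discarded, and the per-protocol `X-RT-*-Status` headers were never removed from incoming mail. Wrapping the whole list in parentheses makes them part of `@headers` as originally intended. A test that feeds a message carrying a forged `X-RT-<protocol>-Status` header through VerifyDecrypt and asserts it is gone afterwards would keep this from regressing.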
+diff --git a/share/html/REST/1.0/NoAuth/mail-gateway b/share/html/REST/1.0/NoAuth/mail-gateway
+index 328be91bc6..107d7858c7 100644
+--- share/html/REST/1.0/NoAuth/mail-gateway
++++ share/html/REST/1.0/NoAuth/mail-gateway
+@@ -59,9 +59,18 @@ use RT::Interface::Email;
+ $r->content_type('text/plain; charset=utf-8');
+ $m->error_format('text');
+ my ( $status, $error, $Ticket ) = RT::Interface::Email::Gateway( \%ARGS );
++
++# Obscure the message to avoid any information disclosure unless
++# in DevelMode.
++my $log_error;
++unless ( RT->Config->Get('DevelMode') ) {
++ $log_error = $error;
++ $error = 'operation unsuccessful';
++}
++
+ if ( $status == 1 ) {
+ $m->out("ok\n");
+- if ( $Ticket && $Ticket->Id ) {
++ if ( $Ticket && $Ticket->Id && RT->Config->Get('DevelMode') ) {
+ $m->out( 'Ticket: ' . ($Ticket->Id || '') . "\n" );
+ $m->out( 'Queue: ' . ($Ticket->QueueObj->Name || '') . "\n" );
+ $m->out( 'Owner: ' . ($Ticket->OwnerObj->Name || '') . "\n" );
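Review bot: `$error` is overwritten with `'operation unsuccessful'` before `$status` is examined, so the replacement also runs on the success path where `$error` is never printed; harmless, but moving the `unless ( RT->Config->Get('DevelMode') )` block into the `else` branch would make the intent clearer. More importantly, the `Ticket:` / `Queue:` / `Owner:` lines are now only emitted in DevelMode, which changes the gateway's response format for every production install; please confirm that `bin/rt-mailgate` (and any site scripts wrapping it) only depend on the leading `ok` line, and mention the response change in the commit message so operators who parsed those lines know why they disappeared.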
+@@ -73,9 +82,11 @@ if ( $status == 1 ) {
+ }
+ else {
+ if ( $status == -75 ) {
++ RT->Logger->error("mail-gateway returned status -75: $log_error") if $log_error;
+ $m->out( "temporary failure - $error\n" );
+ }
+ else {
++ RT->Logger->error("mail-gateway error: $log_error") if $log_error;
+ $m->out( "not ok - $error\n" );
+ }
+ }
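Review bot: the `if $log_error` guard means nothing is logged when `$error` is an empty string or when DevelMode is on; the DevelMode case is acceptable because the detail goes to the client instead, but an empty `$error` on a failure path now leaves no trace anywhere, so logging unconditionally on the failure branches (with `$log_error // $error`) would be safer. The distinction between `temporary failure` (status -75) and `not ok` is still visible to the calling MTA through the different prefixes, which is what it needs for retry versus bounce, so the obscured text does not break mail flow. Consider adding a correlating detail such as the queue name or the message's own identifier to the log lines so an operator can match a logged error to the mail that triggered it.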