We have discovered security vulnerabilities which affect both RT 4.0.x and RT 4.2.x. We are releasing RT versions 4.0.24 and 4.2.12 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.
The vulnerabilities addressed by 4.0.24, 4.2.12, and the below patches include the following:
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via the user and group rights management pages. This vulnerability is assigned CVE-2015-5475. It was discovered and reported by Marcin Kopeć at Data Reliance Shared Service Center.
The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at firstname.lastname@example.org for more information.
We have released RT version 4.2.11. This is a bugfix release; most notably, it improves indexing time for full-text search, as well as improving support for Apache 2.4 and MySQL 5.5. Interactive command-line tools (including upgrade tools) will now also default to displaying warnings to STDERR, to aid in awareness of potential errors.
We are looking for a motivated, customer-service-oriented engineer to participate in all aspects of the software development cycle, including requirements gathering, design, development, implementation, upgrades, maintenance and documentation. You will be responsible for ensuring that new or upgraded systems are fully deployed and functioning per the client's specification. You will also design and code new features for our products. Other responsibilities will include debugging issues and correcting defects reported by our users, testing new releases, and updating code to address errors and overall performance. We work in a very dynamic and fast-paced environment, so you will need to be flexible enough to handle a steady variety of tasks on a daily basis.
You should be a self-starter with 3+ years' experience with Perl, as well as some experience with at least a few of the following buzzwords:
Open source development practices
Distributed source control (git, branching, patches)
Test driven development (smoke testing, Test::More)
User interface design (HTML, CSS)
Documentation (user-facing, API)
SQL databases (MySQL, PostgreSQL, Oracle, SQLite)
Optimization, profiling and debugging
UNIX systems administration (web servers, mail servers)
It's OK if you don't know everything out of the gate, but you should be able to learn on the fly and be comfortable asking questions before you get in over your head. Being vocal is a really important quality, and being able to manage competing priorities with the help of your colleagues and project manager is key. RT is a large codebase to dive into, so you should be prepared to work with a project that's too big to hold in your head all at once. If you want to see what you'll be getting yourself into, you can find all of our open source code on GitHub.
You will be working from our office in Somerville, MA. The hours are somewhat flexible (East or West coast business hours), and we all telecommute some of the time...though we work from our office in the heart of Davis Square most days. While we do a fair amount of our collaboration in-person, you should also be comfortable using email and instant messaging to coordinate and get work done, as we have a few employees in other parts of the globe.
Salary DOE (depending on experience). This is a full-time salaried position, but the details are negotiable. We're a small, self-funded company. The standard benefits apply, of course: health insurance, dental insurance, and junk food to make that dental insurance worthwhile.
How to apply
Send something approximating a cover letter, a resume in plain text, HTML or PDF, and a sample of some code you've written to email@example.com. If you're involved in open source development of one kind or another, please tell us about it. If you have a CPAN ID, tell us what it is. We won't consider applications without some sort of code example to look at; we'll be paying particular attention to readability, comments, and tests.
We have discovered security vulnerabilities which affect both RT 4.0.x and RT 4.2.x. We are releasing RT versions 4.0.23 and 4.2.10 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.
The vulnerabilities addressed by 4.0.23, 4.2.10, and the below patches include the following:
RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a remote denial-of-service via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This denial-of-service may encompass both CPU and disk usage, depending on RT's logging configuration. This vulnerability is assigned CVE-2014-9472.
RT 3.8.8 and above are vulnerable to an information disclosure attack which may reveal RSS feed URLs, and thus ticket data; this vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be leveraged to perform session hijacking, allowing a user with the URL to log in as the user that created the feed; this vulnerability is assigned CVE-2015-1464.
We would like to thank Christian Loos for reporting CVE-2014-9472 and CVE-2015-1165; CVE-2015-1464 was found by
The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at firstname.lastname@example.org for more information.
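The affected-version ranges quoted in this advisory and in the 4.0.24/4.2.12 advisory earlier on this page can be turned into a quick inventory check: given an installation's RT and Perl versions, which of the four CVEs still apply. The following is an added example, not Best Practical's code and not part of either advisory. The version boundaries are copied from the advisory text; the helper names, the pairing of CVE-2015-1464 with the session-hijacking issue (inferred from the advisory's wording), the worst-case handling of an unknown Perl version, and the assumption that release series newer than 4.2 already carry these fixes are our own.

```python
"""Map an RT (and Perl) version to the CVEs from the advisories on this page.

Added example, not Best Practical's code.  The version boundaries are taken
from the advisory text; the helper names, the worst-case handling of an
unknown Perl version and the assumption that series newer than 4.2 carry the
fixes are assumptions made here.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'4.2.11' -> (4, 2, 11).  Tolerates 'rt-' and 'v' prefixes."""
    s = text.strip().lower()
    for prefix in ("rt-", "v"):
        if s.startswith(prefix):
            s = s[len(prefix):]
    parts = s.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


# Affected ranges as stated in the two advisories.  "fixed_in" maps a release
# series to the first release on that series that carries the fix.
ADVISORIES: List[Dict] = [
    {
        "cve": "CVE-2015-5475",
        "summary": "XSS via user and group rights management pages",
        "affected_from": (4, 0, 0),
        "min_perl": None,
        "fixed_in": {(4, 0): (4, 0, 24), (4, 2): (4, 2, 12)},
    },
    {
        "cve": "CVE-2014-9472",
        "summary": "remote DoS via the email gateway (only on Perl >= 5.14.0)",
        "affected_from": (3, 0, 0),
        "min_perl": (5, 14, 0),
        "fixed_in": {(4, 0): (4, 0, 23), (4, 2): (4, 2, 10)},
    },
    {
        "cve": "CVE-2015-1165",
        "summary": "information disclosure of RSS feed URLs",
        "affected_from": (3, 8, 8),
        "min_perl": None,
        "fixed_in": {(4, 0): (4, 0, 23), (4, 2): (4, 2, 10)},
    },
    {
        # Pairing with the session-hijacking issue is inferred from the advisory wording.
        "cve": "CVE-2015-1464",
        "summary": "session hijacking via an RSS feed URL",
        "affected_from": (3, 8, 8),
        "min_perl": None,
        "fixed_in": {(4, 0): (4, 0, 23), (4, 2): (4, 2, 10)},
    },
]


def is_affected(rt: Version, perl: Optional[Version], adv: Dict) -> bool:
    """True if an RT at `rt` on Perl `perl` falls in the advisory's affected range."""
    if rt < adv["affected_from"]:
        return False
    if adv["min_perl"] is not None:
        if perl is None:
            return True          # Perl version unknown: assume the worst (assumption)
        if perl < adv["min_perl"]:
            return False
    series = rt[:2]
    fix = adv["fixed_in"].get(series)
    if fix is None:
        # No fixed release on this page for 3.x, so it stays affected; series
        # newer than 4.2 are assumed to already contain the fixes (assumption).
        return series < (4, 0)
    return rt < fix


def applicable_cves(rt_version: str, perl_version: Optional[str] = None) -> List[str]:
    """CVE identifiers from this page that apply to the given RT/Perl versions."""
    rt = parse_version(rt_version)
    perl = parse_version(perl_version) if perl_version else None
    return [adv["cve"] for adv in ADVISORIES if is_affected(rt, perl, adv)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("4.2.11", "5.20.2"), ("4.0.22", "5.10.1"),
                 ("3.8.7", "5.16.3"), ("4.0.22", None), ("4.2.12", "5.20.2")]
    for rt, perl in inventory:
        cves = applicable_cves(rt, perl)
        print(f"RT {rt:<7} Perl {(perl or 'unknown'):<8} -> "
              f"{', '.join(cves) or 'none of the CVEs on this page'}")
```

Note that a 4.2.11 install (the bugfix release announced above) is still flagged for CVE-2015-5475, since that fix only landed in 4.2.12, while the email-gateway denial-of-service drops out on Perl older than 5.14.0 exactly as the advisory states.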