From Secunia: A vulnerability has been reported in RT, which can be exploited by malicious people to conduct script insertion attacks. Certain input displayed via custom fields is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed. Successful exploitation requires "ModifyCustomField" permissions or that e.g. malicious people can set custom field values via automated parsing scripts or the Web UI. The vulnerability is reported in versions 3.4.6 to 3.8.4.
CVE-2009-3585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3585): Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages a second web server within the same domain.
CVE-2009-4151 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4151): Session fixation vulnerability in html/Elements/SetupSessionCookie in Best Practical Solutions RT 3.0.0 through 3.6.9 and 3.8.x through 3.8.5 allows remote attackers to hijack web sessions by setting the session identifier via a manipulation that leverages "HTTP access to the RT server," a related issue to CVE-2009-3585.
I am currently working on bumping rt from 3.6.7 -> 3.8.10 and finally 4.0.2. 3.8.10 resolves all of these issues, and work is being done in bug #235914. I have posted a diff for 3.8.10 and I'm waiting for my proxy maintainer to sign off on it.
rt-3.8.10 is in tree. No stable version => this bug is fixed.
Thanks, folks. Closing noglsa.
Alright, really closing.