From ${URL} : This release is primarily a security release; it addresses CVE-2014-9472, a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and CVE-2015-1464, which allow for information disclosure and session hijacking via RT's RSS feeds. @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
I'm working on this now and it will be addressed soon.
This package has been updated with insecure version(s) removed.

*rt-4.2.11 (19 May 2015)

19 May 2015; Aaron W. Swenson <titanofold@gentoo.org> -rt-4.2.9-r1.ebuild, +rt-4.2.11.ebuild, +files/rt-makefile-serialize-install-prereqs.patch, -files/rt_apache2_fcgi.conf, -files/rt_apache2.conf:
Address security bug 542882. Add patch fixing bug 540014 to serialize primary build targets while still allowing parallel building on subtargets. Remove outdated Apache configuration examples fixing bug 544566. Users should follow the online guide.
CVE-2015-1464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1464):
RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.

CVE-2015-1165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1165):
RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.

CVE-2014-9472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9472):
The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email.
Thank you all. Closing as noglsa.