Updated rt/perl-Encode packages fix security vulnerability

RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to unauthorized modification of ticket data. The DeleteTicket right and any custom lifecycle transition rights may be bypassed by any user with ModifyTicket (CVE-2012-4733). RT 3.8.0 and above include a version of bin/rt that uses semi-predictable names when creating tempfiles. This could possibly be exploited by a malicious user to overwrite files with permissions of the user running bin/rt (CVE-2013-3368). RT 3.8.0 and above allow calling of arbitrary Mason components (without control of arguments) for users who can see administration pages. This could be used by a malicious user to run private components which may have negative side-effects (CVE-2013-3369). RT 3.8.0 and above allow direct requests to private callback components. Though no callback components ship with RT, this could be used to exploit an extension or local callback which uses the arguments passed to it insecurely (CVE-2013-3370). RT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via attachment filenames. The vector is difficult to exploit due to parsing requirements. Additionally, RT 4.0.0 and above are vulnerable to XSS via maliciously-crafted “URLs” in ticket content when RT’s “MakeClicky” feature is configured (CVE-2013-3371). RT 3.8.0 and above are vulnerable to an HTTP header injection limited to the value of the Content-Disposition header. Injection of other arbitrary response headers is not possible. Some (especially older) browsers may allow multiple Content-Disposition values which could lead to XSS. Newer browsers contain security measures to prevent this (CVE-2013-3372). RT 3.8.0 and above are vulnerable to a MIME header injection in outgoing email generated by RT (CVE-2013-3373). RT 3.8.0 and above are vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. RT’s default session configuration only uses Apache::Session::File for Oracle (CVE-2013-3374). RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a remote denial-of-service via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This denial-of-service may encompass both CPU and disk usage, depending on RT’s logging configuration (CVE-2014-9472). RT 3.8.8 and above are vulnerable to an information disclosure attack which may reveal RSS feeds URLs, and thus ticket data (CVE-2015-1165). RSS feed URLs can also be leveraged to perform session hijacking, allowing a user with the URL to log in as the user that created the feed (CVE-2015-1464). RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via the user and group rights management pages (CVE-2015-5475). RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack via the cryptography interface. This vulnerability could allow an attacker with a carefully-crafted key to inject JavaScript into RT’s user interface. Installations which use neither GnuPG nor S/MIME are unaffected. RT 4.0.0 and above are vulnerable to an information leak of cross-site request forgery (CSRF) verification tokens if a user visits a specific URL crafted by an attacker (CVE-2017-5943). RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack if an attacker uploads a malicious file with a certain content type. Installations which use the AlwaysDownloadAttachments config setting are unaffected. This fix addresses all existant and future uploaded attachments (CVE-2016-6127). RT 4.0.0 and above are vulnerable to timing side-channel attacks for user passwords. By carefully measuring millions or billions of login attempts, an attacker could crack a user’s password even over the internet. RT now uses a constant-time comparison algorithm for secrets to thwart such attacks (CVE-2017-5361). RT’s ExternalAuth feature is vulnerable to a similar timing side-channel attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth extension, as well as the core ExternalAuth feature in RT 4.4 are vulnerable. Installations which don’t use ExternalAuth, or which use ExternalAuth for LDAP/ActiveDirectory authentication, or which use ExternalAuth for cookie-based authentication, are unaffected. Only ExternalAuth in DBI (database) mode is vulnerable. RT 4.0.0 and above are potentially vulnerable to a remote code execution attack in the dashboard subscription interface. A privileged attacker can cause unexpected code to be executed through carefully-crafted saved search names. Though we have not been able to demonstrate an actual attack owing to other defenses in place, it could be possible (CVE-2017-5944). RT 4.0.0 and above have misleading documentation which could reduce system security. The RestrictLoginReferrer config setting (which has security implications) was inconsistent with its implementation, which checked for a slightly different variable name. Note that any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines, which will ensure that they themselves are not vulnerable to a similar issue to CVE-2013-3373.