All released versions of RT from 3.0.0 through 3.8.9rc1 use an
insecure hashing algorithm to store user passwords. An attacker who
gains read access to RT's database could brute-force the stored hashes
offline and recover users' passwords.
CVE-2011-0009 has been assigned to this vulnerability.
This vulnerability may affect you even if your RT instance now
authenticates against an external source. If your RT instance has ever
stored user password hashes in its database, those hashes are still
present and remain a risk until they are upgraded.
3.8.9rc2 closes this vulnerability by moving password storage to salted
SHA-256 hashes with a four-byte salt, the same scheme used by the
RT-Extension-SaltedPassword extension.
We intend to release 3.8.9 next week if no significant problems are
found with this release.
We wish to thank Chris Ball for bringing this to our attention in a
diligent and professional manner.
Please see UPGRADING for instructions on upgrading the password hashes
in your database.
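The following is an added illustration, written for this page in Python and not code from RT or from RT-Extension-SaltedPassword, of the scheme described above (a four-byte random salt prepended to the password before SHA-256) and of how existing unsalted hashes can be upgraded in place without the plaintext, the kind of step an UPGRADING document would call for. The record prefixes, the base64 layout, the unsalted stand-in used for the old scheme, and the sample users and wordlist are all assumptions made for this example; the advisory does not specify RT's legacy algorithm or its storage encoding.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4                       # four-byte salt, as the advisory describes
SALTED = "!salted!"                # prefix: salt || SHA-256(salt || password)
SALTED_LEGACY = "!salted-legacy!"  # prefix: salt || SHA-256(salt || old digest)
# The prefixes and the base64 layout are assumptions made for this example;
# they do not describe RT's actual on-disk format.

def legacy_hash(password: str) -> str:
    """Stand-in for the old unsalted scheme (the advisory does not name the
    algorithm RT used).  With no per-user salt, two users who chose the same
    password store the same digest, and one precomputed table cracks both."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def _material(prefix: str, password: str) -> bytes:
    # What gets salted: the password itself, or, for migrated records,
    # the old unsalted digest of the password.
    if prefix == SALTED_LEGACY:
        return legacy_hash(password).encode("ascii")
    return password.encode("utf-8")

def _salted(salt: bytes, material: bytes) -> bytes:
    return hashlib.sha256(salt + material).digest()

def _encode(prefix: str, salt: bytes, digest: bytes) -> str:
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    return prefix + base64.b64encode(salt + digest).decode("ascii")

def _decode(stored: str, prefix: str):
    raw = base64.b64decode(stored[len(prefix):], validate=True)
    if len(raw) != SALT_LEN + hashlib.sha256().digest_size:
        raise ValueError("malformed record")
    return raw[:SALT_LEN], raw[SALT_LEN:]

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Record for a password the server holds in the clear right now
    (account creation or password change): a fresh random salt per user."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return _encode(SALTED, salt, _salted(salt, _material(SALTED, password)))

def upgrade_legacy(legacy_record: str, salt: Optional[bytes] = None) -> str:
    """Migrate a stored unsalted digest without knowing the plaintext: salt the
    old digest and hash it again.  A database dump then no longer exposes the
    unsalted value, and the user's password does not change."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return _encode(SALTED_LEGACY, salt, _salted(salt, legacy_record.encode("ascii")))

def verify_password(password: str, stored: str) -> bool:
    """Check a login against any of the three record formats; the digest
    comparison is constant-time.  Malformed records never verify."""
    try:
        for prefix in (SALTED_LEGACY, SALTED):
            if stored.startswith(prefix):
                salt, digest = _decode(stored, prefix)
                return hmac.compare_digest(_salted(salt, _material(prefix, password)), digest)
        # Untouched legacy record: still accepted so users can log in until
        # the upgrade has been run over the database.
        return hmac.compare_digest(legacy_hash(password), stored)
    except (ValueError, TypeError, UnicodeError):
        return False

def crack(records: dict, wordlist) -> tuple:
    """What an attacker with a database dump does.  Returns (recovered
    passwords, number of guesses).  Against legacy records the wordlist is
    hashed once and every user is looked up in that table; against salted
    records each user's salt forces the wordlist to be hashed again."""
    found, guesses, table = {}, 0, None
    for user, rec in records.items():
        prefix = next((p for p in (SALTED_LEGACY, SALTED) if rec.startswith(p)), None)
        if prefix is None:
            if table is None:                      # built once for all users
                table = {legacy_hash(w): w for w in wordlist}
                guesses += len(wordlist)
            if rec in table:
                found[user] = table[rec]
            continue
        salt, digest = _decode(rec, prefix)
        for word in wordlist:                      # redone for every salt
            guesses += 1
            if _salted(salt, _material(prefix, word)) == digest:
                found[user] = word
                break
    return found, guesses

if __name__ == "__main__":
    # Constructed sample: three users, two with weak passwords, and a wordlist.
    words = ["password", "letmein", "hunter2", "qwerty", "123456"]
    legacy_db = {u: legacy_hash(p) for u, p in
                 [("alice", "hunter2"), ("bob", "qwerty"), ("carol", "x9!unguessable")]}
    upgraded_db = {u: upgrade_legacy(h) for u, h in legacy_db.items()}
    print("legacy:  ", crack(legacy_db, words))    # one table, 5 guesses total
    print("upgraded:", crack(upgraded_db, words))  # per-user work, 12 guesses
```

Two things the code makes measurable: with unsalted records the attacker hashes the wordlist once and looks every user up in the resulting table, whereas with salted records the work is repeated per user, so identical passwords are no longer linkable across accounts and precomputed tables are useless. A single SHA-256 per guess is still cheap, however, so the salt raises the cost of an offline attack only in proportion to the number of users; it does not by itself make an individual weak password expensive to guess.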