RT 4.0.0rc4 Released

All released versions of RT from 3.0.0 through 3.8.9rc1 use an
insecure hashing algorithm to store user passwords. If an attacker is
able to gain read access to RT’s database, it would be possible for
the attacker to brute-force the hash and discover users’ passwords.
CVE-2011-0009 has been assigned to this vulnerability.

This vulnerability may affect you even if your RT instance
authenticates against an external source. If your RT instance has ever
stored user passwords in the database, their presence is a risk.

4.0.0rc4 closes this vulnerability by extending the size of the password
field and using SHA-512 with a 16-byte salt. We are additionally
considering moving to the same multiple-round SHA-512 algorithm that
modern Linux crypt() uses.
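
The salted scheme described above, as an added Python sketch (not RT's own code, which this announcement does not show): SHA-512 over a random 16-byte salt plus the password, verified in constant time. The `!sha512!` tag, the base64 record layout and the function names are assumptions made for this example; the resulting 116-character record illustrates why a salted SHA-512 value needs a wider password field than a bare digest.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 16        # salt size stated in the announcement
TAG = "!sha512!"     # constructed scheme tag (assumption, not RT's format)
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def hash_password(password, salt=None):
    """Return TAG + base64(salt || SHA-512(salt || password))."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh salt per password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return TAG + base64.b64encode(salt + digest).decode("ascii")


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    if not stored.startswith(TAG):
        return False  # unknown or legacy record: reject, never guess
    try:
        raw = base64.b64decode(stored[len(TAG):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) != SALT_LEN + DIGEST_LEN:
        return False
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    actual = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored):
    """Hypothetical helper: flag records not in the salted format."""
    return not stored.startswith(TAG)


if __name__ == "__main__":
    first = hash_password("correct horse")   # constructed sample password
    second = hash_password("correct horse")
    print("record length:", len(first))
    print("same password, different records:", first != second)
    print("verifies:", verify_password("correct horse", first))
    print("legacy record flagged:", needs_rehash("0" * 32))  # constructed
```

Because each record carries its own random salt, identical passwords produce different stored values, so an attacker with read access to the table has to attack each hash separately. A single SHA-512 round is still fast to compute, which is the gap a multiple-round scheme addresses.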

We wish to thank Chris Ball <cjb@laptop.org> for bringing this to our
attention in a diligent and professional manner.

Please see docs/UPGRADING-3.8 for instructions on upgrading the password
hashes in your database.

http://download.bestpractical.com/pub/rt/devel/rt-4.0.0rc4.tar.gz
http://download.bestpractical.com/pub/rt/devel/rt-4.0.0rc4.tar.gz.sig

SHA1 sums

7c19910ed4ba8f46619a796b5c68b9145092014b rt-4.0.0rc4.tar.gz
8c1a8d8fc1d4c5ae3713a97b1ce80b96f020e165 rt-4.0.0rc4.tar.gz.sig

-kevin