All released versions of RT from 3.0.0 through 3.8.9rc1 use an
insecure hashing algorithm to store user passwords. If an attacker is
able to gain read access to RT’s database, it would be possible for
the attacker to brute-force the hash and discover users’ passwords.
CVE-2011-0009 has been assigned to this vulnerability.
This vulnerability may affect you even if your RT instance
authenticates against an external source. If your RT instance has ever
stored user passwords in the database, their presence is a risk.
4.0.0rc4 closes this vulnerability by extending the size of the password
field and using SHA-512 with a 16-byte salt. We are additionally
considering moving to the same multiple-round SHA-512 algorithm that
modern Linux crypt() uses.
We wish to thank Chris Ball for bringing this to our attention in a
diligent and professional manner.
Please see docs/UPGRADING-3.8 for instructions on upgrading the password
hashes in your database.
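The following is an added illustration of the storage change described above (salted SHA-512 with a 16-byte salt, plus an iterated variant standing in for the crypt()-style multi-round hashing under consideration) and of how legacy records can be replaced at login time. It is example code written for this page, not RT's own code and not what docs/UPGRADING-3.8 prescribes. The "legacy" unsalted MD5 scheme, the record layouts with `$` separators, the round count and the function names are all constructed for the example; PBKDF2-HMAC-SHA512 is used as the multi-round stand-in and is not the same algorithm as glibc's SHA-512 crypt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 16             # 16-byte random salt, as the advisory specifies
PBKDF2_ROUNDS = 100_000   # assumption: round count chosen for this example


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def legacy_hash(password: str) -> str:
    """Constructed stand-in for an insecure, unsalted digest (not RT's actual
    scheme). Equal passwords give equal hashes, so a database leak lets an
    attacker test each guess against every user at once and reuse
    precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted_sha512(password: str, salt: Optional[bytes] = None) -> str:
    """SHA-512 over salt || password with a 16-byte salt, the scheme the
    advisory describes for 4.0.0rc4. The record layout
    'sha512$<salt>$<digest>' (base64 fields) is this example's own."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return "sha512${}${}".format(_b64(salt), _b64(digest))


def hash_iterated_sha512(password: str, salt: Optional[bytes] = None,
                         rounds: int = PBKDF2_ROUNDS) -> str:
    """Multi-round variant: PBKDF2-HMAC-SHA512 stands in for the crypt()-style
    repeated hashing the advisory mentions (not glibc's $6$ algorithm).
    Each verification costs 'rounds' hash computations, which slows an
    offline brute-force attempt by the same factor."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "pbkdf2-sha512${}${}${}".format(rounds, _b64(salt), _b64(digest))


def verify(password: str, stored: str) -> bool:
    """Check a password against any of the three record formats above,
    using a constant-time comparison so timing does not leak digest bytes."""
    if "$" not in stored:                       # legacy unsalted record
        return hmac.compare_digest(legacy_hash(password), stored)
    scheme, rest = stored.split("$", 1)
    if scheme == "sha512":
        salt, _digest = rest.split("$", 1)
        candidate = hash_salted_sha512(password, _unb64(salt))
    elif scheme == "pbkdf2-sha512":
        rounds, salt, _digest = rest.split("$", 2)
        candidate = hash_iterated_sha512(password, _unb64(salt), int(rounds))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored: str) -> bool:
    """True for any record not in the currently preferred format."""
    return not stored.startswith("pbkdf2-sha512$")


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; if the stored record uses a weaker scheme, return
    a fresh record to write back. The plaintext is only available at login,
    so that is the one point where an old hash can be replaced."""
    if not verify(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_iterated_sha512(password)
    return True, stored


if __name__ == "__main__":
    old = legacy_hash("correct horse")          # constructed sample record
    ok, new = login_and_upgrade("correct horse", old)
    print(ok, new.split("$")[0])
    print(verify("wrong", new))
```

The salt defeats shared precomputation across users, and the round count in the iterated variant is the knob that makes each guess expensive; records that still carry the old format are detected by `needs_rehash` and replaced the next time the user authenticates successfully.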