RT 4.0.17 released

This release fixes an important regression in the upgrade script
included in 4.0.14, 4.0.15, and 4.0.16. Attempting to upgrade from 3.x
would skip key upgrade steps. New installs, and sites upgrading from
within the 4.0.x series, are unaffected.

Affected installations (i.e., who upgraded from 3.x to 4.0.14, 4.0.15,
or 4.0.16) should install RT 4.0.17, and then run ‘make
upgrade-database’, specifying versions 3.9.9 through 4.0.0 as the
versions to upgrade from and to. This should produce:

Going to apply following upgrades:
* 4.0.0rc2
* 4.0.0rc4
* 4.0.0rc7

Due to the missed upgrade steps, passwords would work until after the
user first logged in, or until etc/upgrade/vulnerable-passwords was run.
Affected users may be found by running the following SQL query:

SELECT Name FROM Users WHERE Password LIKE '!sha512!%'
                         AND LENGTH(Password) = 40;

After completing the upgrade steps mentioned above, passwords for
affected users should be restored from backups, the admin UI (assuming
an administrator can log in), or (as a last resort) setting them
explicitly via:

perl -I/opt/rt4/local/lib -I/opt/rt4/lib -MRT=-init  \
     -e 'my $u = RT::User->new( RT->SystemUser );'   \
     -e '($u->Load("username"))[0] or die "Failed to load user";' \
     -e '$u->SetPassword("new_password");'

Adjust the username and password on the last two lines accordingly. You
may need to adjust /opt/rt4/local/lib and /opt/rt4/lib on the first
line if your RT is not installed into the default location of /opt/rt4

http://download.bestpractical.com/pub/rt/release/rt-4.0.17.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.0.17.tar.gz.sig

SHA1 sums

b348fa687001db08198bc2b014a348083108e801 rt-4.0.17.tar.gz
edc3848822315a14bc4a272d4d0fae60fe5ced8d rt-4.0.17.tar.gz.sig

A complete changelog is available from git by running:
git log rt-4.0.16…rt-4.0.17
or visiting
https://github.com/bestpractical/rt/compare/rt-4.0.16...rt-4.0.17

rt-announce mailing list
rt-announce@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce