RT 4.0.17 is now available.
This release fixes an important regression in the upgrade script included in 4.0.14, 4.0.15, and 4.0.16. Attempting to upgrade from 3.x would skip key upgrade steps. New installs, and sites upgrading from within the 4.0.x series, are unaffected.
Affected installations (i.e., who upgraded from 3.x to 4.0.14, 4.0.15, or 4.0.16) should install RT 4.0.17, and then run 'make upgrade-database', specifying versions 3.9.9 through 4.0.0 as the versions to upgrade from and to. This should produce:
Going to apply following upgrades: * 4.0.0rc2 * 4.0.0rc4 * 4.0.0rc7
Due to the missed upgrade steps, passwords would work until after the user first logged in, or until etc/upgrade/vulnerable-passwords was run. Affected users may be found by running the following SQL query:
SELECT Name FROM Users WHERE Password LIKE '!sha512!%' AND LENGTH(Password) = 40;
After completing the upgrade steps mentioned above, passwords for affected users should be restored from backups, the admin UI (assuming an administrator can log in), or (as a last resort) setting them explicitly via:
perl -I/opt/rt4/local/lib -I/opt/rt4/lib -MRT=-init \ -e 'my $u = RT::User->new( RT->SystemUser );' \ -e '($u->Load("username")) or die "Failed to load user";' \ -e '$u->SetPassword("new_password");'
Adjust the username and password on the last two lines accordingly. You may need to adjust /opt/rt4/local/lib and /opt/rt4/lib on the first line if your RT is not installed into the default location of /opt/rt4
A complete changelog is available from git.