RT Request Tracker

RT 3.8.9 Released

We are happy to announce that RT 3.8.9 is now available. You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.9.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.9.tar.gz.sig

This release of RT contains 9 months of small improvements and bug fixes. It includes a fix for the security issue announced here: http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html.

If you have previously installed RT-Extension-SaltedPasswords, it will automatically disable itself after the upgrade. You may then safely remove it from @Plugins.

Important upgrade notes:

In addition to the normal /opt/rt3/sbin/rt-setup-database upgrade step, there are a few standalone upgrade scripts you should run. You can find full details in the "UPGRADING" file in the distribution. Please review 'UPGRADING FROM 3.8.8 and earlier' and ensure you follow each of the steps.

SHA1 sums

4dc78880220ccc8bf7b49b2c4efca0eeb3372133 rt-3.8.9.tar.gz
95dc126acaba7b5069f83bf042c31e6857e7397f rt-3.8.9.tar.gz.sig

SECURITY

  • Move to a SHA-256 based password hashing scheme
  • Redirect users to their desired pages after login. This prevents possible back button attacks after a user logs out.
  • Clone Scrip's TicketObj since we change the CurrentUser and it can leak information (Custom field values, etc) 

A full changelog is available in the release email.

Share this post: