We are happy to announce that RT 3.8.9 is now available. You can download it from:
This release of RT contains 9 months of small improvements and bug fixes. It includes a fix for the security issue announced here: http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html.
If you have previously installed RT-Extension-SaltedPasswords, it will automatically disable itself after the upgrade. You may then safely remove it from @Plugins.
Important upgrade notes:
In addition to the normal /opt/rt3/sbin/rt-setup-database upgrade step, there are a few standalone upgrade scripts you should run. You can find full details in the "UPGRADING" file in the distribution. Please review 'UPGRADING FROM 3.8.8 and earlier' and ensure you follow each of the steps.
- Move to a SHA-256 based password hashing scheme
- Redirect users to their desired pages after login. This prevents possible back button attacks after a user logs out.
- Clone Scrip's TicketObj since we change the CurrentUser and it can leak information (Custom field values, etc)
A full changelog is available in the release email.