[Rt-devel] RT 3.8.9rc2 Released

Kevin Falcone falcone at bestpractical.com
Wed Jan 19 19:18:39 EST 2011


All released versions of RT from 3.0.0 through 3.8.9rc1 use an
insecure hashing algorithm to store user passwords. If an attacker is
able to gain read access to RT's database, it would be possible for
the attacker to brute-force the hash and discover users' passwords.
CVE-2011-0009 has been assigned to this vulnerability.

This vulnerability may affect you even if your RT instance
authenticates against an external source. If your RT instance has ever
stored user passwords in the database, their presence is a risk.

3.8.9rc2 closes this vulnerability by moving to password storage based
on salted SHA hashes, using SHA-256 with a four-byte salt, identical to
the RT-Extension-SaltedPassword extension.

We intend to release 3.8.9 next week if no significant problems are
found with this release.

We wish to thank Chris Ball <cjb at laptop.org> for bringing this to our
attention in a diligent and professional manner.

Please see UPGRADING for instructions on upgrading the password hashes
in your database.

http://download.bestpractical.com/pub/rt/devel/rt-3.8.9rc2.tar.gz
http://download.bestpractical.com/pub/rt/devel/rt-3.8.9rc2.tar.gz.sig

SHA1 sums

9ce13be1960e089cc7abb9230f1aa5ac9bbaf3d2  rt-3.8.9rc2.tar.gz
2876b6f9dcc033a1b2567236bcccc30772f719c0  rt-3.8.9rc2.tar.gz.sig

-kevin
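
The salted storage described in the announcement (SHA-256 with a four-byte salt), sketched as an added example; this is not RT's code and not part of the original message. The record encoding (base64 of salt followed by digest), the function names and the sample rows are assumptions made for illustration; RT's own migration procedure is the one in UPGRADING.

```python
import base64
import hashlib
import hmac
import os

SALT_LEN = 4      # four-byte salt, as stated in the announcement
DIGEST_LEN = 32   # SHA-256 output size in bytes

def hash_password(password, salt=None):
    """Return base64(salt || SHA-256(salt || password)); this encoding is an assumption."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")

def split_record(stored):
    """Return (salt, digest) for a well-formed salted record, else None."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (ValueError, TypeError):  # bad base64, non-ASCII text, or NULL column
        return None
    if len(raw) != SALT_LEN + DIGEST_LEN:
        return None
    return raw[:SALT_LEN], raw[SALT_LEN:]

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = split_record(stored)
    if parts is None:
        return False  # legacy or corrupt value: never treat it as a match
    salt, expected = parts
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, expected)

def records_needing_upgrade(rows):
    """Given (username, stored) pairs, list users whose value is not a salted record."""
    return [user for user, stored in rows if split_record(stored) is None]

if __name__ == "__main__":
    # Constructed sample rows: carol's value is an unsalted hex digest (hypothetical legacy form).
    rows = [
        ("alice", hash_password("correct horse")),
        ("bob", hash_password("correct horse")),
        ("carol", hashlib.sha256(b"correct horse").hexdigest()),
    ]
    print(records_needing_upgrade(rows))
```

Running `records_needing_upgrade` over an export of the password column gives a quick audit of which accounts still hold a value in some other form after the upgrade step.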