[Rt-devel] RT 4.0.0rc4 Released

Kevin Falcone falcone at bestpractical.com
Wed Jan 19 19:19:24 EST 2011


All released versions of RT from 3.0.0 through 3.8.9rc1 use an
insecure hashing algorithm to store user passwords. If an attacker is
able to gain read access to RT's database, it would be possible for
the attacker to brute-force the hash and discover users' passwords.
CVE-2011-0009 has been assigned to this vulnerability.

This vulnerability may affect you even if your RT instance
authenticates against an external source. If your RT instance has ever
stored user passwords in the database, their presence is a risk.

4.0.0rc4 closes this vulnerability by extending the size of the password
field and using SHA-512 with a 16-byte salt.  We are additionally
considering moving to the same multiple-round SHA-512 algorithm that
modern Linux crypt() uses.

We wish to thank Chris Ball <cjb at laptop.org> for bringing this to our
attention in a diligent and professional manner.

Please see docs/UPGRADING-3.8 for instructions on upgrading the password
hashes in your database. 

http://download.bestpractical.com/pub/rt/devel/rt-4.0.0rc4.tar.gz
http://download.bestpractical.com/pub/rt/devel/rt-4.0.0rc4.tar.gz.sig

SHA1 sums

7c19910ed4ba8f46619a796b5c68b9145092014b  rt-4.0.0rc4.tar.gz
8c1a8d8fc1d4c5ae3713a97b1ce80b96f020e165  rt-4.0.0rc4.tar.gz.sig

-kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-devel/attachments/20110119/9a6f4a3c/attachment.pgp>


More information about the rt-devel mailing list