RT: Request Tracker

RT 4.2.17 Release Notes

RT 4.2.17 -- 2021-09-14

RT 4.2.17 is now available. This is the last release in the
RT 4.2 series. Users should plan to upgrade soon to a supported
release of RT 4.4 or 5.0. The list of changes included with this
release is below.

This release also includes a security fix described below.


SHA-256 sums

177b7e004b90ec7faaac8e21e11b7bc33bd129aba2d512e4b011c37995f8480c rt-4.2.17.tar.gz
95215dd19b46c01303470b8681d27626d3cb6c88a50491d6d5a9c8c7072bebe3 rt-4.2.17.tar.gz.asc


* In previous versions, RT's native login system is vulnerable to user enumeration
through a timing side-channel attack. This means an external entity could try to
find valid usernames by attempting logins and comparing the time to evaluate each
login attempt for valid and invalid usernames. This vulnerability does not allow any
access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
in this release.


* Remove search string including numbers in ticket autocomplete search on select
* Use the correct CurrentUserCanSetOwner return value.
* Find full path for processing acl files on upgrade
* Find full path for processing index files on upgrade
* Convert to abs path before executing initialdata files
* Remove extra closing div on Login/Logout pages

A complete changelog is available from git by running:
    git log rt-4.2.16..rt-4.2.17
or visiting