RT: Request Tracker
RT 4.4.8 Release Notes
RT 4.4.8 -- 2025-04-29
======================

RT 4.4.8 is now available for general use. The list of changes included with this release is below. This release primarily provides security updates. See below for details.

Note that with the upcoming release of RT 6.0.0, the RT 4.4 series will soon reach end of life. Users should soon plan to upgrade to RT 5 or RT 6.

https://download.bestpractical.com/pub/rt/release/rt-4.4.8.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.8.tar.gz.asc

SHA-256 sums

b5ea3d861549f18ae144caacb37b2f1d7c231c18c0352fe657095e32af48ab4a  rt-4.4.8.tar.gz
e0972fcdc43ecc5a3a2be4e4444102391cb05e20e842daaf5455ab25994e9d34  rt-4.4.8.tar.gz.asc

Security

The following security issues are fixed in this release.

* RT 4.4 is vulnerable to Cross Site Scripting via injection of malicious parameters in a search URL. This vulnerability is assigned CVE-2025-30087. Thanks to Fabian Russwurm and the Siemens Red Team for reporting this finding.

* RT 4.4 uses the default OpenSSL cipher, 3DES (des3), for encrypting SMIME email. This is an outdated cipher algorithm, so the default is changed to aes-128-cbc. In addition, we have made this option configurable so you can pick an alternate cipher now or in the future, or revert to des3 if needed for compatibility. This vulnerability is assigned CVE-2025-2545. Thanks to Ángel González Berdasco and INCIBE-CERT - Spanish National CSIRT for reporting this finding.

Additional Changes

* Add "all" option to rt-clean-sessions to clean all sessions
* Update tests for new warning messages in gpg 2.4+
* Drop unnecessary and outdated version requirement of DBIx::SearchBuilder

A complete changelog is available from git by running:

    git log rt-4.4.7..rt-4.4.8

or visiting

    https://github.com/bestpractical/rt/compare/rt-4.4.7...rt-4.4.8