RT: Request Tracker

RT 4.4.9 Release Notes

RT 4.4.9 -- 2025-10-22
======================

RT 4.4.9 is now available for general use. This release contains just
one security update.

With the release of RT 6 in May 2025, this is the last planned release
for the RT 4.4 series. Users should upgrade to RT 5 or RT 6.

https://download.bestpractical.com/pub/rt/release/rt-4.4.9.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.9.tar.gz.asc

SHA-256 sums

cb7c4dffb4879e95d190e5d919bc13870926578394d3f0cd14f15b15dfedea8b  rt-4.4.9.tar.gz
7c039d333e641c4a40c0dd929e24f10840a53aa89a3d698fd2e583001e191a80  rt-4.4.9.tar.gz.asc

Security

The following security issue is fixed in this release.

* RT 4.4 is vulnerable to CSV injection via ticket values with special
characters that are exported to a TSV from search results. This
vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones
from 4armed for reporting this finding.
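
The class of issue described above, seen from the export side, as an added example that is not RT's code and not the fix shipped in this release: ticket values are neutralized before being written to a TSV file so a spreadsheet shows them as text. The trigger-character set, the function names and the sample tickets are assumptions made for this sketch.

```python
import csv
import io

# Assumption: leading characters that spreadsheet applications treat as the
# start of a formula (general CSV-injection guidance, not taken from RT).
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value: str) -> str:
    """Return value in a form that no longer begins with a formula trigger."""
    # Tabs and line breaks inside a value would shift data into new cells
    # or rows of a TSV file, so collapse them to spaces first.
    cleaned = value.replace("\t", " ").replace("\r", " ").replace("\n", " ")
    # Look past leading whitespace too, in case the importing application
    # trims it before interpreting the cell (conservative assumption).
    if cleaned.lstrip().startswith(FORMULA_TRIGGERS):
        # Prefix an apostrophe so the cell starts with a non-trigger character.
        # Trade-off: plain values such as "-5 degrees" are prefixed as well.
        return "'" + cleaned
    return cleaned


def export_tsv(header, rows) -> str:
    """Serialize rows as TSV with every data cell neutralized."""
    out = io.StringIO()
    writer = csv.writer(out, delimiter="\t", lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return out.getvalue()


# Constructed sample ticket rows (id, subject, requestor).
SAMPLE_TICKETS = [
    (101, "Printer offline", "alice@example.com"),
    (102, "=1+1", "bob@example.com"),
    (103, "  +44 20 7946 0000 call back", "carol@example.com"),
    (104, "Line one\n=2*3", "dave@example.com"),
    (105, "-5 degrees in server room", "erin@example.com"),
]

if __name__ == "__main__":
    print(export_tsv(("id", "Subject", "Requestor"), SAMPLE_TICKETS), end="")
```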

A complete changelog is available from git by running:
    git log rt-4.4.8..rt-4.4.9
or visiting
    https://github.com/bestpractical/rt/compare/rt-4.4.8...rt-4.4.9