-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We have discovered a security vulnerability in RT 4.2.x, detailed below.
We are releasing RT version 4.2.8 to resolve this vulnerability, as well
as patches which apply atop all released versions of 4.2.
RT 4.2.0 and above may be vulnerable to
Versions of RT between 4.2.0 and 4.2.2 (inclusive) are vulnerable to a
denial-of-service attack via the email gateway; any installation which
accepts mail from untrusted sources is vulnerable, regardless of the
permissions configuration inside RT. This vulnerability is assigned
CVE-2014-1474.
Two of the May 2013 security vulnerabilities also affect the MobileUI
extension, which provides a mobile interface for RT versions 3.8.x. The
extension was merged with core RT starting in version 4.0.0, and the
respective vulnerabilities in RT 4.0.0 to 4.0.12 were fixed by the May
2013 patches and
All released versions of RT from 3.0.0 through 3.8.9rc1 use an
insecure hashing algorithm to store user passwords. If an attacker is
able to gain read access to RT's database, it would be possible for
the attacker to brute-force the hash and discover users' passwords.
CVE-2011-0009 has been