RT 4.0.17 is now available.
This release fixes an important regression in the upgrade script
included in 4.0.14, 4.0.15, and 4.0.16. Attempting to upgrade from 3.x
would skip key upgrade steps. New installs, and sites upgrading from
within the 4.0.x series, are unaffected.
Affected installations (i.e., who upgraded from 3.x to 4.0.14, 4.0.15,
or 4.0.16) should install RT 4.0.17, and then run ‘make
upgrade-database‘, specifying versions 3.9.9 through 4.0.0 as the
versions to upgrade from and to. This should produce:
Going to apply following upgrades: * 4.0.0rc2 * 4.0.0rc4 * 4.0.0rc7
Due to the missed upgrade steps, passwords would work until after the
user first logged in, or until etc/upgrade/vulnerable-passwords was run.
Affected users may be found by running the following SQL query:
SELECT Name FROM Users WHERE Password LIKE '!sha512!%' AND LENGTH(Password) = 40;
After completing the upgrade steps mentioned above, passwords for
affected users should be restored from backups, the admin UI (assuming
an administrator can log in), or (as a last resort) setting them
explicitly via:
perl -I/opt/rt4/local/lib -I/opt/rt4/lib -MRT=-init \
-e 'my $u = RT::User->new( RT->SystemUser );' \
-e '($u->Load("username"))[0] or die "Failed to load user";' \
-e '$u->SetPassword("new_password");'
Adjust the username and password on the last two lines accordingly. You
may need to adjust /opt/rt4/local/lib and /opt/rt4/lib on the first
line if your RT is not installed into the default location of /opt/rt4
A complete changelog is available from git.