RT 4.4.8 -- 2025-04-29
RT 4.4.8 is now available for general use. The list of changes
included with this release is below. This release primarily provides
security updates. See below for details.
Note that with the upcoming release of RT 6.0.0, the RT 4.4 series
will soon reach end of life. Users should soon plan to upgrade to
RT 5 or RT 6.
https://download.bestpractical.com/pub/rt/release/rt-4.4.8.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.8.tar.gz.asc
SHA-256 sums
b5ea3d861549f18ae144caacb37b2f1d7c231c18c0352fe657095e32af48ab4a rt-4.4.8.tar.gz
e0972fcdc43ecc5a3a2be4e4444102391cb05e20e842daaf5455ab25994e9d34 rt-4.4.8.tar.gz.asc
Security
The following security issues are fixed in this release.
- RT 4.4 is vulnerable to Cross Site Scripting via injection of malicious
  parameters in a search URL. This vulnerability is assigned CVE-2025-30087.
  Thanks to Fabian Russwurm and the Siemens Red Team for reporting this
  finding.
- RT 4.4 uses the default OpenSSL cipher, 3DES (des3), for encrypting SMIME
  email. This is an outdated cipher algorithm, so the default is changed to
  aes-128-cbc. In addition, we have made this option configurable so you can
  pick an alternate cipher now or in the future, or revert to des3 if needed
  for compatibility. This vulnerability is assigned CVE-2025-2545. Thanks
  to Ángel González Berdasco and INCIBE-CERT - Spanish National CSIRT for
  reporting this finding.
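To confirm after upgrading that encrypted outgoing mail no longer uses 3DES, the content-encryption algorithm can be read from the CMS EnvelopedData in a message's decoded application/pkcs7-mime part. The following is an added example, not part of RT or of these release notes; it assumes definite-length DER input, and the names content_cipher, iter_oids, tlv and sample_enveloped are hypothetical.

```python
CIPHERS = {  # content-encryption OIDs that can appear in CMS EnvelopedData
    "1.2.840.113549.3.7": "des-ede3-cbc",      # 3DES (des3), the old default
    "2.16.840.1.101.3.4.1.2": "aes-128-cbc",   # the new default
    "2.16.840.1.101.3.4.1.22": "aes-192-cbc",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
}

def decode_oid(data):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in data:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends one base-128 arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def iter_oids(buf, pos, end):
    """Yield every OID in a definite-length DER structure, depth first."""
    while pos < end:
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length == 0x80:
            raise ValueError("indefinite-length (streamed BER) input not handled")
        if length & 0x80:         # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if tag == 0x06:
            yield decode_oid(buf[pos:pos + length])
        elif tag & 0x20:          # constructed (SEQUENCE, SET, [0]): descend
            yield from iter_oids(buf, pos, pos + length)
        pos += length

def content_cipher(der):
    """Name of the first known content-encryption cipher in der, else None."""
    return next((CIPHERS[o] for o in iter_oids(der, 0, len(der)) if o in CIPHERS), None)

def tlv(tag, *parts):  # builds one DER element; used only for the sample below
    body = b"".join(parts)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def sample_enveloped(cipher_oid_hex):
    """Constructed EnvelopedData skeleton: no recipients, dummy IV and ciphertext."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(cipher_oid_hex)), tlv(0x04, bytes(8)))
    eci = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")), alg, tlv(0x80, bytes(300)))
    env = tlv(0x30, tlv(0x02, b"\x00"), tlv(0x31), eci)
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010703")), tlv(0xA0, env))
```

For a real message, pass the base64-decoded body of the application/pkcs7-mime part to content_cipher; a result of des-ede3-cbc means the message was still encrypted with 3DES.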
Additional Changes
- Add "all" option to rt-clean-sessions to clean all sessions
- Update tests for new warning messages in gpg 2.4+
- Drop unnecessary and outdated version requirement of DBIx::SearchBuilder
A complete changelog is available from git by running:
git log rt-4.4.7..rt-4.4.8
or visiting
rt-4.4.7...rt-4.4.8