Releases: bestpractical/rt
rt-4.2.16
RT 4.2.16 -- 2019-03-05
We're pleased to announce the general availability of RT 4.2.16. It
mainly contains several security updates. The list of changes included
with this release is below.
https://download.bestpractical.com/pub/rt/release/rt-4.2.16.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.16.tar.gz.asc
SHA-256 sums
1bbe619072b05efb55725c9df851363892b77ad6788dfd28eadce6a8f84a8209 rt-4.2.16.tar.gz
c7dedccdb6a5c96d20b418d10326dea0175fde0d09cfb47408ab472f696594ba rt-4.2.16.tar.gz.asc
Security Updates
-
One of RT's dependencies, the Perl module Email::Address, has a denial of service vulnerability which could induce a denial of service of RT itself. We recommend updating to Email::Address version 1.912 or later. The Email::Address vulnerabilities are assigned CVE-2015-7686 and CVE-2015-12558. CVE-2015-7686 was addressed in RT with a previous update. Email::Address version 1.912 addresses both of these CVEs with updates directly in the source module. Thanks to Ricardo Signes for helping us with these updates.
-
One of RT's dependencies, the Perl module Email::Address::List, relies on and operates similarly to Email::Address and therefore also has potential denial of service vulnerabilities. These vulnerabilities are assigned CVE-2018-18898. We recommend administrators install Email::Address::List version 0.06 or later. Thanks to Lukas Kramer for reporting the issue and Alex Vandiver for contributing fixes.
-
An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML in some cases. Since RT relies on this module to escape HTML content, it's possible this issue could allow malicious HTML to be displayed in RT. For RT's using this optional module, we recommend administrators install HTML::Gumbo version 0.18 or later. Thanks to Ruslan Zakirov for updating this module.
-
The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting (XSS) vulnerability when using cross-domain Ajax requests. This vulnerability is assigned CVE-2015-9251. RT does not use this jQuery feature so it is not directly vulnerable. jQuery version 1.12 no longer receives official updates, however a fix was posted with recommendations for applications to patch locally, so RT will follow this recommendation and ship with a patched version.
A complete changelog is available from git by running:
git log rt-4.2.15..rt-4.2.16
or visiting
rt-4.2.15...rt-4.2.16
rt-4.4.3
RT 4.4.3 -- 2018-06-26
We're pleased to announce the general availability of RT 4.4.3. This
release introduces several new features and also bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.4.3.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.3.tar.gz.asc
SHA-256 sums
738ab43cac902420b3525459e288515d51130d85810659f6c8a7e223c77dadb1 rt-4.4.3.tar.gz
29e0f9c44e30fb8bb2d23448f1930593aef28e4b3faf5bd22619f52e53229c4f rt-4.4.3.tar.gz.asc
General user UI
- Show the Ticket's Subject when modifying the ticket.
- Re-format RT/Config.pm so the
# loccomment parses correctly. - Sort saved searches alphabetically by name rather than by id.
- In Self Service, provide a path to remove attachments from the session
when they are deleted from dropzone by the user (I#32663). - Fix evaluation of set vs. unset custom fields on display for correct hiding.
- Set dropzone attachment size based on RT's MaxAttachmentSize configuration.
- Add a configuration option TreatAttachedEmailAsFiles to treat attached email
as a file attachment instead of parsing as regular email. - Restore email header parsing for items like email addresses when
TreatAttachedEmailAsFiles is not set. This was disabled in a previous
version. - Respect default queue settings in Create linked ticket dropdown (I#32884).
- More fixes for recipient checkboxes on update. This version removes previous
problematic fixes and gives a visual indication (shading) when RT is updating
recipients in the background and checkboxes should not be changed (I#33027). - Provide a way to reset personal search preferences back to the RT system
default (I#32854). - Add an Untake action to the Actions tab.
- Add active and inactive status to query builder.
- Re-add Queue to 'Order by' dropdown in Search Builder.
- Make admin searches for queue and group case insensitive making it easier to
find groups. - When editing ticket basics, always add valid default value to queue selection,
taking into account SeeQueue rights. - Set dropzone parallelUploads to 1 to avoid losing attachments. Also
set parallelUploads when the dropzone object is created. - Correct error messages on user rights for CF admin UI.
- In ticket history, respect ShowHeaders option from request for
ScrollShowHistory (I#32699). - Fix ExtraArgs of callback ExtraShowHistoryArguments in ScrollShowHistory.
- In the ticket history with scroll set, continue to get transactions until all
have been shown, even if a block has been hidden for some reason (rights, etc.). - Add PreferDropzone config/pref option for users. Dropzone is not accessible
to screen readers and this enables the previous attachments interface which
is accessible. - In the query builder, set operator to "IS" or "IS NOT" for NULL values.
This fixes a regression from pre-4.4 RT behavior. - Don't create ticket if user clicks "Go" buttons of "Include Article".
- Fix CF name escape for asset search's spreadsheet download.
- Show the user in single member custom roles even if the user is
disabled (I#32949).
Administration
- Stop wrapping ShowUser in tags to avoid unnecessary nested links.
- When listing group members, sort by text-only representation of the
user, not HTML (I#30771) - In the group admin page, stop pre-computing ShowUser.
- In shredder, check for both id and name mismatches when loading objects.
- Add a new rt-passwd command to make it easy to reset passwords on the
command-line. - Support custom roles in RT serializer/importer tools.
- Support catalogs and assets in RT serializer/importer tools.
- Update RT's module dependencies for SSL (https) to align with updates
to the CPAN module ecosystem. - Add age, batchsize, and dry-run options to rt-externalize-attachments.
- Set proper HTTP Status codes on Abort.
- The value for converting the owner dropdown to an autocomplete textbox can
now be updated in configuration with DropdownMenuLimit. - Switch to Clone::clone to copy config structures in Obfuscate callbacks. This
restores support for REGEXP and CODE configuration on the System Configuration page. - Provide a way to pass more options to Net::LDAP from LDAPImport configuration.
- Provide more debug output on connection failures in LDAPImport.
- Store log messages until RT::Logger is initialized. This means messages logged
before the logger is available, like "Change of config option..." can now
respect the configured log level. - In shredder, check for both id and name mismatches when loading objects
- Retain scrip sort order in pagination links
Internals
- Cache OCFVs to improve performance searching for duplicates when adding
values. - Remove unused dependencies on File::Copy and Carp.
- On Oracle, return the empty string instead of undef for Subject when it
has no value on a ticket. - When linking, load assets by id to confirm the asset exists. This makes
asset link handling consistent with ticket handling. - Various fixes for compatibility with perl 5.26.
- Support unicode characters in constant time comparison function
- Allow merge for tickets only, not other types like reminders (I#32700).
- Preload Encode with UTF-8 to avoid masking other errors (I#32648).
- Process multiple links via the REST 1.0 interface.
- Add SLA field support on REST 1.0.
- Build table attributes for RT::Asset. This is needed to allow assets to work
properly with REST 2.0. - Avoid uninitialized value warnings with CustomField.
- Call DoAuth only if ExternalAuthPriority is not empty, allowing use of
ExternalAuthInfo without ExternalAuthPriority set. - Use "id asc" as the default sort order of GroupMembers for consistent ordering.
- Cache OCFVs to improve performance searching for duplicates on add.
- In CollectionAsTable, fix the uninitialized warning in case @order is empty.
- In rt-validator, update link checking regex to match asset links.
- Remove trailing "/" from RT::URI::asset::LocalURIPrefix for consistency.
- Use RT::Logger for EmailInputEncodings config warnings.
- "Die" properly when receiving an invalid query via to FromSQL.
Developer
- Avoid using $id in /Ticket/Display.html so callbacks can modify id in ARGS.
- Pass the MIME entity to ParseTicketId in addition to subject.
- Remove a 'This is scary' comment from code that has been running fine for
over 10 years. - Improve warning tracking for automated tests.
- Add an Initial callback to Bulk.html.
- Don't fail externalauth/auth_config.t tests if Net::LDAP is missing.
- Find an idle port for LDAP test server to avoid tests hanging when running
in parallel mode. - When testing, make sure DevelMode is on to catch compilation errors.
- Avoid uninitialized warnings of empty ticket subjects on Oracle.
- In the MessageBox template, default callback, pass $message by reference in
MessageRef, as the variable name implies. This will break previous use of
MessageRef as a scalar. - Add support for a NeverNotifyActor argument to Notify actions.
Documentation
- Mention the RT-Attach-Message: yes header in template docs.
- Fix incorrect path in portlet documentation.
- In $ParseNewMessageForTicketCcs docs, mention the RT::Action::AutoAddWatchers
extension. - Document queue-level template overrides.
- Document using prove and RT_TEST_PARALLEL for tests.
- Note in UPGRADING that RT::Extension::AdminConditionsAndActions is now in core.
- Remove unnecessary AUTHORS sections from docs.
- Update rt-static-docs documentation processing to fix broken links.
- Add MariaDB support to documentation and rt-setup-fulltext-index.
Internationalization
- Many changes to refactor sections of RT's internationalization code.
A complete changelog is available from git by running:
git log rt-4.4.2..rt-4.4.3
or visiting
rt-4.4.2...rt-4.4.3
rt-4.2.15
RT 4.2.15 -- 2018-06-19
We're pleased to announce the general availability of RT 4.2.15. It
contains several improvements and also a few bug fixes. The list of
changes included with this release is below.
https://download.bestpractical.com/pub/rt/release/rt-4.2.15.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.15.tar.gz.asc
SHA-256 sums
3752a12eff67c640e577d2b5feda01c9f07e3b2e227eabf50089086e98038bba rt-4.2.15.tar.gz
e278f4335e86528356301bbf49b239f44caaedacab7caf1c34625d141ed3aa9c rt-4.2.15.tar.gz.asc
General user UI
- Show the Ticket's Subject when modifying the ticket.
- Re-format RT/Config.pm so the
# loccomment parses correctly.
Web Administration
- Stop wrapping ShowUser in tags to avoid unnecessary nested links.
- When listing group members, sort by text-only representation of the
user, not HTML (I#30771) - In the group admin page, stop pre-computing ShowUser.
- In shredder, check for both id and name mismatches when loading objects
- Retain scrip sort order in pagination links
Internals
- Cache OCFVs to improve performance searching for duplicates when adding
values. - Remove unused dependencies on File::Copy and Carp.
- On Oracle, return the empty string instead of undef for Subject when it
has no value on a ticket. - Handle alphabetic words in RT::Plugin::Version
Developer
- Avoid using $id in /Ticket/Display.html so callbacks can modify id in ARGS.
Documentation
- Mention the RT-Attach-Message: yes header in template docs.
- Fix incorrect path in portlet documentation.
Internationalization
- Many changes to refactor sections of RT's internationalization code.
A complete changelog is available from git by running:
git log rt-4.2.14..rt-4.2.15
or visiting
rt-4.2.14...rt-4.2.15
rt-4.4.2
sartak
Shawn M Moore
RT 4.4.2 -- 2017-07-26
We're pleased to announce the general availability of RT 4.4.2. This
release introduces several important security fixes, a handful of
new features, and many bugfixes.
We have redesigned how time worked is calculated per user and for
children tickets. As always please be sure to review the UPGRADING-4.4
document.
The list of security fixes is included below, followed by new features
then by other improvements and bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.4.2.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.2.tar.gz.asc
SHA-256 sums
b2e366e18c8cb1dfd5bc6c46c116fd28cfa690a368b13fbf3131b21a0b9bbe68 rt-4.4.2.tar.gz
2185c2be31b352ad0a7605f9a4e4720b2c3607df75aae1c0cbace9eb9e6fcef8 rt-4.4.2.tar.gz.asc
- Shawn M Moore, for Best Practical
Security
-
RT 4.0.0 and above are vulnerable to an information leak of cross-site
request forgery (CSRF) verification tokens if a user visits a specific
URL crafted by an attacker. This vulnerability is assigned
CVE-2017-5943. It was discovered by a third-party security researcher. -
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
if an attacker uploads a malicious file with a certain content type.
Installations which use the AlwaysDownloadAttachments config setting are
unaffected. This fix addresses all existant and future uploaded
attachments. This vulnerability is assigned CVE-2016-6127. This was
responsibly disclosed to us first by Scott Russo and the GE Application
Security Assessment Team. -
One of RT's dependencies, a Perl module named Email::Address, has a
denial of service vulnerability which could induce a denial of service
of RT itself. We recommend administrators install Email::Address version
1.908 or above, though we additionally provide a new workaround within
RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
vulnerability's application to RT was brought to our attention by Pali
Rohár. -
RT 4.0.0 and above are vulnerable to timing side-channel attacks for
user passwords. By carefully measuring millions or billions of login
attempts, an attacker could crack a user's password even over the
internet. RT now uses a constant-time comparison algorithm for secrets
to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
This was responsibly disclosed to us by Aaron Kondziela. -
RT's ExternalAuth feature is vulnerable to a similar timing side-channel
attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
extension, as well as the core ExternalAuth feature in RT 4.4 are
vulnerable. Installations which don't use ExternalAuth, or which use
ExternalAuth for LDAP/ActiveDirectory authentication, or which use
ExternalAuth for cookie-based authentication, are unaffected. Only
ExternalAuth in DBI (database) mode is vulnerable. -
RT 4.0.0 and above are potentially vulnerable to a remote code execution
attack in the dashboard subscription interface. A privileged attacker
can cause unexpected code to be executed through carefully-crafted saved
search names. Though we have not been able to demonstrate an actual
attack owing to other defenses in place, it could be possible. This fix
addresses all existant and future saved searches. This vulnerability is
assigned CVE-2017-5944. It was discovered by an internal security audit. -
RT 4.0.0 and above have misleading documentation which could reduce
system security. The RestrictLoginReferrer config setting (which has
security implications) was inconsistent with its implementation, which
checked for a slightly different variable name. RT will now check for the
incorrect name and produce an error message. This was responsibly
disclosed to us by Alex Vandiver.
New features
-
Custom fields now have a "New values must be unique" option.
-
Custom fields now support value canonicalization (for example,
automatically changing input values to be all uppercase). See the
@CustomFieldValuesCanonicalizers config option. -
Ticket timers provide a comment box for quickly adding ticket comments
to describe your time worked. -
You can now set up default values for assets on a catalog level.
-
You can choose to display result counts on ticket search portlets using
the new $ShowSearchResultCount config setting. -
There is now a "Load all history" link for the "as you scroll" history
loading mode, to allow you to use browser-based text search. -
We now display a list of recently-viewed tickets in the
Search -> Tickets -> Recently Viewed menu. -
We have made RT::Extension::AdminConditionsAndActions part of core
RT, so you can now easily configure the conditions and actions of
your scrips right within the admin UI.
General user UI
- Avoid breaking sorting of non-ticket searches in dashboards
- Avoid duplicate one-time recipients (I#31938, I#31939)
- Suppress ticket Ccs and AdminCcs from one-time recipients
- Allow ordering assets with "CustomField.Foo" syntax
- Avoid divide-by-zero in charts with no data (I#32143)
- Add ability to link multiple assets to a new ticket from asset bulk
update - Add quick asset create portlet for user summary
- Add encrypt/sign controls to ticket forward page
- Fix browser-based search navigation link generation (I#32197)
- Remove self-service password change form under ExternalAuth
- Respect SetInitialCustomField right in self-service (I#32233)
- Declare page as being in user's language for browser spellcheck (I#32082)
- Fix error with merge tickets being used on bulk update (I#32237)
- Avoid overaggressively generating external attachment links
- Add $HideOneTimeSuggestions config to hide one-time recipient
addresses behind a click - Add "All recipients" checkboxes to modify people page and one-time
recipients on update - Dashboards are now displayed in alphabetically-sorted order
- Remove dashboard from menu if it can't be loaded (I#29719)
- Avoid wrapping one-time recipient checkbox separately from its
label (I#32117) - Use only top-level attachments for generating one-time recipient lists
to avoid e.g. phishing addresses - Fix accidental usage of server timezone for end users (I#32315)
- Add user preference for browser context menu instead of
CKEditor's, for native spellcheck (#32274) - QuickCreate on a dashboard no longer sends you to the homepage (I#25573)
- Respect HideTimeFieldsFromUnprivilegedUsers in correspond
transactions with time worked - Fix occasionally-missing background-color for comments
- Add a Timer column to search results for launching ticket timer
- Fix error preventing merging tickets with lazily-created watcher
groups (I#32490) - Add a CurrentUserName TicketSQL placeholder
- You can now search tickets using Queue LIKE '�' and Queue NOT LIKE '�'
- Make "Show all" link for attachment lists more prominent (I#32459)
- Respect SetInitialCustomField for multi-valued CFs (I#32491)
- Fix bulk update for asset custom fields (I#32509)
- Add support for CF grouping in asset bulk update (#32198)
- Add "reattach" as an attachment warning keyword
- Sort one-time recipient addresses (I#31879)
- Fix article quicksearch degrading the article menu (#31591)
- Avoid noisy "CF changed from 0 to 0" messages (I#32440)
- Avoid showing a truncated list of articles due to permissions (I#31989)
- Avoid double-encoded text attachments loaded from ExternalStorage
- You can now chart tickets by SLA (I#31824)
- Add "Show all" button for attachments on ticket forward page
- Relabel "Password" portlet on user page to "Access control" (I#31379)
- Fix UI for bulk update of "List"-type select-multiple CFs (I#32562)
- Avoid discarding checkbox changes in Recipients panel (I#32290)
- Clean up article custom fields display (I#32641)
- Add SLA field to bulk update if any queues have SLA enabled
- Include the new Request Tracker logo
- Fix overly-large bookmark star on mobile UI (I#32727)
- Stop double-escaping HTML which is made into links (I#31169)
- Fix keyboard shortcut UI for selecting tickets on old themes (I#32748)
- Add Reports menu with several predefined reports
Command-line
- Fix rt-ldapimporter --debug logging output (I#32196)
- Improve rt-ldapimporter documentation
- Produce output from etc/upgrade/upgrade-assets
- Avoid overaggressively trimming whitespace from MIME encoded-words
- Add config option $OverrideMailPrecedence to help avoid out-of-office
autoreplies - Fix issues with encrypted attachments being unreadable/absent
Database
- Skip DBA password prompt on SQLite
- Avoid warnings when upgrading old saved searches (I#32235)
- � and fix up those old saved searches (I#16856)
- Restart asset and catalog ID sequences for Pg and Oracle in
etc/upgrade/upgrade-assets - Add index on Attachments table column Filename (I#32033)
- Replace deprecated NOCREATEUSER with NOSUPERUSER for
Postgres 9.6 (I#32511) - Avoid deadlock in SetOwner race condition which we believe affected
only MySQL (I#32381) - The previous may have caused inconsistent ticket ownership, and so
the 4.4.2 upgrade step will find and fix such issues - Add rt-validator rules for possible issues around ticket owner
rt-serializer/rt-importer
- Fix several incorrect references in output (I#31803, I#31804, I#31805,
I#31808) - Add --exclude-organization option (I#31812, I#31813)
- Add --limit-queues and --limit-cfs options
- Suppress semi-unmigrated link relationships by default
- Add --hyperlink-unmigrated option
- Fix queue change transactions to mention unmigrated queues by name
- Support for dashboards in menu preference (I#31810)
- Support for RT at a Glance prefer...
rt-4.2.14
sartak
Shawn M Moore
RT 4.2.14 -- 2017-07-26
We're pleased to announce the general availability of RT 4.2.14. This
release introduces several important security fixes as well as many
bugfixes.
The list of security fixes is included below, followed by other
improvements and bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.2.14.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.14.tar.gz.asc
SHA-256 sums
b3ee51d284001fe6938f879754a03866073aa48992fdd1709b1a54a1e6c6e614 rt-4.2.14.tar.gz
a5dd10fe84691a3f84e1d5983d8223c46a6b34eb20b92cbeca1c0a2f793d8e56 rt-4.2.14.tar.gz.asc
- Shawn M Moore, for Best Practical
Security
-
RT 4.0.0 and above are vulnerable to an information leak of cross-site
request forgery (CSRF) verification tokens if a user visits a specific
URL crafted by an attacker. This vulnerability is assigned
CVE-2017-5943. It was discovered by a third-party security researcher. -
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
if an attacker uploads a malicious file with a certain content type.
Installations which use the AlwaysDownloadAttachments config setting are
unaffected. This fix addresses all existant and future uploaded
attachments. This vulnerability is assigned CVE-2016-6127. This was
responsibly disclosed to us first by Scott Russo and the GE Application
Security Assessment Team. -
One of RT's dependencies, a Perl module named Email::Address, has a
denial of service vulnerability which could induce a denial of service
of RT itself. We recommend administrators install Email::Address version
1.908 or above, though we additionally provide a new workaround within
RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
vulnerability's application to RT was brought to our attention by Pali
Rohár. -
RT 4.0.0 and above are vulnerable to timing side-channel attacks for
user passwords. By carefully measuring millions or billions of login
attempts, an attacker could crack a user's password even over the
internet. RT now uses a constant-time comparison algorithm for secrets
to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
This was responsibly disclosed to us by Aaron Kondziela. -
RT's ExternalAuth feature is vulnerable to a similar timing side-channel
attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
extension, as well as the core ExternalAuth feature in RT 4.4 are
vulnerable. Installations which don't use ExternalAuth, or which use
ExternalAuth for LDAP/ActiveDirectory authentication, or which use
ExternalAuth for cookie-based authentication, are unaffected. Only
ExternalAuth in DBI (database) mode is vulnerable. -
RT 4.0.0 and above are potentially vulnerable to a remote code execution
attack in the dashboard subscription interface. A privileged attacker
can cause unexpected code to be executed through carefully-crafted saved
search names. Though we have not been able to demonstrate an actual
attack owing to other defenses in place, it could be possible. This fix
addresses all existant and future saved searches. This vulnerability is
assigned CVE-2017-5944. It was discovered by an internal security audit. -
RT 4.0.0 and above have misleading documentation which could reduce
system security. The RestrictLoginReferrer config setting (which has
security implications) was inconsistent with its implementation, which
checked for a slightly different variable name. RT will now check for the
incorrect name and produce an error message. This was responsibly
disclosed to us by Alex Vandiver.
General user UI
- Avoid divide-by-zero in charts with no data (I#32143)
- Remove dashboard from menu if it can't be loaded (I#29719)
- Avoid wrapping one-time recipient checkbox separately from its
label (I#32117) - Use only top-level attachments for generating one-time recipient lists
to avoid e.g. phishing addresses - Fix bulk update for asset custom fields (I#32509)
- Sort one-time recipient addresses (I#31879)
- Fix article quicksearch degrading the article menu (#31591)
- Avoid noisy "CF changed from 0 to 0" messages (I#32440)
- Avoid showing a truncated list of articles due to permissions (I#31989)
- Include the new Request Tracker logo
- Stop double-escaping HTML which is made into links (I#31169)
- Avoid overaggressively trimming whitespace from MIME encoded-words
- Add config option $OverrideMailPrecedence to help avoid out-of-office
autoreplies - Fix issues with encrypted attachments being unreadable/absent
Database
- Replace deprecated NOCREATEUSER with NOSUPERUSER for
Postgres 9.6 (I#32511)
rt-serializer/rt-importer
- Fix several incorrect references in output (I#31803, I#31804, I#31805,
I#31808) - Add --exclude-organization option (I#31812, I#31813)
- Add --limit-queues and --limit-cfs options
- Suppress semi-unmigrated link relationships by default
- Add --hyperlink-unmigrated option
- Fix queue change transactions to mention unmigrated queues by name
- Support for dashboards in menu preference (I#31810)
- Support for RT at a Glance preference (I#31809)
- Don't skip RT->System searches
- Avoid breaking rights granted to users (I#31806)
Web Administration
- Add checkbox for selecting all custom field values in admin UI
- Log a history entry when adjusting whether a user is Privileged
- Log history entries when adding/removing a group member both to
the group and to the member - Hide disabled scrips by default, adding a "include disabled scrips"
checkbox (I#30131) - Add missing timezone field on user create/modify (I#29977)
- Add RT extension names and versions to System Configuration page (I#31482)
Server Administration
- Avoid error messages in 4.0.1 upgrade step
- Improve automatic identification of
findcommand - Add RefreshIntervals config option for managing homepage and
dashboard refresh - Log failure to unlink temp file after email parse (I#32142)
- Make automatically linking a used article to the ticket configurable
with $LinkArticlesOnInclude config - Avoid undef warnings with mbox MailCommand and FastCGI
- Avoid regex deprecation warnings on perl 5.21.1+
- Avoid issues with modern Perl versions excluding ./ from @inc
- Reduce log levels of custom field loading issues caused by ordinary
end-user actions (I#31742) - Adapt SMIME probe to work with openssl 1.1
- Double bcrypt cost for password hashing
- Avoid "Couldn't load object RT::Transaction #0" warnings (I#31548)
- Avoid broken DateTime::Locale versions (I#31542)
- Avoid incompatible DBD::mysql version (I#32670)
Developer
- Clarify the usage of skip_update in /Ticket/Update.html BeforeUpdate
callback - Fix whitespace-related test failures under Mojolicious 7.0
- Fix test failures when /usr/bin/sendmail absent
- Factor out _OutgoingMailFrom into a separate method for extensibility
- Ensure that Test::NoWarnings is skipped if skip_all is used
- Fix bug where RT::Ticket->Create's SquelchMailTo would squelch only
to the first address (I#31600) - Avoid test failure caused by hash randomization
- Set up default args for customizations calling SignEncrypt directly
- New callbacks:
/Elements/ShowCustomFieldWikitext WikiFormatArgs
/Search/Elements/Chart AfterChartTable - Improved callbacks:
/Elements/Tabs Privileged adds Search_Args and Has_Query parameters
Documentation
- Update links to the RT wiki
- Update mailing list references to point to community forum
- Improve documentation around creating a custom theme (I#31800)
- Document how to include custom fields in format strings
Internationalization
- Improve translatability of "Refresh home page every x minutes." now
that "x" is configurable with @RefreshIntervals - Update translations for: Brazilian Portuguese, Dutch, German, Latvian,
Macedonian, Russian, Serbian, Slovenian, and Spanish
A complete changelog is available from git by running:
git log rt-4.2.13..rt-4.2.14
or visiting
rt-4.2.13...rt-4.2.14
rt-4.0.25
sartak
Shawn M Moore
RT 4.0.25 -- 2017-07-26
We're pleased to announce the general availability of RT 4.0.25. This
release introduces several important security fixes as well as a handful
of bugfixes. Please be aware that we intend for the 4.0.25 release to be
the final release of the RT 4.0 series and no further security or bug
fixes will be published.
The list of security fixes is included below, followed by other
improvements and bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.0.25.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.0.25.tar.gz.sig
SHA-256 sums
69daa9b9e6c9acb4ca31ec1c3efc8bb4901cc7047eed784f2f91515815fdd4cd rt-4.0.25.tar.gz
cde49077cb7b125216cb264048fee9ad8961d227c5d24e93d7f7644c88b0a7d6 rt-4.0.25.tar.gz.sig
- Shawn M Moore, for Best Practical
Security
-
RT 4.0.0 and above are vulnerable to an information leak of cross-site
request forgery (CSRF) verification tokens if a user visits a specific
URL crafted by an attacker. This vulnerability is assigned
CVE-2017-5943. It was discovered by a third-party security researcher. -
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
if an attacker uploads a malicious file with a certain content type.
Installations which use the AlwaysDownloadAttachments config setting are
unaffected. This fix addresses all existant and future uploaded
attachments. This vulnerability is assigned CVE-2016-6127. This was
responsibly disclosed to us first by Scott Russo and the GE Application
Security Assessment Team. -
One of RT's dependencies, a Perl module named Email::Address, has a
denial of service vulnerability which could induce a denial of service
of RT itself. We recommend administrators install Email::Address version
1.908 or above, though we additionally provide a new workaround within
RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
vulnerability's application to RT was brought to our attention by Pali
Rohár. -
RT 4.0.0 and above are vulnerable to timing side-channel attacks for
user passwords. By carefully measuring millions or billions of login
attempts, an attacker could crack a user's password even over the
internet. RT now uses a constant-time comparison algorithm for secrets
to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
This was responsibly disclosed to us by Aaron Kondziela. -
RT's ExternalAuth feature is vulnerable to a similar timing side-channel
attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
extension, as well as the core ExternalAuth feature in RT 4.4 are
vulnerable. Installations which don't use ExternalAuth, or which use
ExternalAuth for LDAP/ActiveDirectory authentication, or which use
ExternalAuth for cookie-based authentication, are unaffected. Only
ExternalAuth in DBI (database) mode is vulnerable. -
RT 4.0.0 and above are potentially vulnerable to a remote code execution
attack in the dashboard subscription interface. A privileged attacker
can cause unexpected code to be executed through carefully-crafted saved
search names. Though we have not been able to demonstrate an actual
attack owing to other defenses in place, it could be possible. This fix
addresses all existant and future saved searches. This vulnerability is
assigned CVE-2017-5944. It was discovered by an internal security audit. -
RT 4.0.0 and above have misleading documentation which could reduce
system security. The RestrictLoginReferrer config setting (which has
security implications) was inconsistent with its implementation, which
checked for a slightly different variable name. RT will now check for the
incorrect name and produce an error message. This was responsibly
disclosed to us by Alex Vandiver.
General user UI
- Make sub-menus accessible on screen-readers
- Respect the user's chosen units for Time Worked across page loads, instead
of always defaulting to minutes (I#17985) - In Jumbo, preserve ticket basics so in progress changes persist after
returning to the page - Fix a regression in 4.0.20 which caused some users to have
blank homepages (I#30106) - Include the new Request Tracker logo
Database
- We now correctly shred ObjectCustomFields records when shredding a
CustomField
Server Administration
- Avoid issues with dual-life module installation on older, patched perls
- Explicitly depend on Class::Accessor::Fast, not Class::Accessor
- Fix potential upgrade failure in e.g. etc/upgrade/upgrade-articles
- Avoid regex deprecation warnings on perl 5.21.1+
- Avoid issues with modern Perl versions excluding ./ from @inc
- Avoid broken DateTime::Locale versions (I#31542)
- Avoid incompatible DBD::mysql version (I#32670)
Developer
- Fix RT::Attribute->DeleteSubValue
- Remove duplicated content-encoding handling in OriginalContent
Documentation
- Update links to the RT wiki
- Update mailing list references to point to community forum
Internationalization
- Update translations for: Arabic, Catalan, Czech, Occitan, Persian,
Serbian, and Slovak
A complete changelog is available from git by running:
git log rt-4.0.24..rt-4.0.25
or visiting
rt-4.0.24...rt-4.0.25
rt-4.4.1
sartak
Shawn M Moore
RT 4.4.1 -- 2016-07-20
We're pleased to announce the availability of RT 4.4.1. This release
addresses several bugs in RT 4.4.0 and also adds a few small but important
features.
The list of new features is included below, followed by bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.4.1.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.1.tar.gz.asc
SHA1 sums
a3c7aa5398af4f53c947b4bee8c91cecd5beb432 rt-4.4.1.tar.gz
ae0308287bf1c42d2a3fe0a429f4c8715d15599d rt-4.4.1.tar.gz.asc
- Shawn M Moore, for Best Practical
New features
- Administrators and users can now choose to place signatures above
the quoted message in replies (RT_Config setting
"SignatureAboveQuote" and the similarly named user preference). This
also improves the specific spacing between quotes and signatures in
all configurations. (I#31877) - Users may now choose to suppress dashboard email when all of its
searches have no results. This is controlled by the new "Suppress if
empty" checkbox on the subscription page. (I#30078) - The Dashboard subscription recipient options have been greatly
expanded from a single text field (which happened to support multiple
email address separated with a comma) to a robust user/group search. - Users may now select a specific language for each dashboard email
subscription. Administrators can customize the method by which
dashboard email language is chosen (including specifying an ultimate
fallback other than English) with the @EmailDashboardLanguageOrder
RT_Config option. - The "hide unset fields" preference now also hides unset custom
fields, obsoleting RT::Extension::CustomField::HideEmptyValues.
Additionally there is now a toggle button at the top right of the
ticket display page for quickly toggling whether unset fields are
hidden or shown. (I#31523) - There is a new SetInitialCustomField right that permits setting
custom field values on records (tickets, assets, articles) while you
are creating them. It does not permit modifying custom field values
of existing records. Users with SetInitialCustomField but without
ShowCustomField will still be able to specify a custom field value
at create time but not see it afterwards. (I#14974) - Administrators and users can now choose to display queue dropdowns
as an autocomplete field (RT_Config setting "AutocompleteQueues"),
much like is available for Owners. If your RT instance has many
queues this option improves performance and usability. (I#31291) - New config for hiding time worked, time estimated, and time left
from unprivileged users in the self-service interface (RT_Config
setting "HideTimeWorkedForUnprivilegedUsers"). This also adds a hook
point RT::Ticket::CurrentUserCanSeeTime for further
customization. (I#31302) - Long attachment lists can now be truncated to show only the X newest
attachments, with an AJAX "Show all" link, (RT_Config setting
"AttachmentListCount"). This should improve the performance and
usability of both ticket display and ticket reply pages.
General user UI
- Eliminate console errors from Preview Scrip Recipients panel when there
are no recipients - Avoid URL length errors from Preview Scrip Recipients panel when the
messagebox has lots of content (I#31874) - Include MessageBoxRichText in JavaScript config to fix compatibility
for RT::Extension::QuoteSelection - Support autocomplete custom fields in bulk update (I#15259)
- Hint to the user that not all CF types are supported by bulk update,
instead of silently excluding them (I#15259) - Exclude One-Time Cc and One-Time Bcc addresses from
squelching (I#31386) - Restore behavior of $EditCustomFieldsSingleColumn config (I#18555)
- Improve "reuse existing attachments" UI to match existing
attachments UI (I#31709) - Improve ticket timer text-overflow styling (I#31713)
- Switch from generating an explicit list of statuses to Status =
'Active' and Status = 'Inactive' throughout the UI, both
improving performance and simplifying TicketSQL queries (I#31695 etc) - Switch queue search from queue ID to queue name for better usability
- Fix keyboard shortcut ? command in self-service UI (I#31535)
- Support / keyboard shortcut in self-service UI
- Add ticket SLA to display columns for search results (I#31831)
- Modernize UI of Articles display and modify
- Display creator, created, and updated metadata on Articles pages
- Fix searching for people associated with Assets (I#31546)
- Support 4.4 attachment uploader in self-service UI (I#31845)
- Fix bulk update check/clear all checkboxes (I#31667)
- Fix poor rendering of "create [relationship] ticket in [queue]" when
there are no existant links (I#31871) - Fix a regression with time zones in datetime custom fields (I#31674)
- Ticket timers no longer pause when JavaScript stops running (I#31707)
- Show the "include attachments" label on ticket reply only if there
are attachments to include - Avoid showing an empty custom fields panel on ticket edit pages when
user can see custom fields but cannot edit them - Fix new and existing charts that fail to render on dashboards (I#31557)
- Fix certain attachment links containing HTML metacharacters from
double escaping (I#31751) - Avoid failure to create tickets due to custom role rights (I#32069)
- Avoid SQL errors when using article quicksearch (I#31987)
Command-line
- Add new sbin/rt-search-attributes script for searching for
attributes matching criteria specified as Perl code (I#31294) - Fix issues around incorrect recipients in rt-crontool invocations
with multiple actions
Database
- Add $MaxFulltextAttachmentSize RT_Config option (default: 0 meaning
no limit) for tuning how very large attachments are included in the
full-text index - Avoid indexing EmailRecord transactions as they duplicate content
already available in the original Create, Correspond, and Comment
transactions. This improves both indexing time and index size
considerably. - Avoid creating transactions for, and bumping Last Updated of,
tickets when migrating RT::Extension::SLA custom field values to
the core SLA field (I#31924) - Add the new RT 4.4 Queue SortOrder column sooner in the 4.4 upgrade
process to improve extension compatibility - Avoid errors during
make initdbwhen ExternalAuth is enabled (I#32009)
Web Administration
- Add EscapeURI and EscapeHTML functions for use in email
templates (I#31442) - Add RT::Action::AddPriority action for use with rt-crontool which
simply increments the priority by $Argument every invocation
Server Administration
- Avoid DateTime::Locale version 1.01
https://rt.cpan.org/Public/Bug/Display.html?id=110244 - Have ./configure test whether to use GNU-style syntax or BSD-style
syntax forfind -perm - Several fixes around 4.0 and 4.2 upgrade scripts running under 4.4
- Fix migration of "SLA Disabled" for queues in the upgrade-sla
script (I#31703) - Avoid overloading error caused by certain versions of Email::Address
on Preview Scrips Recipients (I#31712) - Add explicit Pod::Select dependency since it was removed from Perl
5.18 (I#31873) - Add documentation for the now-core ExternalAuth and LDAPImport options
in RT_Config (I#31464) - Automatically enable ExternalAuth when the ExternalSettings config
option is declared, obviating the need for an explicit
Set($ExternalAuth, 1);(I#31689) - Remove unnecessary dependencies on FCGI::ProcManager and
Net::LDAP::Server::Test (I#31872) - Many cleanups in and improvements to our CPAN dependency install
toolchain
Developer
- Remove unused RT::Shredder::Record
- Add RT::Date->Strftime method (I#31435)
- If content_like (or similar) tests fail, output the page content
to a tmp file for debugging (I#31408) - Make autocomplete infrastructure more generic and extensible
- Add missing %ARGS to ShowHistoryPage call in ShowHistory, improving
RTIR compatibility - Fix missing CurrentUser parameter in RT::Interface::Email::Gateway
to improve RT::Extension::CommandByMail compatibility - Fix Queue SLADisabled _CoreAccessible metadata to match schema's default
value of 1 (I#31822) - Switch "hide unset fields" to be implemented with CSS for additional
flexibility - Add CSS classes (for example
.admincc) for many basic fields on
ticket display - Allow setting SLA in RT::Queue->Create, which can be used in
initialdata files (I#31823) - Improve ShowHistory compatibility with RTIR
- Add stubs for the fields that had been removed from queues in 4.4 to
improve compatibility with extensions and customizations (I#32019) - Fix tests to enable ExternalAuth
- Added infrastructure for deprecating specific callbacks, as we
consider them to be part of our stable API
(RT::Interface::Web::Request %deprecated) - Deprecated callbacks:
/Admin/CustomFields/Modify.html AfterUpdateCustomFieldValue - New callbacks:
/Ticket/Update.html RightColumnBottom
/Admin/CustomFields/Modify.html EndOfPage
/Elements/CollectionAsTable/Row EachField
/Dashboards/Subscription.html SubscriptionFormEnd, SubscriptionFields,
and MassageSubscriptionFields
/Elements/SelectOwnerDropdown ModifyOwnerListRaw and ModifyOwnerListSorted
/Helpers/Autocomplete/Owners ModifyOwnerAutocompleteSearch
/Elements/ShowTransactionAttachments BeforeAttachment - Improved callbacks:
/Admin/CustomFields/Modify.html Initial adds $Results
/Elements/MessageBox Default adds $DefaultRef and $MessageRef - Adjust TicketHistoryPage to reuse existing callbacks for TicketHistory
Documentation
- Add documentation for 4.4's $ShowHistory scroll option in
RT_Config (I#31705) - Fix UPGRADING-4.2's description of PostgreSQL full-text search using
GiST; it uses GIN indexes (I#31844) - Link to RT::Authen::ExternalAuth as a local document like the rest
of RT's core modules, rather than as an external link to metacpan
like we do for extensions (I#31957) - Update docs/authentication.pod to reflect RT::Aut...
rt-4.2.13
sartak
Shawn M Moore
RT 4.2.13 -- 2016-07-20
We're pleased to announce the availability of RT 4.2.13. This release is a
bugfix release; most notably, values in charts are now sorted numerically,
and regression for time zones on date/time custom fields has been addressed.
A complete list of improvements follows.
https://download.bestpractical.com/pub/rt/release/rt-4.2.13.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.13.tar.gz.asc
SHA1 sums
eb155493ae8aa965a9571be47abe95ce7dd7a70c rt-4.2.13.tar.gz
4b760717439c6971bd5849e1b3401e7d6bb404cb rt-4.2.13.tar.gz.asc
- Shawn M Moore, for Best Practical
General User UI
- Avoid race condition where a ticket's Started timestamp could be
before its Created timestamp - Users without ability to update a saved search are no longer shown
an Update button - IP custom field textboxes now wide enough for full IPv6 addresses (I#24565)
- Self-service Cc field now allows for autocompleting multiple users
- When possible sort charts numerically rather than ascii-betically
- QuickCreate now respects DefaultQueue and RememberDefaultQueue (I#30913)
- Make user preferences use label tags for better clickiness (I#30953)
- Hide "Transaction has no content" from Extract Article (I#31027)
- Improve CSRF detection by whitelisting more specific parameters (I#31090)
- Empty selection boxes no longer render 1px wide (I#31316)
- Show queue ID if the user can't see the queue name
- Search builder display format now properly supports "large" sizing
- Fix SMIME encoding issue (I#31155)
- Improve messaging and logging around reminders that users can't see
- Queue name on ticket display is now a link to a search for all active
tickets in that queue - Support autocomplete custom fields in bulk update (I#15259)
- Hint to the user that not all CF types are supported by bulk update,
instead of silently excluding them (I#15259) - Improve compliance with RFC4480 for GPG armor lines (I#30372)
- Restore behavior of $EditCustomFieldsSingleColumn config (I#18555)
- Fix a regression with time zones in datetime custom fields (I#31674)
- Fix certain attachment links containing HTML metacharacters from
double escaping (I#31751) - Fix custom attachment URLs for self-service users (I#30960)
Database
- "schema" upgrade files no longer issue CREATE INDEX statements, instead
there are now "indexes" upgrade files that describe the end state of the
indexes RT requires. This better handles indexes that may have been
deployed by hand or otherwise already exist. - We now correctly shred ObjectCustomFields records when shredding a
CustomField - Add $MaxFulltextAttachmentSize RT_Config option (default: 0 meaning
no limit) for tuning how very large attachments are included in the
full-text index - Improve 4.0 upgrade scripts running under 4.2
Web Administration
- We now record transactions for changes to queues
- Improve visual design of Shredder forms
Server Administration
- Add missing dependency on Encode 2.64
- New RT_SiteConfig.pm files now get a "use utf8;" by default to allow
config options to use Unicode - bcrypt cost has been doubled on schedule to improve password hashing
security - Allow multiple --action and --action-arg options in rt-crontool
- Fix "use of localtime without parentheses" warning
- rt-email-dashboards now has a --log parameter for setting log level
- Add config %ReferrerComponents to provide fine-grained control over
referrer checking behavior - Clarify web config validation log messages (I#31117)
- Add a no_ticket_transactions option to user shredder
- Remove now-unnecessary dependency on Apache::DBI (I#31210)
- Avoid DateTime::Locale versions 1.00 and 1.01
https://rt.cpan.org/Public/Bug/Display.html?id=110244 - Have ./configure test whether to use GNU-style syntax or BSD-style
syntax forfind -perm(I#31308)
Developer
- Improve test compatibility with File::Which 1.17
- Improve test compatibility with HTML::FormatText::WithLinks::AndTables
- Remove unused RT::Shredder::Record
- Transactions now have a ColumnMap
- New callbacks:
/Ticket/Create.html MassageCloneArgs
/Admin/Queues/Modify.html FormStart
/Ticket/Elements/ShowBasics AfterTimeLeft, AfterPriority, AfterQueue,
and AfterTable
/Ticket/Elements/ShowSummary AfterBasics, AfterPeople, AfterReminders,
and AfterDates
/Ticket/Graphs/index.html BeforeActionList, FormStart, AfterForm, and
Default
/Ticket/Update.html RightColumnBottom
/Admin/CustomFields/Modify.html EndOfPage
/Elements/CollectionAsTable/Row EachField
/Dashboards/Subscription.html SubscriptionFormEnd, SubscriptionFields,
and MassageSubscriptionFields
/Elements/ShowTransactionAttachments BeforeAttachment - Improved callbacks:
/Admin/CustomFields/Modify.html Initial adds $Results
Documentation
- New documentation on format strings (docs/format-strings.pod) for
controlling how search results are displayed - Update documentation to expect that most installations will deploy
fulltext search - Also remind users that they should set up backups in the README
- Fix UPGRADING-4.2's description of PostgreSQL full-text search using
GiST; it uses GIN indexes (I#31844)
Internationalization
- Adjust the string "CustomFields" to instead use the existing
"Custom Fields" to ease translation - We now display translated ticket properties and statuses on graphs
- Update translations for: Brazilian Portuguese, Czech, Finnish, French,
German, Greek, Hungarian, Japanese, Latvian, Lithuanian, Occitan, Polish,
Russian, Spanish, Swedish, and Turkish
A complete changelog is available from git by running:
git log rt-4.2.12..rt-4.2.13
or visiting
rt-4.2.12...rt-4.2.13
rt-4.4.0
sartak
Shawn M Moore
RT 4.4.0 -- 2016-02-04
We're thrilled to announce the availability of RT 4.4.0! This is
the first release for the next major version of RT. The focus of
this release series is quality-of-life improvements for both users
and administrators.
When upgrading, please be sure to review the upgrading documentation
available in docs/UPGRADING-4.4, as there are a number of
backward-incompatible changes that come along with the new version
number. Upgrading documentation is also available at
http://www.bestpractical.com/docs/rt/latest/UPGRADING-4.4.html
https://download.bestpractical.com/pub/rt/release/rt-4.4.0.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.0.tar.gz.asc
3bfeeac1e7a7cd4b1a042db04459f0e87c2b5fbb rt-4.4.0.tar.gz
a4a15d41d9ae663d4fda6c2f5246cc0cf26127ac rt-4.4.0.tar.gz.asc
A list of the major new features in RT 4.4.0 is included below. Many
of the new features are described and demoed in a series of
blog posts on http://blog.bestpractical.com/ with still more to come.
Finally, we'd like to invite you to attend our next training session in
Hamburg, Germany, which covers the new features in RT 4.4 as well as
RTIR and its next version. Visit http://bestpractical.com/training for
more.
- Shawn M Moore, for Best Practical
- RT now includes the Assets extension for tracking your physical and
digital resources. - Attachments can now be stored outside of the database either on disk, in
Dropbox, or on Amazon S3. Attachments can also be directly served from S3. - SLA tracking is now part of core RT. You can define many different service
levels that take your business hours and holidays into account. - External authentication and LDAP integration are now shipped as core RT
features. - RT now has support for custom roles, along the lines of Requestor, Owner,
Cc, and AdminCc. These roles can be single-member or multi-member.
Privileges can be assigned to members of custom roles, you can search based
on custom role membership, you can notify custom role members in
scrips, and so on. - RT now has a modern file upload interface which allows you to select
multiple files in one fell swoop, drag and drop attachments onto RT, and
inline preview certain file types like images. - We've added a "scroll" option for gradually loading in ticket history as
the user scrolls down, much like "infinite scroll". This considerably
improves perceived performance. - Existing attachments on a ticket can be reused in subsequent replies,
so you don't have to upload them again. - We now provide some basic Articles configuration for new deploys so that
you can start using the feature immediately. - You can now break up your RT_SiteConfig.pm file into logically-related
chunks under the RT_SiteConfig.d/ directory. - You can now specify default values at the queue level for certain ticket
fields, including custom fields. - RT now warns you when you write the word "attach" (or "attached", etc)
but haven't provided any attachments yet, to avoid "sorry, I forgot this
attachment" followup mail. - RT now understands many more types of "human" date strings.
- Users can now choose any subset of the seven weekdays to receive their
daily dashboard subscriptions. - The query builder display format panel has seen several improvements;
most importantly adjusting the display columns no longer reloads the
entire page. - We've added a popout ticket timer for helping you track time inside RT.
The timer is associated with a ticket and will add the time to to it for
you. - RT now ships with keyboard shortcuts for primarily for navigating ticket
search results. - We ship a (disabled-for-upgrades, enabled-for-new-deploys) scrip for
carrying over time worked to parent tickets. Similarly, we ship a scrip for
tracking time worked per user. - We've added a way to quickly create new linked tickets in queues other than
the one that the current ticket is in. - There's a new site-level config setting and user preference for hiding
unset fields on ticket display pages. - Custom fields now have a customizable "entry hint" for helping users
understand what they should be entering as values. - TicketSQL and the search builder now support Status = 'Active' and
Status = 'Inactive' type queries, so you no longer need to enumerate
all statuses likeStatus = 'new' OR Status = 'open' OR Status = 'stalled' - The mailgate has been completely redesigned and modernized.
- RT now includes the Assets extension for tracking your physical and
Additional changes:
General user UI
- Improve and unify display of topactions (new ticket in, simple search,
article search, etc) - Empty selection boxes no longer render 1px wide (#31316)
- Replace singular use of "Administrative Cc" with "AdminCc"
- Don't display "check box to delete" for every group on queue watcher page
- Don't render empty "Ticket #:" results in bulk update
- Improved the paging links in collection lists (#30374)
- IPv6 custom fields are rendered in their compressed representation
- Queue name on ticket display is now a link to a search for all active
tickets in that queue - Search builder display format now properly supports "large" sizing
- Display more "show columns" in search builder
- Record transactions for queue changes
- Show queue ID if the user can't see the queue name
- New, modern bookmark star icons to better match ticket timer icon
- If there's a single pending ticket, just show the ticket number (#30692)
- Improve messaging for enabling and disabling custom fields
- Improve messaging for applying a custom field to a queue (#31128)
- Mention which principal and right was granted instead of simply saying
"Right Granted" - Improve "user already has right" error
- Gray out "(no value)" for custom fields
- Hide "transaction has no content" entries from extract as article
- Improve CSRF whitelist (#31090)
- Make user preferences use label tags for better clickiness (#30953)
- Rename "Quicksearch" (the table of queues) to "QueueList" (#18514)
- When possible sort charts numerically rather than ascii-betically
- Self-service Cc field now allows for autocompleting multiple users
- IP custom field textboxes now wide enough for full IPv6 addresses (#24565)
- Move attachments to below messagebox on bulk update for consistency
- Stop rounding large numbers of hours worked into days
- Add a "chosen" UI for making long lists of select custom field values more
friendly - Search builder now uses the "chosen" UI for selecting display columns
- Increase MaxInlineBody
- Improved management of mail recipients
- Stop cloning time fields when creating child tickets
- Improve datepicker usage for relative date strings
- Squelching now applies to all updates in the request, instead of only the
initial correspond/comment transaction. - Sync scrip recipients with non-wysiwyg plaintext editor
Command-line
- Fix for "0" values in bin/rt (#31290)
- rt-email-dashboards now has a --log option
- rt-crontool now allows multiple actions
- Improve structure of multipart mail
Web Administration
- Rights management pages now have gray callout for sections that have
rights granted - For new installs we now provide a General topic and Content CF for Articles
- Query log now supports Undup and ShowElem params
- Queues now have a sort order
- We no longer delete articles but instead just disable them to help maintain
auditability (#19323) - Allow ModifyTicket to change nobody to someone else, without OwnTicket
- Select CFs will now suppress "(no value)" option when it's invalid
- Add new ShowAssetsMenu right to manage visibility of Assets feature
Server Administration
- Use MiB rather than MB for attachment size config (GitHub #162)
- ReferrerComponents lets you fine-tune CSRF whitelist and blacklist
- The user shredder now supports a no_ticket_transactions option
- Avoid warnings if users don't have sufficient rights on reminders
- Fix decoding issues (#31155)
- Removed redundant Apache::DBI dependencies (#31210)
- Shred object custom fields when shredding a custom field
- Improve compat and docs for Apache 2.4
- Put temporary files for email parsing in /tmp
- Allow deep namespaces for ScripActions and Conditions
- Copy rt-ldapimport into install-tree sbin
- Avoid DateTime::Locale 1.00 and 1.01; earlier and later versions are OK
Developer
- Upgrade jQuery from 1.9.1 to 1.11.3
- Upgrade jQuery UI from 1.10.0 to 1.11.4
- Upgrade CKEditor from 4.0.1 to 4.5.3
- Removed many unused fields on tickets and users
- Added a Group->Label method for displaying groups in the UI
- Ticket Modify now processes watcher updates
- Support optional inclusion of RT-System and Nobody users in autocomplete
- Transactions now have a ColumnMap
- /User/Prefs.html became /Prefs/AboutMe.html for consistency (#14200)
- We now warn when you forget to undef $mech in tests, which can
cause spurious failures - Additional callbacks
- Remove mostly-duplicate code for Rules which can never trigger
Documentation
- We've written new documentation for the query builder, dashboards,
reporting, and other related features - SLA cookbook
- Update documentation to expect that most installations will deploy
fulltext search - Also remind users that they should set up backups in the README
- Clarify "otherwise your internal links may be broken" (#31117)
- Unify our documentation for upgrading cored extensions
- Switch example for Plugins in RT_Config from ExternalAuth to JSGantt
Internationalization
- Graphing now uses the localization engine in more places
- Update translations for: Basque, Bulgarian, Catalan, Simplified and
Traditional Chinese, Croatian, Czech, Danish, Dutch, Estonian, Finnish,
French, German, Greek, Hungarian, Icelandic, Indonesian, Italian, Japanese,
Latvian, Lithuanian, Norwegian (Bokmal and Nynorsk), Persian, Polish,
Portuguese, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, and
Turkish...
rt-4.2.12
sartak
Shawn M Moore
RT 4.2.12 -- 2015-08-12
RT 4.2.12 contains important security fixes.
https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz.asc
SHA1 sums
ddbf70752c2b96354caf7687534addf075859d4d rt-4.2.12.tar.gz
8e76c69a56a60afbe0a75673874a1f4510355350 rt-4.2.12.tar.gz.asc
This release is a security release which addresses the following
vulnerabilities:
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via
the user and group rights management pages. This vulnerability is assigned
CVE-2015-5475. It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.
RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack
via the cryptography interface. This vulnerability could allow an attacker
with a carefully-crafted key to inject JavaScript into RT's user interface.
Installations which use neither GnuPG nor S/MIME are unaffected.
A complete changelog is available from git by running:
git log rt-4.2.11..rt-4.2.12
or visiting
rt-4.2.11...rt-4.2.12