Lifecycle Updates
RT 5.0.6 included some updates to RT internals to make lifecycles easier
to configure and manage. Once RT 5.0.6 was released and users started testing
with more complicated existing lifecycles, some bugs were discovered. The
following bugs are addressed in RT 5.0.7.
* Merge existing lifecycle mapping configuration on save. Previously, in some
cases, existing mappings would be incorrectly deleted.
* Restore loading lifecycle configuration from files and add a message to
admins to remove config files to delete. The previous change was introduced
to allow lifecycles to be deleted, but it also impacted loading new lifecycle
configurations from files, like when installing an extension. Now admins will be
warned on delete if a lifecycle is being loaded from a file on disk.
Additional Updates
* On the queue admin page, warn if queue addresses are the same as a user address
* In the reports menu, retain the desired order when adding reports
* Prevent Show/Hide "quoted text"/"full description" click events from propagating
* Tweak lifecycle delete button text to make it more clear it deletes the lifecycle
* Document db configs and also the merge behavior of hash configs
* Correct POD warnings in Config docs
* Avoid reloading configs multiple times on configuration content update
* Remove duplicate CLI options
* Do not cast as decimal if using "LIKE" operator for numeric custom fields
* Update the attribute of CustomFieldView to be the same as CustomField
- update to 5.0.6
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=75
Security
* In previous versions, RT's native login system is vulnerable to user enumeration
through a timing side-channel attack. This means an external entity could try to
find valid usernames by attempting logins and comparing the time to evaluate each
login attempt for valid and invalid usernames. This vulnerability does not allow any
access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
in this release.
* RT uses the chart.js package and the previous version has vulnerabilities
described here: https://snyk.io/test/npm/chart.js/2.8.0 This RT release updates
chart.js to version 2.9.4 as recommended in that advisory.
General features and fixes
* Update Starts on SLA changes even if Starts was already set
* Accept usernames for email input fields on ticket create/update
* Support group:NAME and group:ID in non-single role input fields
* Create an autocompleter for Principals (works with both users and groups)
* Support more characters for user/group names in non-single role input fields
* Normalize and validate time inputs
* Support to generate different dashboard content for each recipient
* Use user timezone for date "=" queries in ticket search
* Add "Create Via Email" and "Create Via Web" conditions
* Fix table wrapping error in Ticket/Update.html
* Don't escape queue name in title generation stage as it'll be escaped later
* Allow to squelch recipients that also exist in one time inputs
* Show all valid statuses on Asset bulk update page
* In the datepicker, reset the time part after date input is cleared
* Support columns as values in ticket search (ticket values on right-hand side in searches)
* Support a friendly syntax for custom field columns as values in ticket search
* Allow to specify CF Content/LargeContent columns in the keyword part of SQL
* Support role searches like Owner = CF.cid or Owner = Creator
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=73
- install GnuPG and SMIME directories
- recommend w3m, because of:
"Running with the internal HTML converter can result in performance
issues with some HTML. Install one of the following utilities with
your package manager to improve performance with an external tool:
w3m, elinks, links, html2text, lynx"
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=70
Database Changes
+ For MySQL and MariaDB, the default character set has been updated to
utf8mb4 to accommodate more unicode characters including emojis.
See README.MySQL and README.MariaDB for details.
+ The Id field in some tables is changed from INT to BIGINT to accommodate
large RT systems that may hit the maximum number of ids. Because this
change touches large RT tables like Transactions and Attachments,
this upgrade step may take a while to run.
+ You also will need free disk space equal to the size of these tables
while running because MySQL, MariaDB, and Postgres will create a temporary
copy of the table while running. If you don't have sufficient space,
it can cause this step to fail.
Notable Changes
+ System configuration options can now be changed by SuperUsers via the
web UI. File-based configuration options are still loaded. Changes made
via the web UI take precedence over file-based options if both are set.
+ If you prefer to keep all configuration in files and disable editing in
the web UI, set this option to 0:
Set($ShowEditSystemConfig, 0);
+ The variables which alter the set of HTML elements allowed in HTML
scrubbing have moved; they have been renamed, and are now found under
RT::Interface::Web::Scrubber.
+ The articles interface on tickets has been simplified, now showing only
a dropdown for selecting articles. This dropdown converts to an autocomplete
box when the dropdown contains more than $DropdownMenuLimit items.
+ With this simplified interface, the "hotlist" feature is no longer
needed as all articles in classes applied to a given queue are available
in the dropdown/autocomplete field. To prevent articles in a class from
appearing for a queue, you can unapply the class from that queue.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=67
Security Updates
+ One of RT's dependencies, the Perl module Email::Address, has a denial
of service vulnerability which could induce a denial of service of RT
itself.
We recommend updating to Email::Address version 1.912 or later. The
Email::Address vulnerabilities are assigned CVE-2015-7686 and CVE-2018-12558.
CVE-2015-7686 was addressed in RT with a previous update.
Email::Address version 1.912 addresses both of these CVEs with updates
directly in the source module.
+ One of RT's dependencies, the Perl module Email::Address::List, relies
on and operates similarly to Email::Address and therefore also has
potential denial of service vulnerabilities.
These vulnerabilities are assigned CVE-2018-18898. We recommend
administrators install Email::Address::List version 0.06 or later.
+ An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML in
some cases. Since RT relies on this module to escape HTML content,
it's possible this issue could allow malicious HTML to be displayed
in RT.
For RTs using this optional module, we recommend administrators
install HTML::Gumbo version 0.18 or later.
* The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting
(XSS) vulnerability when using cross-domain Ajax requests.
This vulnerability is assigned CVE-2015-9251.
RT does not use this jQuery feature so it is not directly vulnerable.
jQuery version 1.12 no longer receives official updates, however a
fix was posted with recommendations for applications to patch locally,
so RT will follow this recommendation and ship with a patched version.
EU General Data Protection Regulation (GDPR)
Several new features were added to support GDPR compliance and are summarized here.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=61
General user UI
* Show the Ticket's Subject when modifying the ticket.
* Re-format RT/Config.pm so the `# loc` comment parses correctly.
* Sort saved searches alphabetically by name rather than by id.
* In Self Service, provide a path to remove attachments from the session
when they are deleted from dropzone by the user (I#32663).
* Fix evaluation of set vs. unset custom fields on display for correct hiding.
* Set dropzone attachment size based on RT's MaxAttachmentSize configuration.
* Add a configuration option TreatAttachedEmailAsFiles to treat attached email
as a file attachment instead of parsing as regular email.
* Restore email header parsing for items like email addresses when
TreatAttachedEmailAsFiles is not set. This was disabled in a previous
version.
* Respect default queue settings in Create linked ticket dropdown (I#32884).
* More fixes for recipient checkboxes on update. This version removes previous
problematic fixes and gives a visual indication (shading) when RT is updating
recipients in the background and checkboxes should not be changed (I#33027).
* Provide a way to reset personal search preferences back to the RT system
default (I#32854).
* Add an Untake action to the Actions tab.
* Add active and inactive status to query builder.
* Re-add Queue to 'Order by' dropdown in Search Builder.
* Make admin searches for queue and group case insensitive making it easier to
find groups.
* When editing ticket basics, always add valid default value to queue selection,
taking into account SeeQueue rights.
* Set dropzone parallelUploads to 1 to avoid losing attachments. Also
set parallelUploads when the dropzone object is created.
* Correct error messages on user rights for CF admin UI.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=53
Security
* RT 4.0.0 and above are vulnerable to an information leak of cross-site
request forgery (CSRF) verification tokens if a user visits a specific
URL crafted by an attacker. This vulnerability is assigned
CVE-2017-5943. It was discovered by a third-party security researcher.
* RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
if an attacker uploads a malicious file with a certain content type.
Installations which use the AlwaysDownloadAttachments config setting are
unaffected. This fix addresses all existing and future uploaded
attachments. This vulnerability is assigned CVE-2016-6127. This was
responsibly disclosed to us first by Scott Russo and the GE Application
Security Assessment Team.
* One of RT's dependencies, a Perl module named Email::Address, has a
denial of service vulnerability which could induce a denial of service
of RT itself. We recommend administrators install Email::Address version
1.908 or above, though we additionally provide a new workaround within
RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
vulnerability's application to RT was brought to our attention by Pali
Rohár.
* RT 4.0.0 and above are vulnerable to timing side-channel attacks for
user passwords. By carefully measuring millions or billions of login
attempts, an attacker could crack a user's password even over the
internet. RT now uses a constant-time comparison algorithm for secrets
to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
This was responsibly disclosed to us by Aaron Kondziela.
* RT's ExternalAuth feature is vulnerable to a similar timing side-channel
attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
extension, as well as the core ExternalAuth feature in RT 4.4 are
vulnerable. Installations which don't use ExternalAuth, or which use
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=52
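The two timing issues in these notes, the secret comparison fixed for CVE-2017-5361 (the entry above) and the username enumeration fixed for CVE-2021-38562 (the RT 5.0 entry earlier on this page), share one remedy. The following is an added Python example, not RT's own code: it counts work done instead of measuring clocks, and contrasts an early-exit comparison with a constant-time one, then an enumerable login path with one that hashes against a dummy credential whenever the username is unknown. The user store, salts, passwords, the `hash_password`/`login` function names and the PBKDF2 cost are constructed placeholders, not RT's schema, API or settings.

```python
# Added example (not RT's code). Work is counted rather than timed because
# wall-clock measurements are noisy; the counts are what a timing side
# channel ultimately observes.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 20_000  # placeholder cost; a real deployment tunes this

_work = {"pbkdf2_calls": 0}  # instrumentation only


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; counts calls so callers can compare work done."""
    _work["pbkdf2_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed user store (username -> (salt, hash)); not RT's schema.
_ALICE_SALT = b"constructed-salt-alice"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, hash_password("correct horse", _ALICE_SALT)),
}
# Dummy credential: unknown usernames are verified against this so that the
# unknown-user path costs the same as a wrong password for a real user.
_DUMMY_SALT = b"constructed-salt-dummy"
_DUMMY_HASH = hash_password("unused-dummy-password", _DUMMY_SALT)


def naive_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined): the count, and
    therefore the time taken, depends on where the first mismatching byte is."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_compare(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Examines every byte whatever the input; only the length is revealed.
    Production code should call hmac.compare_digest, which does this in C."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


@dataclass
class LoginResult:
    ok: bool
    hashes_computed: int  # PBKDF2 calls made by this login attempt


def login_enumerable(username: str, password: str) -> LoginResult:
    """Pre-fix shape: unknown users return before any hashing, so a failed
    login for an unknown name finishes measurably faster than for a real one."""
    before = _work["pbkdf2_calls"]
    if username not in USERS:
        return LoginResult(False, _work["pbkdf2_calls"] - before)
    salt, expected = USERS[username]
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return LoginResult(ok, _work["pbkdf2_calls"] - before)


def login(username: str, password: str) -> LoginResult:
    """Hardened shape: always hash exactly once and compare in constant time,
    using the dummy credential for unknown names. The final membership check
    is a dictionary lookup, negligible next to PBKDF2, and keeps an unknown
    user from authenticating even if the dummy hash were ever matched."""
    before = _work["pbkdf2_calls"]
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    equal = hmac.compare_digest(hash_password(password, salt), expected)
    ok = equal and (username in USERS)
    return LoginResult(ok, _work["pbkdf2_calls"] - before)


if __name__ == "__main__":
    print(naive_compare(b"secret-token", b"secret-tokeX"))          # (False, 12)
    print(naive_compare(b"secret-token", b"Xecret-token"))          # (False, 1)
    print(constant_time_compare(b"secret-token", b"Xecret-token"))  # (False, 12)
    print(login_enumerable("nobody", "x"), login_enumerable("alice", "x"))
    print(login("nobody", "x"), login("alice", "x"), login("alice", "correct horse"))
```

The byte counts returned by `naive_compare` are the leak: a guess that shares more leading bytes with the secret takes longer to reject, so an attacker who can average many attempts recovers the secret one byte at a time, which is why the release notes speak of millions of login attempts. The `hashes_computed` field shows the enumeration variant of the same flaw: with `login_enumerable` an unknown username costs zero hash computations, with `login` every attempt costs one.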
General User UI
* Avoid race condition where a ticket's Started timestamp could be
before its Created timestamp
* Users without ability to update a saved search are no longer shown
an Update button
* IP custom field textboxes now wide enough for full IPv6 addresses (I#24565)
* Self-service Cc field now allows for autocompleting multiple users
* When possible sort charts numerically rather than ascii-betically
* QuickCreate now respects DefaultQueue and RememberDefaultQueue (I#30913)
* Make user preferences use label tags for better clickiness (I#30953)
* Hide "Transaction has no content" from Extract Article (I#31027)
* Improve CSRF detection by whitelisting more specific parameters (I#31090)
* Empty selection boxes no longer render 1px wide (I#31316)
* Show queue ID if the user can't see the queue name
* Search builder display format now properly supports "large" sizing
* Fix SMIME encoding issue (I#31155)
* Improve messaging and logging around reminders that users can't see
* Queue name on ticket display is now a link to a search for all active
tickets in that queue
* Support autocomplete custom fields in bulk update (I#15259)
* Hint to the user that not all CF types are supported by bulk update,
instead of silently excluding them (I#15259)
* Improve compliance with RFC4480 for GPG armor lines (I#30372)
* Restore behavior of $EditCustomFieldsSingleColumn config (I#18555)
* Fix a regression with time zones in datetime custom fields (I#31674)
* Fix certain attachment links containing HTML metacharacters from
double escaping (I#31751)
* Fix custom attachment URLs for self-service users (I#30960)
Database
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=49
+ This release is a security release which addresses the following
vulnerabilities:
++ RT 4.0.0 and above are vulnerable to a cross-site scripting
(XSS) attack via the user and group rights management pages.
This vulnerability is assigned CVE-2015-5475.
It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.
++ RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS)
attack via the cryptography interface. This vulnerability could
allow an attacker with a carefully-crafted key to inject JavaScript
into RT's user interface.
Installations which use neither GnuPG nor S/MIME are unaffected.
From 4.2.11:
+ improves indexing time for full-text search
+ improves support for Apache 2.4 and MySQL 5.5
+ Interactive command-line tools (including upgrade tools) will
now also default to displaying warnings to STDERR, to aid in
awareness of potential errors.
- refreshed request-tracker-use_local_lib.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=46
This release is primarily a security release; it addresses CVE-2014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.
+ General user UI
* Speed up the default simple search on all FTS-enabled installs by not
OR'ing it with a Subject match. This returns equivalent results for
almost all tickets, and allows the database to make full use of the
FTS index.
* Pressing enter in user preference form fields no longer instead
resets the auth token (#19431)
* Pressing enter in ticket create and modify form fields now creates or
updates the ticket, instead of being equivalent to "add more
attachments", or the "search" on People pages (#19431)
* Properly encode headers in forwarded emails that contain non-ASCII
text (#29753)
* Allow users to customize visibility of chart/table/TicketSQL in saved
charts
* Allow groups to be added as requestors on tickets
* Perform group searches case-insensitively on People page (#27835)
* Ticket create transactions for tickets created via the web UI now
contain mocked-up From, To, and Date headers; this causes them to
render more correctly when forwarded
* Update wording of error message for saved searches without a
description (#30435)
* Flush TSV download every 10 rows, for responsiveness
* Retain values in Quick Create on homepage if it fails (#19431)
* Limit the custom field value autocomplete to 10 values, like other
autocompletes (#30190)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=44
+ General user UI
* Fix Subject header during ticket printing (#30362)
* Comparisons of long text Custom Fields were erroneously reporting
updates (#30378)
* Broken logo link for the mobile UI when used with $WebPath
* No longer leak base64 data to non-english users who change a Dashboard
subscription and futureproof for other Attribute updates (#24665)
* Previous column selection is remembered when updating search formats (#16972)
* Charts could return quadrupled data for aggregate data (such as Time
Worked) depending on your rights configuration.
* Charts can now be grouped by Priority
* Ticket Creation form now leaves Requestor blank on page reload if you
cleared it out.
+ Localizations
* "check to delete all values" is now localized
+ Command-line
* BeforeDue action now accepts 2D as well as 2d (#30449)
* bin/rt no longer shows a default Due date unless one is configured
on the Queue. Additionally, Starts and Due are served in your time
zone (#20334)
+ Admin
* Improvements to the layout of the Group Members page
+ Developer
* Fix tests that used send_via_mailgate to properly check returns (#19156)
* Improvements to rt-static-docs for generating online documentation
* Proper warnings testing for cf_date tests
* Remove unused code to render Rules during replies/comments
* Undo a regression that meant Custom Fields passed to Ticket->Create
needed to be readable by the user creating the ticket.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=42
This release is primarily a security release; it addresses
CVE-2014-7227, a vulnerability in RT's SMIME integration enabled by
CVE-2014-6271 and related vulnerabilities, known as "Shellshock."
Systems which have patched bash are not vulnerable to CVE-2014-7227.
+ General user UI
* Properly hide ticket list when MoreAboutRequestorTicketList is set to
"None"
+ Localizations
* Allow text in Squelch box on ModifyPeople page to be translatable.
* Updated German, Basque, French, Hungarian, and Russian translations.
+ Admin
* Allow $OverrideOutgoingMailFrom to key by queue id, as an alternative
to name
* Stop calling the deprecated _SQLLimit method when limiting by
transaction date
* Stop hiding the value of the AllowLoginPasswordAutoComplete setting
in System Configuration (#30417)
* Resolve CVE-2014-7227, arbitrary execution of code by privileged
users via SMIME by way of CVE-2014-6271.
+ Developer
* Add a ModifyMaxResults callback for Autocomplete endpoints
* Properly pass collection class to ColumnMap in /Elements/TSVExport
+ Documentation
* Update POD for AddRoleMember/DeleteRoleMember being in
RT::Record::Role::Roles now, not RT::Record.
A complete changelog is available from git by running:
git log rt-4.2.7..rt-4.2.8
or visiting
https://github.com/bestpractical/rt/compare/rt-4.2.7...rt-4.2.8
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=41
+ General user UI
* Fix algorithm for determining which links to display in ticket
relationship graphs with a MaxDepth
* Use "Correspondence added" or "Comment added" rather than the general
"Message recorded"
* Loading saved charts should load all of their settings (#29015)
* Stop fixing the width of "New ticket in" button (#27649)
* Record transactions in ticket history when attachments were dropped
or truncated due to $MaxAttachmentSize
* Still delay transaction loading when "full headers" have been
requested
* Add an "overdue" class on Due columns, to match DueRelative columns.
* Only show "overdue" class if the ticket status is still active
* Fix styling of "There are unread messages" box in aileron
* Keep date and datetime custom field inputs during failed ticket
creation
* Silence warnings from emails without Content-Transfer-Encoding
headers
* Silence warnings on user modify pages for disabled users
* Let custom field grouping boxes link on Display pages link to the
appropriate anchor on editing pages (#30195)
+ Localizations
* Localize "Recursive" column title in group memberships page
* Additional missing locstrings for numerous titleboxes
* Stop translating titles piecemeal in SelfService (#14736)
* Updated Catalan, German, Basque, Italian, Japanese, Dutch, Brazilian
Portuguese, and Russian translations
+ Command-line
* Reduce values queried using "rt ls" to only those displayed; this
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=40
+ General web UI
* Fix a regression introduced in 4.2.4, which caused lack of formatting
of plain text when responding via the rich text editor.
* Allow tables in HTML mail if the optional HTML::Gumbo dependency is
installed
* Fix a regression in 4.2.5 which prevented core date fields (Due,
Starts, etc) from being unset (#30180)
* Hide empty transaction custom fields when they have no value; this
fixes a regression in 4.2.1 where transaction custom fields began
displaying on all transactions. (#29757)
* Allow searching on requestor city, state, zip, and country in query
builder (#26960)
* Don't attempt to parse IP/Date(time) CFs if the value is NULL; this
prevents warnings.
* Remove border-radius: 0 to allow Firefox to use native text entry
widgets (#28233)
* Allow Firefox to reflow the data table below the chart on rudder
* Whitelist user search from CSRF restrictions
* Only include closing paren in MakeClicky link if it included an open
paren (#29064)
* Canonicalize CF values (including dates, IP addresses, and IP ranges)
before comparing to the database value; this prevents spurious
"changed from a to a" messages.
* Allow downloading 0-length files if they have a filename (#9050)
* Quick Create now defaults to the lifecycle's default create status,
instead of hardcoding "new"
* Show Wikitext CFs in bulk update
* Add autocompletion to link boxes on bulk update
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=39
+ Updated dependencies
* Updated Email::Address::List dependency, to resolve CVE-2014-1474,
as was previously announced in
http://blog.bestpractical.com/2014/01/security-vulnerability-in-rt-42.html
* Bump CGI dependency (under perl 5.20 and above, only) to quash
warnings about CGI.pm's deprecation in core (#29053)
+ Serializer/Importer
* Serialize binary data as binary, not as UTF-8 codepoints; this fixes
a regression introduced in 4.2.3 which corrupted all binary data in
serialized data.
* Serialize ObjectScrips when cloning, which had been mistakenly
omitted; this only partially resolves #29949, as it does not address
serialization of ObjectScrips when not cloning.
+ General web UI
* Force CKEDITOR_BASEPATH; this fixes errors during pasting into the
Rich Text editor (#29780, #29987)
* Ticket autocompletion (for links) is more predictable when completing
on strings containing numbers (#25755)
* Fix "Show Outgoing Email" and Reply/Comment/Forward links in
Approvals (#29800)
* Correctly decode text/html parts of old (RT 3.6.5 and prior) emails
+ Internationalization
* Updated localizations (German, Greek, Slovak, Lithuanian)
+ Web administration
* Display clean Stage name in ColumnMaps (#28739)
* Add Scrips Select/Create menu, and maintain context on which list of
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=38
+ Administrator tasks
* Avoid starting a FastCGI process manager in the common case of the
FastCGI process being started by the webserver, and communicating
over STDIN. This restores the behavior from 4.0, where the process
name is the full path to rt-server.fcgi, and not the static string
"perl-fcgi-pm" or "perl-fcgi".
* Automatically clean out Mason cache when updated HTML is installed
during upgrades; this should prevent a common class of errors.
* Fix paths in rt-importer when importing from a serialized dump which
was written to an absolute path.
* Additional optional upgrade script for users upgrading from RT 3.8
who previously used RT::Extension::CustomField::Checkbox.
* Pass characters, not bytes, to _EncodeLOB during de-serialization;
this prevents invalid UTF-8 from a serialized dump from entering the
new database.
* Catch and warn of additional common misconfigurations of GPG/SMIME
integration.
* Prevent a possible infinite loop in rt-validator --resolve if
Principal records were missing; default to forcing their creation.
+ Localization
* Localization updates from Launchpad.
+ General user UI
* Date and DateTime customfields now pass "mandatory" validation if
unchanged.
* "1970-01-01" is now treated as "unset" for purposes of Date and
DateTime validation.
* Add Date and DateTime fields to bulk update.
* Don't conduct a user search if no string was entered.
* Signal if a user is disabled at the top of User Summary pages.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=37
+ Oracle:
* Resolve numerous issues with the 4.0 -> 4.2 upgrade steps on Oracle
* In-database sessions on Oracle are no longer truncated at 8k,
leading to spurious logouts
+ Internet Explorer:
* Fix submission issues under Internet Explorer
+ Rich text editor:
* If returning to a reply/correspond page with the back button, the
rich text editor will no longer double-escape previously written
content.
+ REST:
* Fix an empty 'text/plain' part when tickets are created using the
REST interface.
+ Other bugfixes:
* Optimize transaction display code to speed up long ticket displays
by short-circuiting transaction custom field checking.
* Supply a default $PATH for SMIME and GnuPG under FastCGI
* Support index upgrade steps on Pg when in a custom schema
* Close a memory leak in ColumnMap
A complete changelog is available from git by running:
git log rt-4.2.0..rt-4.2.1
or visiting
https://github.com/bestpractical/rt/compare/rt-4.2.0...rt-4.2.1
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=36