
rt-5.0.8

@sunnavy sunnavy released this 29 Apr 15:42
· 1003 commits to stable since this release
rt-5.0.8

RT 5.0.8 -- 2025-04-29

RT 5.0.8 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, several security issues are
addressed. See below for details.

https://download.bestpractical.com/pub/rt/release/rt-5.0.8.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.8.tar.gz.asc

SHA-256 sums

0a12419c6111c37384e912432cec872109d528657079e363bbe4ddf613e42286 rt-5.0.8.tar.gz
55852e075c068f190444a372df02dae4f324d3c7bf7a4635886849f1805b88a6 rt-5.0.8.tar.gz.asc
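Before unpacking the tarball, compare its digest with the published SHA-256 sum above and then check the detached signature in the .asc file. The script below is an added example (it is not part of the RT release notes or of RT itself); it embeds the two sums from this announcement, works with either sha256sum or shasum, and leaves the gpg step to you because it needs the Best Practical signing key in your keyring.

```shell
#!/bin/sh
# Added example, not from the RT release notes: verify a downloaded
# RT 5.0.8 tarball against the SHA-256 sums published above.
set -eu

# Published sums for this release, copied from the announcement.
RT_TARBALL_SHA256=0a12419c6111c37384e912432cec872109d528657079e363bbe4ddf613e42286
RT_TARBALL_ASC_SHA256=55852e075c068f190444a372df02dae4f324d3c7bf7a4635886849f1805b88a6

# Portable SHA-256: prefer sha256sum (coreutils), fall back to shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Returns 0 when the file's digest equals the expected one, 1 otherwise.
# The comparison is done in shell rather than with `sha256sum -c` so the
# same function works where only shasum is available.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    printf 'OK   %s\n' "$file"
    return 0
  else
    printf 'FAIL %s (got %s)\n' "$file" "$actual" >&2
    return 1
  fi
}

# Usage, after downloading both files from download.bestpractical.com:
#   verify_sha256 rt-5.0.8.tar.gz     "$RT_TARBALL_SHA256"
#   verify_sha256 rt-5.0.8.tar.gz.asc "$RT_TARBALL_ASC_SHA256"
#   gpg --verify rt-5.0.8.tar.gz.asc rt-5.0.8.tar.gz
# A matching digest only proves you got the same bytes the page lists; the
# gpg step is what ties those bytes to the Best Practical signing key.
```

The sum of the .asc file is checked too because the signature file is fetched over the same channel as the tarball; the signature check is what actually authenticates the release.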

Security

The following issues are addressed with these security updates:

  • RT 4.4 and 5.0 are vulnerable to Cross Site Scripting via injection
    of malicious parameters in a search URL. This vulnerability is assigned
    CVE-2025-30087. Thanks to Fabian Russwurm and the Siemens Red Team for
    reporting this finding.

  • RT 4.4 and 5.0 encrypt S/MIME email with OpenSSL's default cipher,
    Triple DES (des3). This is an outdated cipher algorithm, so the default is
    changed to aes-128-cbc. In addition, the cipher is now configurable, so you
    can pick an alternate cipher now or in the future, or revert to des3 if
    needed for compatibility with recipients that cannot decrypt AES. Mail
    already encrypted with des3 is unaffected, since the algorithm is recorded
    in the message itself. This vulnerability is assigned CVE-2025-2545.
    Thanks to Ángel González Berdasco and INCIBE-CERT - Spanish National CSIRT
    for reporting this finding.

Thanks to Benjamin Vermunicht and Elias Bout of the NATO Cyber Security
Centre (NCSC) for reporting the following two findings.

  • RT 5.0 is vulnerable to Cross Site Scripting via JavaScript injection in
    an Asset name. This vulnerability is assigned CVE-2025-31501.

  • RT 5.0 is vulnerable to Cross Site Scripting via JavaScript injection in
    an RT permalink. This vulnerability is assigned CVE-2025-31500.
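To confirm which content-encryption algorithm an RT instance (or any openssl-based S/MIME setup) actually emits after changing the cipher setting, inspect the EnvelopedData rather than trusting the config. The script below is an added example, not RT code and not from the release notes: it encrypts a constructed message with a throwaway self-signed certificate using the named cipher, then reads the algorithm OID back out of the PKCS#7 structure with `openssl asn1parse`. The same check can be run on a real outgoing message saved from RT's mail queue (convert it with `openssl smime -pk7out` first).

```shell
#!/bin/sh
# Added example (not RT's own code): show which cipher an S/MIME message
# was encrypted with, for the old RT default (des3) and the new one
# (aes-128-cbc). Requires the openssl CLI.
set -eu

# Encrypt a constructed message with the given OpenSSL cipher name and print
# the content-encryption algorithm found in the resulting PKCS#7 EnvelopedData.
smime_cipher_used() {
  cipher="$1"            # e.g. des3 or aes-128-cbc, as passed to `openssl smime -encrypt`
  work=$(mktemp -d)
  # Throwaway self-signed recipient certificate (constructed for this test only).
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=rt-recipient -days 1 \
    -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1
  printf 'Subject: test\n\nconstructed body\n' > "$work/msg.txt"
  # PEM output so asn1parse can read the structure directly.
  openssl smime -encrypt "-$cipher" -outform PEM -in "$work/msg.txt" \
    -out "$work/enc.pem" "$work/cert.pem"
  # The EnvelopedData carries the content-encryption OID; asn1parse prints its
  # short name: des-ede3-cbc for des3, aes-128-cbc for the new default.
  alg=$(openssl asn1parse -inform PEM -in "$work/enc.pem" \
        | grep -oE ':(des-ede3-cbc|aes-[0-9]+-cbc|aes-[0-9]+-gcm)' \
        | head -n1 | tr -d :)
  rm -rf "$work"
  printf '%s\n' "$alg"
}

# Usage:
#   smime_cipher_used des3          # old RT default, prints des-ede3-cbc
#   smime_cipher_used aes-128-cbc   # new RT default, prints aes-128-cbc
```

If the output for a message RT sent still reads des-ede3-cbc after the upgrade, the cipher override in your RT config (check RT_Config.pm for the exact option name in 5.0.8) is either unset or being shadowed by a site-local setting.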

General user features

  • Make all ckeditor toolbar groups the same height
  • Skip recipients with deferred email delivery on encryption check
  • Only store address part of emails for UpdateCc/UpdateBcc inputs
  • Keep all default values for email inputs
  • Disable InlineEdit/EnableJSChart for dashboard mail test via web UI
  • Handle an edge case where only search Order contains multiple values
  • Fix truncated labels in search filter modal
  • Skip rendering filter component for unsupported collections
  • Add Active/Inactive in Asset Query Builder status dropdown
  • Use the same "right" position value in css and js for topactions
  • Strip leading/trailing spaces from Queue name automatically on create/update
  • Add Nobody to autocompletion of assets single member roles
  • Show default queue name if possible on ticket create
  • Add Catalog List portlets
  • Fix unbalanced divs in user anonymize modal
  • Add user specific fields back for multi-member role GroupBy in search charts
  • In ticket history, show scroll if needed for wide content
  • Add missing Link columnmap definitions for assets
  • Don't return a disabled Default Queue
  • Notify the admin if they disabled the system DefaultQueue
  • Add loading lazy attribute to img tags in transactions
  • Allow users to delete dashboard subscriptions
  • Support to specify ReverseHistoryOrderLink in history menu
  • Add name attribute to Create New Ticket button
  • Highlight active selectize dropdown elements in dark mode
  • Highlight autocomplete dropdown items on hover in dark mode
  • Fix overflow on ticket search filter modal
  • Use owner name instead of id for owner dropdown in search filter
  • Improve layout of user preferences page
  • Remove modal class selection for creating articles
  • Support PriorityAsString in search charts
  • Fix main nav overlap on dark theme mobile
  • Update prefs page to support single column layout
  • Fix resizing quick create asset button
  • Update asset simple search for single col layout
  • Fix resizing quick create article button
  • Update articles overview for single column layout
  • Fix titlebox-title overlap on dark theme mobile
  • Prevent users from untaking tickets owned by someone else
  • Consistently set both $DefaultClass and $ClassObj on article create

Documentation

  • Update Automating RT docs
  • Fix typo in shredder pod
  • Document Link filtering feature in search result Format
  • Fix WithMember arguments in CreateTickets template example
  • Include developer upgrade documents in static docs build
  • Update RTAddressRegexp docs to align with new IsRTAddress
  • Document RT's Unread Messages feature
  • Update simple search instructions
  • Add screenshot of approval page
  • Update asset images to be consistent with other docs

Administration

  • Add Scheduled Processes feature to schedule rt-crontool from the web UI
  • Check thoroughly if an email is an RT address
  • Internally, always pass import flag value within LDAP import
  • Remove duplicate CLI options
  • Show system config values instead of user overridden ones on configuration page
  • Drop unnecessary and outdated version requirement of DBIx::SearchBuilder
  • Migrate rt-externalize-attachments to use RT::Interface::CLI
  • Skip unnecessary post actions when importing cloned serialized data
  • Support to shred external contents of attachments/objectcustomfieldvalues
  • Switch to WebService::Dropbox to use Dropbox API v2
  • Implement Delete for Dropbox external storage
  • Support updating user data from environment variables
  • Set LOCAL_PLUGIN_PATH based on customplugindir in config.layout
  • Cache clear output to avoid unnecessary system calls for better performance
  • Fix endless loop when using --ids
  • Add cgm-only mode to rt-validator
  • Quote new references to the Groups table for MySQL 8
  • Add REST2 /users/privileged and /users/unprivileged endpoints
  • Add /Admin/Global/RightsHistory.html page
  • Add menu page options for global rights changes history
  • Refresh system attributes so new logo can show up right after submission
  • Revert "Drop unused submit trigger in lifecycle UI" to allow saves of layout changes
  • Add a Custom Role selection page to the Catalog admin pages
  • Add LocalizedDate date formatter
  • Make the Timezone config option a Select widget
  • Add Shredder Plugin for Transactions
  • Add Shredder Plugin for Assets
  • Add shredder links to Asset and Transaction search
  • Add quiet mode for rt-ldapimport for use in cron
  • Prevent uninitialized warnings on Logout page
  • Wipeout full text index records during shredding
  • Quote tables names in shredder generated SQL file

Internals

  • Enable SMIME tests
  • Document environment variables for Crypt tests
  • Update expired test revoked certs by generating them by ourselves
  • Make SMIME revocation check with OCSP work with OpenSSL 3
  • Test smime encryption behavior for deferred recipients without valid keys
  • Test IsRTAddress with queue addresses
  • Fix IsRTAddress in CanonicalizePrincipal in case User param is an object
  • Test order loop on search result headers where OrderBy contains only one value
  • Test config values are not overridden by user prefs on configuration page
  • Check singleton before fully loading RT
  • Allow user override in RightsInspector Search method
  • Update tests as we added ExternalStorageDump plugin
  • Test shredding external contents
  • Move check for objects referencing external content
  • Fix call to _EncodeLOB for ObjectCustomFieldValue records
  • Update tests as we added WebRemoteUserAdditionalMapping config
  • Add logging for user attribute setting during auto-creation
  • Unset input name of custom field value placeholders in query builder
  • Add Content arg to ReplaceContent method
  • Check OwnTicket on ticket level in case the right is granted on ticket roles
  • Test automatic owner change on queue change
  • Test chart to group by requestor email
  • Change free port detection to how PSGI binds to a port
  • Drop unused CGM joins for recursive role member searches
  • Do not check Content-Type.charset when guessing charset of email headers
  • Pass $self to RT::Group::_AddMember to connect created txns with current object
  • Pass queue info to SelectOwner in FilterTickets
  • Refactor SQL of RT::Users::WhoHaveGroupRight for better performance
  • Update test image with new HTML-RewriteAttributes
  • Set obsolete Pragma header only if the content should not be cached
  • Cache binary attachments for better performance
  • Add tests for Rights Inspector
  • Test REST2 /users/privileged and /users/unprivileged endpoints
  • Support empty DisplayPath to indicate current URL
  • Add Initial callback to /Helpers/Autocomplete/Owners
  • Stop using the session to pass report info to JS Chart
  • Limit LookupType in search for custom roles applied on a specified object
  • Do not override passed in $Transactions in /Elements/ShowHistoryPage
  • Clean up unused declared arguments in /Elements/ShowHistory
  • Update tests for the deletion of article PreCreate page
  • Add overlays support to most RT modules that do not have it yet
  • Test overlays of RT packages
  • Index Via column of CachedGroupMembers
  • Implement cascaded deletion of cached group members on DB level
  • Test cascaded deletion of cached group members
  • Optimize TicketSQL with watcher bundling for queries without parens
  • Access queue name directly when checking configuration settings
  • Remove wrongly quoted formats on web config update
  • Show unquoted string values on system configuration page
  • Update tests for removed quotes
  • Remove undesired attributes like "array(0x...)" in link autocomplete inputs

A complete changelog is available from git by running:
git log rt-5.0.7..rt-5.0.8
or visiting
rt-5.0.7...rt-5.0.8