
Releases: bestpractical/rt

rt-5.0.2

14 Sep 22:43

RT 5.0.2 -- 2021-09-14

We're pleased to announce the general availability of RT 5.0.2.
The list of changes included with this release is below. In addition
to a large number of updates and fixes, there are two security updates
provided in this release.

https://download.bestpractical.com/pub/rt/release/rt-5.0.2.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.2.tar.gz.asc

SHA-256 sums

df915ae809277564d9b8a7192ced2517cf6bed6c0301786b69562c0ea9dd9e86 rt-5.0.2.tar.gz
ec462189a90728dcb76fd38a2e55a6c8bbb21f6f7c8fc4907e2cd0f2dcde005c rt-5.0.2.tar.gz.asc

Security

  • In previous versions, RT's native login system is vulnerable to user enumeration
    through a timing side-channel attack. This means an external entity could try to
    find valid usernames by attempting logins and comparing the time to evaluate each
    login attempt for valid and invalid usernames. This vulnerability does not allow any
    access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
    in this release.

  • RT uses the chart.js package and the previous version has vulnerabilities
    described here: https://snyk.io/test/npm/chart.js/2.8.0 This RT release updates
    chart.js to version 2.9.4 as recommended in that advisory.
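
An added illustration of the timing side channel in the first Security item above; it is not part of the release notes and is neither RT's code nor its actual fix. A login check that skips password hashing for unknown usernames does less work than one for a known username, and the hardened variant hashes against a dummy record so both paths cost the same. The user store, function names and work factor are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for the demo
_kdf_calls = 0       # instrumentation: counts expensive hash computations


def kdf(password: str, salt: bytes) -> bytes:
    """Slow password hash; the cost of this call is what leaks through timing."""
    global _kdf_calls
    _kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Build a stored credential: random salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": kdf(password, salt)}


# Constructed user store (assumption: one local account named "alice").
USERS = {"alice": make_record("correct horse")}

# Dummy credential with the same cost parameters and a random password,
# used only to burn the same amount of work for unknown usernames.
DUMMY = make_record(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> bool:
    """Enumerable: unknown usernames return before any hashing happens."""
    rec = USERS.get(username)
    if rec is None:
        return False  # fast path, distinguishable from the slow path below
    return hmac.compare_digest(kdf(password, rec["salt"]), rec["hash"])


def login_uniform(username: str, password: str) -> bool:
    """Hardened: every attempt performs exactly one KDF and one comparison."""
    rec = USERS.get(username)
    known = rec is not None
    if not known:
        rec = DUMMY
    matches = hmac.compare_digest(kdf(password, rec["salt"]), rec["hash"])
    # 'known' gates the result so the dummy record can never authenticate.
    return matches and known


def kdf_cost(login, username: str, password: str) -> int:
    """Number of KDF invocations a single login attempt triggers."""
    before = _kdf_calls
    login(username, password)
    return _kdf_calls - before


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__,
              "known user:", kdf_cost(fn, "alice", "guess"),
              "unknown user:", kdf_cost(fn, "nobody", "guess"))
```

Counting KDF calls makes the difference visible without noisy wall-clock measurements: the leaky check differs by one full hash computation between the two cases, the uniform check does not.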

General features and fixes

  • Update Starts on SLA changes even if Starts was already set
  • Accept usernames for email input fields on ticket create/update
  • Support group:NAME and group:ID in non-single role input fields
  • Create an autocompleter for Principals (works with both users and groups)
  • Support more characters for user/group names in non-single role input fields
  • Normalize and validate time inputs
  • Support to generate different dashboard content for each recipient
  • Use user timezone for date "=" queries in ticket search
  • Add "Create Via Email" and "Create Via Web" conditions
  • Fix table wrapping error in Ticket/Update.html
  • Don't escape queue name in title generation stage as it'll be escaped later
  • Allow to squelch recipients that also exist in one time inputs
  • Show all valid statuses on Asset bulk update page
  • In the datepicker, reset the time part after date input is cleared
  • Support columns as values in ticket search (ticket values on right-hand side in searches)
  • Support a friendly syntax for custom field columns as values in ticket search
  • Allow to specify CF Content/LargeContent columns in the keyword part of SQL
  • Support role searches like Owner = CF.cid or Owner = Creator
  • Improve UI of unread messages notification
  • Sync one time inputs back to checkboxes on ticket update page
  • Automatically load more txns to fill browser window on scroll history mode
  • Fix duplicated closing tag for attachment delete links
  • Remove search string including numbers in ticket autocomplete search on select
  • Fix RecentlyViewedTickets to deal with shredded/merged tickets
  • Fix bug that kept 11 tickets in the "recently visited" list instead of 10
  • Show dependencies (like dashboards) and confirm before deleting saved searches
  • Fill up cells of record's last row in search results
  • Add support of "Lifecycle =" and "Queue LIKE" to GetReferencedQueues for more search options
  • Support copying saved charts like searches
  • Fix wrongly duplicated one-time addresses on ticket update page
  • Add various missing ColumnMap entries
  • Fix error when removing multiple holders of an asset
  • Add basic stacked bar chart support
  • Remove extra closing div on Login/Logout pages
  • Add option to disable ticket linking in articles by class
  • Add entry hint as custom field tooltip
  • Disable submit on enter when input's autocomplete list shows up
  • Support quoted custom fields as values
  • Exclude end time when limiting txn date to a day
  • Trigger UpdateCc/UpdateBcc input change only once when clicking "All recipients"
  • Sync one-time checkboxes to text inputs in a consistent way
  • Translate selfservice articles search button (thanks, elacour!)
  • Support shallow searches for ticket roles
  • Support to search user defined group names in watcher limit
  • Support order by watcher's custom fields for ticket search
  • Support more watcher fields including user cfs in search result format
  • Add more watcher fields including user cfs to OrderBy/Columns in search builder
  • Upgrade OrderBy "Owner" to new version "Owner.Name" in saved searches
  • Create a standard RT Time Worked report
  • Add grouping by custom roles for ticket search charts
  • Reduce space used by Current search on Query Builder to avoid saved search overlap
  • Group by direct members of role groups for ticket search charts
  • Use Name as the default watcher field in search results
  • Allow clearing roles on bulk updates page
  • Remove unexpected leading spaces in user signature input
  • Add label text to old-attach form for accessibility
  • Add the missing "form-control" class to autocomplete cf inputs in query builder
  • Fix EditSearches title after submission on Query Builder page
  • Let article summary take the whole width in article list
  • Pass all request arguments to /SelfService/Open.html
  • Disable inline edit for related tickets in "Assets" widget of ticket display
  • Transactions on History.html page should link to transaction display page
  • Clear "Add Columns" select after change on Query Builder
  • Translate selfservice articles search button
  • Render a label for both cases when displaying shredder objects,
    making checkbox available to select objects to shred
  • Align label/value columns for Assets widget in ticket display
  • Use checkbox class for multi select list input
  • Remove blue background on dropdown-item active
  • Explicitly exclude "deleted" status from queue list portlet
  • Require Name field when creating or editing Article
  • Add QueueListAllStatuses portlet to show tickets info of all statuses
  • In Self Service, don't explicitly call PageLayout as it's included already
  • Use 2/10 col layout for custom fields only in transaction display
  • Use an independent col for each asset custom field grouping
  • Add the missing form-control css class for queue autocomplete input
  • Move asset field-specific css classes up to the row instead of just label
  • Add autocomplete for assets input
  • Don't change background color on click of dropdown items
  • Load user-level search preferences for ticket searches only, fixing errors
    with custom search formats and transaction search results
  • Add more ticket info to transaction display page
  • Register the missing autocomplete handler for refreshed inline-edited row
  • Add webpath to RelatedData href (thanks, jtlarson!)
  • Update principal input labels to reference groups
  • Always default to no value for select type CFs on bulk update
  • Fix context quoting on ticket update with top-quoted signatures in rich text editor
  • On the query builder, restore OR accidentally changed in bootstrap updates

Administration

  • Generalize Owner logic in Shredder to any Single role group
  • In shredder, remove SetWatcher rows in transaction history as well
  • Add setting $AssetMultipleOwner to allow many owners on assets
  • Default --libs-group value from "bin" to "root"
  • Add --dry-run option to rt-crontool
  • In validator, ensure tickets and queues have all of their default role groups, individually
  • In validator, prompt to create missing default role groups
  • Skip merged tickets in role groups validation
  • Allow to create missing queue-level custom role groups when needed
  • For external auth, support cf mappings like CF.foo and UserCF.foo
  • Support array and code in attr_map of external auth
  • Don't quote table names in shredder SQL output
  • Avoid "Wide character in print" warnings when generating shredder SQL output
  • Add QuoteWrapWidth option for text quoted during reply/comment
  • Set the $AttachmentListCount config's default value to 5
  • Clarify external auth logging when users are not found
  • Fix removal of scrips when shredding queues
  • Avoid errors in shredder when Organization has a hyphen
  • Avoid errors in shredder when username has a hyphen
  • Avoid errors in shredder when queue name has a hyphen
  • Log number of records returned from LDAP search
  • Support searching NULL(unset) values on user/group admin pages
  • Only show hints for user CFs configured in external settings on create
  • Fix removal of custom fields when shredding queues
  • Add transaction records for dashboard/savedsearch changes
  • For articles, do not encode HTML if skip Escape HTML option selected
  • In rt-crontool, add reload-ticket option to refresh metadata before processing
  • Avoid a known problem version of Mojo::DOM::CSS
  • Update DBIx::SearchBuilder to 1.68 to avoid segfaults on MariaDB 10.2+
  • Add parallel support for crontool
  • Add Parallel::ForkManager to dependency for parallel crontool
  • Log the object that exceeds DependenciesLimit in shredder
  • Remove SetOwner rows in transaction history on user shred
  • Add ExternalAuth to the exceptions for requiring a password
  • Reset ObjectCustomField sort order when re-enabling a Custom Field
  • Update ObjectCustomField sort order only if necessary on re-enable
  • Pass SavedChartSearchId from chart portlet
  • Skip rights check when setting default object custom field values
  • Add support to clear mason cache via web interface
  • Add LDAP email authentication to External Auth
  • Don't shred subgroups' member relationships when shredding ticket role groups
  • Provide a way to select privileged and unprivileged users in admin
  • Remember IncludeSystemGroups value on page navigation
  • Add statement-log option to render statement logs in CLI
  • Support to set sort order of applied custom roles
  • Show custom roles in correct order on queue watcher and ticket pages
  • Add no-sqldump option to r...

rt-4.4.5

14 Sep 22:42

RT 4.4.5 -- 2021-09-14

We're pleased to announce the general availability of RT 4.4.5.
The list of changes included with this release is below. In addition
to a large number of updates and fixes, there is one security update
provided in this release.

https://download.bestpractical.com/pub/rt/release/rt-4.4.5.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.5.tar.gz.asc

SHA-256 sums

c3025d5fe5bf5479d07318652fa904f4940f5172801a2aae4e397779b519556e rt-4.4.5.tar.gz
a00b68c84b8285ee4a2d104ca8f70dc5e4ea478dfd1a5378bcf7369259e10ac0 rt-4.4.5.tar.gz.asc

Security

  • In previous versions, RT's native login system is vulnerable to user enumeration
    through a timing side-channel attack. This means an external entity could try to
    find valid usernames by attempting logins and comparing the time to evaluate each
    login attempt for valid and invalid usernames. This vulnerability does not allow any
    access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
    in this release.

General user features

  • Update Starts on SLA changes even if Starts was already set
  • Accept usernames for email input fields on ticket create/update
  • Support group:NAME and group:ID in non-single role input fields
  • Create an autocompleter for Principals (works with both users and groups)
  • Support more characters for user/group names in non-single role input fields
  • Normalize and validate time inputs
  • Support to generate different dashboard content for each recipient
  • Use user timezone for date "=" queries in ticket search
  • Add "Create Via Email" and "Create Via Web" conditions
  • Fix table wrapping error in Ticket/Update.html
  • Don't escape queue name in title generation stage as it'll be escaped later
  • Allow to squelch recipients that also exist in one time inputs
  • Show all valid statuses on Asset bulk update page
  • In the datepicker, reset the time part after date input is cleared
  • Support columns as values in ticket search (ticket values on right-hand side in searches)
  • Support a friendly syntax for custom field columns as values in ticket search
  • Allow to specify CF Content/LargeContent columns in the keyword part of SQL
  • Support role searches like Owner = CF.cid or Owner = Creator
  • Improve UI of unread messages notification
  • Sync one time inputs back to checkboxes on ticket update page
  • Automatically load more txns to fill browser window on scroll history mode
  • Fix duplicated closing tag for attachment delete links
  • Remove search string including numbers in ticket autocomplete search on select
  • Fix RecentlyViewedTickets to deal with shredded/merged tickets
  • Fix bug that kept 11 tickets in the "recently visited" list instead of 10
  • Show dependencies (like dashboards) and confirm before deleting saved searches
  • Fill up cells of record's last row in search results
  • Add support of "Lifecycle =" and "Queue LIKE" to GetReferencedQueues for more search options
  • Support copying saved charts like searches
  • Fix wrongly duplicated one-time addresses on ticket update page
  • Add various missing ColumnMap entries
  • Fix error when removing multiple holders of an asset
  • Add basic stacked bar chart support
  • Remove extra closing div on Login/Logout pages
  • Add option to disable ticket linking in articles by class
  • Add entry hint as custom field tooltip
  • Disable submit on enter when input's autocomplete list shows up
  • Support quoted custom fields as values
  • Exclude end time when limiting txn date to a day
  • Trigger UpdateCc/UpdateBcc input change only once when clicking "All recipients"
  • Sync one-time checkboxes to text inputs in a consistent way
  • Translate selfservice articles search button
  • Support shallow searches for ticket roles
  • Support to search user defined group names in watcher limit
  • Support order by watcher's custom fields for ticket search
  • Support more watcher fields including user cfs in search result format
  • Add more watcher fields including user cfs to OrderBy/Columns in search builder
  • Upgrade OrderBy "Owner" to new version "Owner.Name" in saved searches
  • Create a standard RT Time Worked report
  • Add grouping by custom roles for ticket search charts
  • Reduce space used by Current search on Query Builder to avoid saved search overlap
  • Group by direct members of role groups for ticket search charts
  • Use Name as the default watcher field in search results
  • Allow clearing roles on bulk updates page

Administration

  • Generalize Owner logic in Shredder to any Single role group
  • In shredder, remove SetWatcher rows in transaction history as well
  • Add setting $AssetMultipleOwner to allow many owners on assets
  • Default --libs-group value from "bin" to "root"
  • Add --dry-run option to rt-crontool
  • In validator, ensure tickets and queues have all of their default role groups, individually
  • In validator, prompt to create missing default role groups
  • Skip merged tickets in role groups validation
  • Allow to create missing queue-level custom role groups when needed
  • For external auth, support cf mappings like CF.foo and UserCF.foo
  • Support array and code in attr_map of external auth
  • Don't quote table names in shredder SQL output
  • Avoid "Wide character in print" warnings when generating shredder SQL output
  • Add QuoteWrapWidth option for text quoted during reply/comment
  • Set the $AttachmentListCount config's default value to 5
  • Clarify external auth logging when users are not found
  • Fix removal of scrips when shredding queues
  • Avoid errors in shredder when Organization has a hyphen
  • Avoid errors in shredder when username has a hyphen
  • Avoid errors in shredder when queue name has a hyphen
  • Log number of records returned from LDAP search
  • Support searching NULL(unset) values on user/group admin pages
  • Only show hints for user CFs configured in external settings on create
  • Fix removal of custom fields when shredding queues
  • Add transaction records for dashboard/savedsearch changes
  • For articles, do not encode HTML if skip Escape HTML option selected
  • In rt-crontool, add reload-ticket option to refresh metadata before processing
  • Avoid a known problem version of Mojo::DOM::CSS
  • Update DBIx::SearchBuilder to 1.68 to avoid segfaults on MariaDB 10.2+
  • Add parallel support for crontool
  • Add Parallel::ForkManager to dependency for parallel crontool
  • Log the object that exceeds DependenciesLimit in shredder
  • Remove SetOwner rows in transaction history on user shred
  • Add ExternalAuth to the exceptions for requiring a password
  • Reset ObjectCustomField sort order when re-enabling a Custom Field
  • Update ObjectCustomField sort order only if necessary on re-enable
  • Pass SavedChartSearchId from chart portlet
  • Skip rights check when setting default object custom field values
  • Add support to clear mason cache via web interface
  • Add LDAP email authentication to External Auth
  • Don't shred subgroups' member relationships when shredding ticket role groups
  • Provide a way to select privileged and unprivileged users in admin
  • Remember IncludeSystemGroups value on page navigation
  • Add statement-log option to render statement logs in CLI
  • Support to set sort order of applied custom roles
  • Show custom roles in correct order on queue watcher and ticket pages
  • Add no-sqldump option to rt-shredder to avoid generating backups
  • Add paging support for group Members page
  • Tweak css for page links to not overflow in Firefox
  • Add $ShowSearchNavigation option to skip building search navigation links
  • Add ability to search for disabled users

Email Encryption/Signing

  • Support separate certificates for SMIME encryption and signing
  • Add encryption and signing options for digest email
  • Provide an option to skip GnuPG tests
  • Handle encrypted outgoing emails in digest email
  • Add OtherCertificatesToSend option for SMIME
  • Set path to GnuPG binary in GnuPG::Interface constructor
  • Fix uninitialized warnings of $latest_user_main_key for gpg 2.2
  • Handle FAILURE keyword for gpg 2.2
  • Add gpg.conf for gpg 2.2 so we can specify passphrase in command line
  • Update warning message tests for gpg 2.2
  • Don't override fingerprint if it exists already
  • Make t/mail/crypt-gnupg.t pass with gpg 2.2
  • Quit gpg-agent after tests for gpg 2.2
  • Move signed_old_style_with_attachment.eml to emails directory
  • Always use temp gpg homedir to get a cleaner env
  • Add extra ignored keywords for gnupg 2.2.x
  • Fix unit test to cope with variations in how different versions of OpenSSL print certificates
  • Default cert-digest-algo from SHA1 to SHA256
  • Bump GnuPG::Interface to 1.00 to support gpg 2.2
  • Report the cert authority in an "assured by ..." clause
  • Report the S/MIME signer correctly when there is no EmailAddress
  • Fix a bug in the logic that suppresses the "email is unsigned" warning
  • Add AgorithmName to info returned by ParseKeysInfo
  • For GnuPG, add a tooltip with additional info about the signature
  • Add ability to download GnuPG public keys
  • Store and display additional info about S/MIME signatures
  • Extract email addresses from S/MIME certificates as specified in RFC 5750
  • Support SMIME certificate revocation using OCSP/CRL
  • Add deprecation warnings to RT::Test::GnuPG and RT::Test::SMIME.
  • Allow specification of outbound signing/encryption protocol on a per-queue basis
  • In Admin/Users/Keys.html, do not call "UseForOutgoing" when we have no $Queue object
  • Explain conversion of legacy list args to a hash in CheckRecipients
  • Add RT::Attachment->CryptStatus method
  • Fix error if a CA certificate does not define CRLDistributionPoints
  • Keep entire GnuPG fingerprint; don't truncate to 8 characters
  • Include S/MIME certificate serial number in tooltip
  • Add ability to download S/MIME c...

rt-4.2.17

14 Sep 22:38

RT 4.2.17 -- 2021-09-14

RT 4.2.17 is now available. This is the last release in the
RT 4.2 series. Users should plan to upgrade soon to a supported
release of RT 4.4 or 5.0. The list of changes included with this
release is below.

This release also includes a security fix described below.

https://download.bestpractical.com/pub/rt/release/rt-4.2.17.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.17.tar.gz.asc

SHA-256 sums

177b7e004b90ec7faaac8e21e11b7bc33bd129aba2d512e4b011c37995f8480c rt-4.2.17.tar.gz
95215dd19b46c01303470b8681d27626d3cb6c88a50491d6d5a9c8c7072bebe3 rt-4.2.17.tar.gz.asc

Security:

  • In previous versions, RT's native login system is vulnerable to user enumeration
    through a timing side-channel attack. This means an external entity could try to
    find valid usernames by attempting logins and comparing the time to evaluate each
    login attempt for valid and invalid usernames. This vulnerability does not allow any
    access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
    in this release.

Updates:

  • Remove search string including numbers in ticket autocomplete search on select
  • Use the correct CurrentUserCanSetOwner return value.
  • Find full path for processing acl files on upgrade
  • Find full path for processing index files on upgrade
  • Convert to abs path before executing initialdata files
  • Remove extra closing div on Login/Logout pages

A complete changelog is available from git by running:
git log rt-4.2.16..rt-4.2.17
or visiting
rt-4.2.16...rt-4.2.17

rt-5.0.1

29 Jan 15:51

RT 5.0.1 -- 2021-01-29

We're pleased to announce the general availability of RT 5.0.1.
The list of changes included with this release is below. This is
mostly a bugfix release but it also includes some additional
improvements that were not ready in time for the previous release.

https://download.bestpractical.com/pub/rt/release/rt-5.0.1.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.1.tar.gz.asc

SHA-256 sums

6c181cc592c48a2cba8b8df1d45fda0938d70f84ceeba1afc436f16a6090f556 rt-5.0.1.tar.gz
4b7a40a648e2e82575bcfa9d289b4b87129d3a437d0f0161666595cc8a373907 rt-5.0.1.tar.gz.asc

General Updates and Fixes

  • Don't display a dropdown in transaction history header if it is empty
  • Fix width/max-width for .width-md/.max-width-md
  • Switch to the correct *width-lg for existing *width-md elements
  • Add the OwnerNameEdit column as an option in the format dropdown in the query builder
  • Fix alignment for ticket creation on the group summary page
  • Fix radio/checkbox inputs for "click" panel behavior of inline edit
  • Preserve message quoting levels when converting HTML to plain text on comment/reply
  • In the lifecycle editor, confirm the actions config array value exists
  • Fix dark theme pagenum background color overlap
  • Fix dark theme action-private color in RichText editor
  • Show group tickets on self service closed tickets page
  • Restore Total Time Worked to previous position on Ticket Display page
  • Search group itself for SelfService "My group's tickets"
  • Fix the input name to delete group members on group admin page
  • On date selectors, fix the wrongly quoted date input id
  • Add RT::Extension::FormattedTransaction to core
  • Update HTML in transaction display to remove table-based layout
  • Set diff text style rules more specifically
  • In ticket search results, don't generate inline editing HTML if inline edit is disabled
  • Fix TimeUnits overlap for dark-theme
  • Fix dropdown toggle for dark-theme
  • Add ability to serve a custom dashboard as the SelfService home page
  • Fix datepicker icons for dark-theme
  • Add UI for editing and displaying the SortOrder associated with an article
  • Fix colors for selectionbox for dark-theme
  • Fix bootstrap tooltip colors for dark-theme
  • Fix dropzone colors for dark-theme
  • Fix EditConfig tab and active colors for dark-theme
  • Fix a:visited color change for dark-theme
  • Tweak error widget styles to improve display in elevator themes
  • Widen input box in Find a user portlet on RT at a Glance
  • Use ticket update page layout for "Update ticket" portlet on jumbo page
  • Align "Time to display" in footer
  • Fix upload file type custom fields in inline edit forms
  • Add "CustomFieldView" column type for view-only custom field values in search results
  • Fix an error loading the SavedSearches component on the RT at a glance page
  • Center comment/reply messagebox on bulk update
  • Replace cf hints with tooltips on bulk update
  • Fix padding for custom field inputs on bulk update
  • In lifecycle editor, update mapping form submission parsing to handle '-' in lifecycle name
  • Add new article portlets to the available self service components
  • Add Top and Newest Articles portlets for self service
  • Add a Home menu item to self service to mirror regular RT
  • Display article content in a titlebox container
  • Reduce the min-width of self service article list
  • Fix naming mismatch preventing system txn/asset/chart saved searches from being added to dashboards
  • Order articles in SelfServiceTopArticles by SortOrder
  • Fix col layout for transaction custom field values
  • On approval ticket display, switch to div to not create illegal nested links
  • Make pagination with many linked tickets in linked queue portlet work
  • Fix overlap of wrapped long values in forms
  • Remove extra, unmatched closing div on Login/Logout pages
  • Handle multipart attached emails when TreatAttachedEmailAsFiles is enabled

REST2 API

  • Add basic article/class endpoints to REST2
  • Add REST2 support for fetching attachment details with selected fields
  • Attachment content is now base64 encoded when returned
  • Abstract code to process file uploads to avoid duplication for REST2
  • In REST2, handle lazy-created custom role groups that don't exist
  • Add support for merging tickets in REST2
  • Support take/untake/steal for tickets in REST2
  • Accept an array of link params on record create for linking multiple tickets
  • Add support for updating record links
  • Allow attachments to be added when a ticket is created (thanks gibus and puck!)

Administration

  • On the RT Portal admin page, set parent height to make iframe take up the whole height
  • On user admin page, fix user data link overlap for dark-theme
  • 'use' REST2 in web handler as PSGIWrap needs it for the web installer
  • Make GnuPG file extensions more easily configurable
  • Add .gpg file extension support to RT::Crypt::GnuPG
  • Bump DBD::Pg to 3.8.0+
  • Allow updating a lifecycle from an invalid value to a valid option on queue admin pages
  • Add ShowEditLifecycleConfig option to disable lifecycle admin pages
  • Obfuscate passphrase in %SMIME, %GnuPG and %GnuPGOptions on system config page
  • In the rt-munge-attachments utility, allow header and content munging to be disabled by flags
  • Allow specifying of transactions for rt-munge-attachments to munge
  • Make inputs wider on scrip create/modify pages
  • Center content on scrip create/modify pages
  • Add SelfServiceShowArticleSearch configuration option
  • Display TreatAttachedEmailAsFiles as boolean in web UI
  • Add option to disable password prompt when creating tokens
  • Mark config items containing regexp immutable
  • Use JSON format for array/hash items in system config edit web UI
  • Find full path for processing acl files on upgrade to work with newer perls

Internals

  • Refactor code so we can add history endpoints to new classes more easily
  • Avoid permission check to get CF type in CustomFieldValueIsEmpty
  • Avoid permission check to get CF CanonicalizeClass
  • Confirm the queue default value in %ServiceAgreements is a hash before using it as one
  • Extract PriorityAsString config mapping in a method
  • Accept string priority values in SetPriority
  • Convert to absolute path before executing initialdata files
  • In lifecycle mappings, move 'MaybeRedirectForResults' code after mapping updates
  • Cache custom field values in mason to improve performance of inline edit
  • Allow class-level rights to show self service articles
  • Switch to Obfuscate callback for $DatabasePassword/$LDAPPassword configs
  • Remove special handling of password like core variables on configuration page
  • Fix uninitialized warnings for empty nested dependency
  • In ShowCustomFieldCustomGroupings, accept arg for inline edit form action URL
  • Drop useless queue parameter in loc call that doesn't have placeholders
  • Fall back to "RT::Ticket" item for extended classes in %InlineEditPanelBehavior
  • Respect extra query params to build page menus for all search pages
  • Check "ShowArticle" right beforehand to get accurate number of articles

Documentation

  • Document new FileExtensions config option for GnuPG
  • Add missing mapping to lifecycle docs example
  • Update existing lifecycle docs screenshots
  • Update screenshots in docs with 5.0 versions.
  • Fix the image path for subscriptions in feeds doc
  • Update README link to backups doc
  • Add support for linking POD in subdirectories for README/UPGRADING docs
  • Fix MimeType in REST2 doc example
  • Move asset examples to their own section in docs
  • Update lifecycle docs for lifecycle UI
  • Fix asset search endpoint in doc examples
  • Fix rt-setup-fulltext-index --dry-run flag docs
  • Update instructions for lifecycle mapping page to mention assets
  • Document steps to fix home pages with saved search errors
  • Document time zone dependencies in MariaDB for charts
  • Document switch to JSON instead of Perl for System Configuration editor
  • Document the options for modifying links via REST2
  • Add take, untake, steal endpoints to docs
  • Add documentation for using attachments via REST2

Testing and Developer

  • Don't clean gpg stuff if tests are skipped
  • Skip gpg homedir creation if tests are going to be skipped
  • Add REST2 tests for articles/classes
  • Add callback for modifying the group query on self service tickets page
  • Add tests to delete group members from web UI
  • Add test for the formatted transaction output.
  • Add callback to modify CSS files loaded in header
  • Test setting lifecycle from an invalid value to default on queue admin page
  • Test ticket custom field updates with names containing spaces in REST2
  • Fix BeforeMessageBox callback location on Bulk Update page
  • Make sure $user always exists to simplify Obfuscate callback a bit
  • Test tickets with custom roles applied later
  • Add tests for the lifecycle Mappings.html page
  • Fix typo in lifecycle_mappings test
  • Make admin_queue_lifecycle.t happy when RT_TEST_DEVEL is not enabled
  • Update dashboard tests for the format change of system saved searches
  • Add tests for system non-ticket saved searches in dashboards
  • Add tests for system non-ticket saved searches in MyRT
  • Update unit test for JSON entry of hashes/arrays rather than Perl
  • Test ticket merge in REST2
  • Test ticket steal/take/untake in REST2
  • Add REST2 tests for ticket link updates
  • Test custom field uploads on ticket create for REST2
  • Skip "links" html formatter tests if it's actually "elinks"
  • Add AfterQueueAddresses callback for queue admin page

A complete changelog is available from git by running:
git log rt-5.0.0..rt-5.0.1
or visiting
rt-5.0.0...rt-5.0.1

rt-5.0.0

16 Jul 13:00

RT 5.0.0 -- 2020-07-17

We're pleased to announce the general availability of RT 5.0.0. This
release introduces a major update of the web UI as RT now uses
the popular open source Bootstrap front-end toolkit. This brings
to RT a modern, responsive layout with all of the power and familiar
features of RT. Details on this and other changes and new features
are below.

You can get the new version here:

https://download.bestpractical.com/pub/rt/release/rt-5.0.0.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.0.tar.gz.asc

SHA-256 sums

781ac6e21d8e1cf3514ddc6a71418cefde903df241d4e7011e75f90eb62a952e rt-5.0.0.tar.gz
f3fe75aca612cbd7904877fa2951be691f5451ef11b4048e7906700d42853975 rt-5.0.0.tar.gz.asc

Although only noted in a few items in the list below, the Bootstrap
update alone accounted for hundreds of commits and thousands of lines
of code updates. We hope the update to a very popular web framework
will make it even easier for users to create (and share!) new
themes.

In addition to that major UI update, this release also contains many
other big new features including a new charting library, a graphical
lifecycle builder, and new web access for admins to update RT's
many configuration options. This new version of RT contains changes
and improvements from over 1,500 git commits.

We have also added configuration to run RT's 35,000+ tests using
TravisCI, so you can now see our test runs from GitHub.

A list of changes included in this release is below.

New features

  • Convert to Bootstrap as base web design framework
  • Remove table-based page layout and make design responsive
  • Create new elevator-light and elevator-dark themes
  • Convert many on-screen hints/help to tooltips
  • Add Fontawesome and update all icons to svg
  • Allow CustomDateRanges to be defined in configuration for
    use in ticket search results
  • Support BusinessHours times in CustomDateRanges
  • Support default dates when not defined for CustomDateRanges
  • Add linking support to groups
  • New Group Summary page (similar to User Summary)
  • Add group-scoped options for default ticket listings on
    Self Service pages
  • New transaction query builder for searching transactions
  • New asset query builder for searching assets, support for AssetSQL
  • RT configuration is now available to SuperUsers in the web interface
  • CKEditor updated to 4.13, re-styled for new themes
  • Update chart UI to use chart.js
  • Add CustomDateRanges and BusinessHours support to charts
  • Add line charts to chart options
  • Inline edit is now available on ticket display and in ticket
    listings (search results, saved searches, etc.)
  • Add jGrowl for pop-up style result messages
  • Ticket priority can now be set and managed using text priority
    options like Low, Medium, High (configurable)
  • New graphical UI for building and editing lifecycles (workflow)
    and lifecycle settings
  • LinkedQueuePortlets allows you to add a section to ticket display
    with linked tickets from another queue

General user UI

  • Add asset display menu actions to ShowAssets template
  • Relabel 'Password' box on /Prefs/AboutMe to 'Access control'
  • Default search result count display to on
  • Add default value for Articles in Queues
  • Add autocomplete for articles
  • Refactor ticket create and update to use new SelectArticle, merging
    previous 3 form controls for articles to one
  • Update article select to automatically show dropdown or autocomplete
    box based on DropdownMenuLimit
  • Remove article hotlist configuration since all articles in a class
    are available to associated queues
  • Queue can now be selected directly on the ticket create page and changed
    before creating a ticket
  • Catalog can now be selected on the asset create page and changed
    before creating an asset
  • Re-designed listing and selection UI for RT at a glance edit page and
    dashboard edit pages
  • New Selectize "bubbles" when entering users in Requestors, Cc, etc. on
    ticket create and update pages
  • Add configuration to hide custom roles from some pages like the ticket
    create page, etc.
  • Select one value custom fields now default to Dropdown
  • Content selected on ticket display is quoted on reply/comment
  • Add unread message count as an option for unread messages on RT at a glance
  • Display current queue on ticket update page (reply/comment)
  • Add Create Ticket option to Home menu so it is available when in assets, articles, etc.
  • New page option to reverse transaction sort on current ticket while viewing
  • Convert logos and images to svg
  • Adding/deleting values for custom fields now uses ajax to update
    in-page without a full page refresh
  • Move user-generated dashboards from the Home menu to Reports menu
  • Make Reports menu configurable, including removing default reports and
    adding/removing dashboards (like previous functionality in Home)
  • Support for filtering by lifecycle in ticket query builder
  • Default mobile devices to full (now responsive) RT web UI. Mobile
    optimized UI still available by setting $ShowMobileSite
  • Fix table wrapping error in Ticket/Update.html
  • Don't double-escape queue name in title generation stage
  • On ticket update, defer AJAX recipients update briefly to get form's latest status
  • Improve UI of unread messages notification
  • Omit groups in saved search privacy menu if user doesn't have rights
    to save searches for that group
  • Sync one time inputs back to checkboxes on ticket update page
  • Support searches on NULL (unset) values on user/group admin pages
  • Fill up cells of record's last row in search results
  • Add a display only Owner column as an alternative to OwnerName
  • Fix mobile home navigation for iOS

Extensions Added to Core

  • RT::Extension::QuoteSelection
  • RT::Extension::RightsInspector
  • RT::Extension::ConfigInDatabase
  • RT::Extension::CustomRole::Visibility
  • RT::Extension::PriorityAsString
  • RT::Extension::AssetSQL
  • RT::Extension::LifecycleUI
  • RT::Extension::REST2
  • RT::Authen::Token

Command-line

  • Move perl dependencies to cpanfile
  • Many improvements to information and output of rt-test-dependencies (make testdeps)
  • Many updates to module dependency lists, versions, etc.
  • Add support for JSON-formatted initialdata
  • Support assets and catalogs in initialdata
  • Support ObjectCustomFieldValues in initialdata
  • Support Articles in initialdata
  • New rt-dump-initialdata script to export RT objects to initialdata files
  • Add documentation for serializer/importer process

Internals

  • Clear Subject header from auto-generated text email part
  • Respect AllowUserAutocompleteForUnprivileged for email inputs in self service UI
  • Convert summary page asset searches to use AssetSQL
  • Multiple changes to RT query builder to allow for customization
    in extensions (specifically RTIR)
  • Migrate owner autocomplete to the general autocomplete
  • Support gpg 2.2 for email encryption
  • Allow extensions to add custom field groupings to queue defaults
  • Allow a Limit value to be passed to tickets autocomplete
  • Add ExternalAuth support for attribute mappings to user CFs
  • Add ExternalAuth support for coderefs in attr_map
  • Add DisplayTotalTimeWorked to RT_Config.pm
  • Add $QuoteWrapWidth option for wrap length when quoting on ticket reply
  • Fix uninitialized warning in ticket searches with active and inactive items
  • Use system user to get custom field objects to inspect in searches
  • Set a default for $AttachmentListCount
  • Clarify external auth logging when users are not found
  • Default lifecycle type to ticket on SelectStatus
  • Move SignatureAboveQuote to Message box properties
  • Add support for setting user CFs on create
  • Add sort for external custom field values
  • Fix removal of scrips when shredding queues
  • Restore mistakenly translated quant function in German translation
  • Handle subject tags prefixed with http:// by email clients
  • Remove duplicated closing tag for attachment delete links
  • Correctly handle custom field MaxValues
  • Update default rights check to false to correctly handle custom
    role edit rights checks on tickets
  • Add multipart/form-data encoding to EditAboutMe form
  • Fix removal of custom fields when shredding queues
  • Remove search string including numbers in ticket autocomplete search on select
  • Update RecentlyViewedTickets to deal with shredded/merged tickets
  • Fix bug that kept 11 tickets in the "recently visited" list instead of 10
  • Filter queues by checking "CreateTicket" right on ticket create page

Database

  • Drop HotList column for Classes
  • Update to utf8mb4 charset on MySQL/MariaDB
  • Update id size to BigInt for some tables that get large in big RTs

Server Administration

  • Make RT logout link configurable
  • Add %ThemeJSFiles config to serve different js for different themes
  • Remove references to end-of-life versions and software
  • Document a fix for perl module permissions problem
  • Avoid upgrade warning of "no such table: Configurations" before it's created
  • Document and log information on external HTML formatters

Developer

  • Move RT menu building logic from Mason templates into Perl
    library files
  • Refactor asset menu logic into separate functions
  • Deprecate RT::Article::LoadByInclude that was for old article selection UI
  • Pass ShowHints via a callback to provide a way to hide hints
  • Document additional plackup options via rt-server
  • Load Test::MockTime earlier to fully replace time functions in core
  • Allow RT_HOST to be set via environment variable for testing
  • Add docker and travis configuration to run RT tes...

rt-4.4.4

05 Mar 15:47

RT 4.4.4 -- 2019-03-05

We're pleased to announce the general availability of RT 4.4.4. The
list of changes included with this release is below. The most notable
changes in this release are security updates and the addition of new
features to address GDPR compliance.

https://download.bestpractical.com/pub/rt/release/rt-4.4.4.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.4.tar.gz.asc

SHA-256 sums

34c316a4a78d7ee9b95d4391530f9bb3ff3edd99ebbebfac6354ed173e940884 rt-4.4.4.tar.gz
d42447ab929129a79b5029857556934c592c608013ebbcfd6eb069020a023de8 rt-4.4.4.tar.gz.asc

Security Updates

  • One of RT's dependencies, the Perl module Email::Address, has a denial of service vulnerability which could induce a denial of service of RT itself. We recommend updating to Email::Address version 1.912 or later. The Email::Address vulnerabilities are assigned CVE-2015-7686 and CVE-2015-12558. CVE-2015-7686 was addressed in RT with a previous update. Email::Address version 1.912 addresses both of these CVEs with updates directly in the source module. Thanks to Ricardo Signes for helping us with these updates.

  • One of RT's dependencies, the Perl module Email::Address::List, relies on and operates similarly to Email::Address and therefore also has potential denial of service vulnerabilities. These vulnerabilities are assigned CVE-2018-18898. We recommend administrators install Email::Address::List version 0.06 or later. Thanks to Lukas Kramer for reporting the issue and Alex Vandiver for contributing fixes.

  • An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML in some cases. Since RT relies on this module to escape HTML content, it's possible this issue could allow malicious HTML to be displayed in RT. For RT installations using this optional module, we recommend administrators install HTML::Gumbo version 0.18 or later. Thanks to Ruslan Zakirov for updating this module.

  • The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting (XSS) vulnerability when using cross-domain Ajax requests. This vulnerability is assigned CVE-2015-9251. RT does not use this jQuery feature so it is not directly vulnerable. jQuery version 1.12 no longer receives official updates; however, a fix was posted with recommendations for applications to patch locally, so RT will follow this recommendation and ship with a patched version.

EU General Data Protection Regulation (GDPR)

Several new features were added to support GDPR compliance and are summarized here.
See the new GDPR documentation for details on the new features.

  • Provide ways to download user data to format-neutral tsv files.
  • Provide ways to anonymize or remove users.
  • Provide a tool to remove PII from transaction history.
  • Allow self service users to optionally view and edit their personal data.

General user UI

  • Don't skip sending mail if there are attached tickets.
  • Handle legacy PGP Partitioned format for Outlook-style messages.
  • Improve visuals of self service "Go to Ticket" box (I#31794).
  • Add SLA to query builder options.
  • Improve message when applying/removing custom roles from queues (I#32695).
  • Wipe out related transactions on custom field shred.
  • Add option to disable escaping HTML in articles (I#32374).
  • Add keyboard shortcuts for reply and comment on ticket display page.
  • Improve message for adding/deleting a new custom field value (I#32695).
  • Make each transaction in history display below previous transactions (CSS bug fix).
  • Avoid overflowing ticket subject in "Recently Viewed" menu on ballard theme.
  • Better align input boxes and login button.
  • Omit disabled users and groups from dashboard subscription page.
  • Don't return search results for disabled custom fields (I#33972).
  • Add some style to web UI shredder pages.
  • Render charts properly when searching with queue custom fields (I#32564).
  • On user prefs page, show system default values for Timezone and Lang when unset.

Administration

  • Templatize and install rt-search-attributes utility.
  • Allow rt-setup-fulltext-index to prompt for dba password.
  • Allow rt-validator to delete txns of reminder changes if reminders don't exist.
  • Allow rt-validator to delete txns of custom field changes if CFs don't exist.
  • Let rt-validator check more owner change txns.
  • Add default CSS in theme editor for heading font colors.
  • Pass UTF-8 decoded data to Create method for rt-importer on Pg.
  • Check SeeGroup on individual group admin pages.
  • Standardize error message for failed dashboard load.
  • Clarify email recipients in dryrun debug message for dashboard email.
  • Skip disabled users when sending dashboard subscriptions.
  • Allow multiple search criteria on group and user admin pages.
  • Fix cursor url for #logo-color-picker on theme editor page.
  • Fix logo color picker setup for Chrome.
  • Use full path for processing index files on upgrades.
  • Update rt-dump-metadata for the AppliedTo => AddedTo method name change.
  • Filter out expired SMIME keys.
  • Add script to automatically update DB sequences to the next available value.
    Useful when using serializer/importer to clone from one DB type to another.

Internals

  • Include only ticket lifecycles for Status = 'Active'.
  • Update article postfix loops from using $_ to a named variable.
  • Avoid duplicated items in index.html when generating online docs.
  • Don't endlessly try to terminate apache processes in tests.
  • Provide a results array to pass messages to ListActions for asset create.
  • Copy lifecycle array before iterating and possibly modifying.
  • Load RT::ObjectCustomFieldValues to prevent web installer errors.
  • Add a class based on custom field name to allow for easier custom styling.
  • Test lifecycle rights with optional context object to allow for role rights.
  • Remove signature feature from SelfService prefs since self service users can't have a sig.
  • Don't search empty attribute values in CanonicalizeUserInfoFromExternalAuth.
  • Add column to transaction column map for content.
  • Update AddTicket to force multipart/mixed email when attaching tickets to email.
  • Require Encode::HanExtra in RT::Attachment::EncodedHeaders when necessary.
  • Add caching to the queue list portlet to improve performance on RT at a glance.
  • Update session testing method when testing on Oracle to avoid hanging tests.

Developer

  • Add callbacks for modifying custom role lists.
  • Add ARGSRef parameter to the IncludeArticle callback.
  • Add callback 'BeforeTitle' to change history titlebox.
  • Add BeforeCreate callback for user admin page.
  • Apply dynamic tr classes on NEWLINE in Row callback (thanks to Michael Friedrich).
  • Add BeforeDeleteLink callback for AddAttachments.

Documentation

  • Add GDPR documentation.
  • Add custom roles documentation.
  • Update query builder docs to explain NOT NULL in CF searches.
  • Update database version notes in README.
  • Add and display a Synopsis for the user shredder plugin.
  • Clarify failed resolver error message for user shredder plugin.

A complete changelog is available from git by running:
git log rt-4.4.3..rt-4.4.4
or visiting
rt-4.4.3...rt-4.4.4

rt-4.2.16

05 Mar 14:56

RT 4.2.16 -- 2019-03-05

We're pleased to announce the general availability of RT 4.2.16. It
mainly contains several security updates. The list of changes included
with this release is below.

https://download.bestpractical.com/pub/rt/release/rt-4.2.16.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.16.tar.gz.asc

SHA-256 sums

1bbe619072b05efb55725c9df851363892b77ad6788dfd28eadce6a8f84a8209 rt-4.2.16.tar.gz
c7dedccdb6a5c96d20b418d10326dea0175fde0d09cfb47408ab472f696594ba rt-4.2.16.tar.gz.asc

Security Updates

  • One of RT's dependencies, the Perl module Email::Address, has a denial of service vulnerability which could induce a denial of service of RT itself. We recommend updating to Email::Address version 1.912 or later. The Email::Address vulnerabilities are assigned CVE-2015-7686 and CVE-2015-12558. CVE-2015-7686 was addressed in RT with a previous update. Email::Address version 1.912 addresses both of these CVEs with updates directly in the source module. Thanks to Ricardo Signes for helping us with these updates.

  • One of RT's dependencies, the Perl module Email::Address::List, relies on and operates similarly to Email::Address and therefore also has potential denial of service vulnerabilities. These vulnerabilities are assigned CVE-2018-18898. We recommend administrators install Email::Address::List version 0.06 or later. Thanks to Lukas Kramer for reporting the issue and Alex Vandiver for contributing fixes.

  • An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML in some cases. Since RT relies on this module to escape HTML content, it's possible this issue could allow malicious HTML to be displayed in RT. For RT installations using this optional module, we recommend administrators install HTML::Gumbo version 0.18 or later. Thanks to Ruslan Zakirov for updating this module.

  • The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting (XSS) vulnerability when using cross-domain Ajax requests. This vulnerability is assigned CVE-2015-9251. RT does not use this jQuery feature so it is not directly vulnerable. jQuery version 1.12 no longer receives official updates; however, a fix was posted with recommendations for applications to patch locally, so RT will follow this recommendation and ship with a patched version.

A complete changelog is available from git by running:
git log rt-4.2.15..rt-4.2.16
or visiting
rt-4.2.15...rt-4.2.16

rt-4.4.3

26 Jun 15:51

RT 4.4.3 -- 2018-06-26

We're pleased to announce the general availability of RT 4.4.3. This
release introduces several new features and also bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.4.3.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.3.tar.gz.asc

SHA-256 sums

738ab43cac902420b3525459e288515d51130d85810659f6c8a7e223c77dadb1 rt-4.4.3.tar.gz
29e0f9c44e30fb8bb2d23448f1930593aef28e4b3faf5bd22619f52e53229c4f rt-4.4.3.tar.gz.asc

General user UI

  • Show the Ticket's Subject when modifying the ticket.
  • Re-format RT/Config.pm so the # loc comment parses correctly.
  • Sort saved searches alphabetically by name rather than by id.
  • In Self Service, provide a path to remove attachments from the session
    when they are deleted from dropzone by the user (I#32663).
  • Fix evaluation of set vs. unset custom fields on display for correct hiding.
  • Set dropzone attachment size based on RT's MaxAttachmentSize configuration.
  • Add a configuration option TreatAttachedEmailAsFiles to treat attached email
    as a file attachment instead of parsing as regular email.
  • Restore email header parsing for items like email addresses when
    TreatAttachedEmailAsFiles is not set. This was disabled in a previous
    version.
  • Respect default queue settings in Create linked ticket dropdown (I#32884).
  • More fixes for recipient checkboxes on update. This version removes previous
    problematic fixes and gives a visual indication (shading) when RT is updating
    recipients in the background and checkboxes should not be changed (I#33027).
  • Provide a way to reset personal search preferences back to the RT system
    default (I#32854).
  • Add an Untake action to the Actions tab.
  • Add active and inactive status to query builder.
  • Re-add Queue to 'Order by' dropdown in Search Builder.
  • Make admin searches for queue and group case insensitive making it easier to
    find groups.
  • When editing ticket basics, always add valid default value to queue selection,
    taking into account SeeQueue rights.
  • Set dropzone parallelUploads to 1 to avoid losing attachments. Also
    set parallelUploads when the dropzone object is created.
  • Correct error messages on user rights for CF admin UI.
  • In ticket history, respect ShowHeaders option from request for
    ScrollShowHistory (I#32699).
  • Fix ExtraArgs of callback ExtraShowHistoryArguments in ScrollShowHistory.
  • In the ticket history with scroll set, continue to get transactions until all
    have been shown, even if a block has been hidden for some reason (rights, etc.).
  • Add PreferDropzone config/pref option for users. Dropzone is not accessible
    to screen readers and this enables the previous attachments interface which
    is accessible.
  • In the query builder, set operator to "IS" or "IS NOT" for NULL values.
    This fixes a regression from pre-4.4 RT behavior.
  • Don't create ticket if user clicks "Go" buttons of "Include Article".
  • Fix CF name escape for asset search's spreadsheet download.
  • Show the user in single member custom roles even if the user is
    disabled (I#32949).

Administration

  • Stop wrapping ShowUser in tags to avoid unnecessary nested links.
  • When listing group members, sort by text-only representation of the
    user, not HTML (I#30771)
  • In the group admin page, stop pre-computing ShowUser.
  • In shredder, check for both id and name mismatches when loading objects.
  • Add a new rt-passwd command to make it easy to reset passwords on the
    command-line.
  • Support custom roles in RT serializer/importer tools.
  • Support catalogs and assets in RT serializer/importer tools.
  • Update RT's module dependencies for SSL (https) to align with updates
    to the CPAN module ecosystem.
  • Add age, batchsize, and dry-run options to rt-externalize-attachments.
  • Set proper HTTP Status codes on Abort.
  • The value for converting the owner dropdown to an autocomplete textbox can
    now be updated in configuration with DropdownMenuLimit.
  • Switch to Clone::clone to copy config structures in Obfuscate callbacks. This
    restores support for REGEXP and CODE configuration on the System Configuration page.
  • Provide a way to pass more options to Net::LDAP from LDAPImport configuration.
  • Provide more debug output on connection failures in LDAPImport.
  • Store log messages until RT::Logger is initialized. This means messages logged
    before the logger is available, like "Change of config option..." can now
    respect the configured log level.
  • Retain scrip sort order in pagination links

Internals

  • Cache OCFVs to improve performance searching for duplicates when adding
    values.
  • Remove unused dependencies on File::Copy and Carp.
  • On Oracle, return the empty string instead of undef for Subject when it
    has no value on a ticket.
  • When linking, load assets by id to confirm the asset exists. This makes
    asset link handling consistent with ticket handling.
  • Various fixes for compatibility with perl 5.26.
  • Support unicode characters in constant time comparison function
  • Allow merge for tickets only, not other types like reminders (I#32700).
  • Preload Encode with UTF-8 to avoid masking other errors (I#32648).
  • Process multiple links via the REST 1.0 interface.
  • Add SLA field support on REST 1.0.
  • Build table attributes for RT::Asset. This is needed to allow assets to work
    properly with REST 2.0.
  • Avoid uninitialized value warnings with CustomField.
  • Call DoAuth only if ExternalAuthPriority is not empty, allowing use of
    ExternalAuthInfo without ExternalAuthPriority set.
  • Use "id asc" as the default sort order of GroupMembers for consistent ordering.
  • Cache OCFVs to improve performance searching for duplicates on add.
  • In CollectionAsTable, fix the uninitialized warning in case @order is empty.
  • In rt-validator, update link checking regex to match asset links.
  • Remove trailing "/" from RT::URI::asset::LocalURIPrefix for consistency.
  • Use RT::Logger for EmailInputEncodings config warnings.
  • "Die" properly when receiving an invalid query via FromSQL.

Developer

  • Avoid using $id in /Ticket/Display.html so callbacks can modify id in ARGS.
  • Pass the MIME entity to ParseTicketId in addition to subject.
  • Remove a 'This is scary' comment from code that has been running fine for
    over 10 years.
  • Improve warning tracking for automated tests.
  • Add an Initial callback to Bulk.html.
  • Don't fail externalauth/auth_config.t tests if Net::LDAP is missing.
  • Find an idle port for LDAP test server to avoid tests hanging when running
    in parallel mode.
  • When testing, make sure DevelMode is on to catch compilation errors.
  • Avoid uninitialized warnings of empty ticket subjects on Oracle.
  • In the MessageBox template, default callback, pass $message by reference in
    MessageRef, as the variable name implies. This will break previous use of
    MessageRef as a scalar.
  • Add support for a NeverNotifyActor argument to Notify actions.

Documentation

  • Mention the RT-Attach-Message: yes header in template docs.
  • Fix incorrect path in portlet documentation.
  • In $ParseNewMessageForTicketCcs docs, mention the RT::Action::AutoAddWatchers
    extension.
  • Document queue-level template overrides.
  • Document using prove and RT_TEST_PARALLEL for tests.
  • Note in UPGRADING that RT::Extension::AdminConditionsAndActions is now in core.
  • Remove unnecessary AUTHORS sections from docs.
  • Update rt-static-docs documentation processing to fix broken links.
  • Add MariaDB support to documentation and rt-setup-fulltext-index.

Internationalization

  • Many changes to refactor sections of RT's internationalization code.

A complete changelog is available from git by running:
git log rt-4.4.2..rt-4.4.3
or visiting
rt-4.4.2...rt-4.4.3

rt-4.2.15

21 Jun 13:18

RT 4.2.15 -- 2018-06-19

We're pleased to announce the general availability of RT 4.2.15. It
contains several improvements and also a few bug fixes. The list of
changes included with this release is below.

https://download.bestpractical.com/pub/rt/release/rt-4.2.15.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.15.tar.gz.asc

SHA-256 sums

3752a12eff67c640e577d2b5feda01c9f07e3b2e227eabf50089086e98038bba rt-4.2.15.tar.gz
e278f4335e86528356301bbf49b239f44caaedacab7caf1c34625d141ed3aa9c rt-4.2.15.tar.gz.asc

General user UI

  • Show the Ticket's Subject when modifying the ticket.
  • Re-format RT/Config.pm so the # loc comment parses correctly.

Web Administration

  • Stop wrapping ShowUser in tags to avoid unnecessary nested links.
  • When listing group members, sort by text-only representation of the
    user, not HTML (I#30771)
  • In the group admin page, stop pre-computing ShowUser.
  • In shredder, check for both id and name mismatches when loading objects
  • Retain scrip sort order in pagination links

Internals

  • Cache OCFVs to improve performance searching for duplicates when adding
    values.
  • Remove unused dependencies on File::Copy and Carp.
  • On Oracle, return the empty string instead of undef for Subject when it
    has no value on a ticket.
  • Handle alphabetic words in RT::Plugin::Version

Developer

  • Avoid using $id in /Ticket/Display.html so callbacks can modify id in ARGS.

Documentation

  • Mention the RT-Attach-Message: yes header in template docs.
  • Fix incorrect path in portlet documentation.

Internationalization

  • Many changes to refactor sections of RT's internationalization code.

A complete changelog is available from git by running:
git log rt-4.2.14..rt-4.2.15
or visiting
rt-4.2.14...rt-4.2.15

rt-4.4.2

25 Jun 16:23

RT 4.4.2 -- 2017-07-26

We're pleased to announce the general availability of RT 4.4.2. This
release introduces several important security fixes, a handful of
new features, and many bugfixes.

We have redesigned how time worked is calculated per user and for
children tickets. As always please be sure to review the UPGRADING-4.4
document.

The list of security fixes is included below, followed by new features
then by other improvements and bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.4.2.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.2.tar.gz.asc

SHA-256 sums

b2e366e18c8cb1dfd5bc6c46c116fd28cfa690a368b13fbf3131b21a0b9bbe68 rt-4.4.2.tar.gz
2185c2be31b352ad0a7605f9a4e4720b2c3607df75aae1c0cbace9eb9e6fcef8 rt-4.4.2.tar.gz.asc

  • Shawn M Moore, for Best Practical

Security

  • RT 4.0.0 and above are vulnerable to an information leak of cross-site
    request forgery (CSRF) verification tokens if a user visits a specific
    URL crafted by an attacker. This vulnerability is assigned
    CVE-2017-5943. It was discovered by a third-party security researcher.

  • RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
    if an attacker uploads a malicious file with a certain content type.
    Installations which use the AlwaysDownloadAttachments config setting are
    unaffected. This fix addresses all existent and future uploaded
    attachments. This vulnerability is assigned CVE-2016-6127. This was
    responsibly disclosed to us first by Scott Russo and the GE Application
    Security Assessment Team.

  • One of RT's dependencies, a Perl module named Email::Address, has a
    denial of service vulnerability which could induce a denial of service
    of RT itself. We recommend administrators install Email::Address version
    1.908 or above, though we additionally provide a new workaround within
    RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
    vulnerability's application to RT was brought to our attention by Pali
    Rohár.

  • RT 4.0.0 and above are vulnerable to timing side-channel attacks for
    user passwords. By carefully measuring millions or billions of login
    attempts, an attacker could crack a user's password even over the
    internet. RT now uses a constant-time comparison algorithm for secrets
    to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
    This was responsibly disclosed to us by Aaron Kondziela.

  • RT's ExternalAuth feature is vulnerable to a similar timing side-channel
    attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
    extension, as well as the core ExternalAuth feature in RT 4.4 are
    vulnerable. Installations which don't use ExternalAuth, or which use
    ExternalAuth for LDAP/ActiveDirectory authentication, or which use
    ExternalAuth for cookie-based authentication, are unaffected. Only
    ExternalAuth in DBI (database) mode is vulnerable.

  • RT 4.0.0 and above are potentially vulnerable to a remote code execution
    attack in the dashboard subscription interface. A privileged attacker
    can cause unexpected code to be executed through carefully-crafted saved
    search names. Though we have not been able to demonstrate an actual
    attack owing to other defenses in place, it could be possible. This fix
    addresses all existent and future saved searches. This vulnerability is
    assigned CVE-2017-5944. It was discovered by an internal security audit.

  • RT 4.0.0 and above have misleading documentation which could reduce
    system security. The RestrictLoginReferrer config setting (which has
    security implications) was inconsistent with its implementation, which
    checked for a slightly different variable name. RT will now check for the
    incorrect name and produce an error message. This was responsibly
    disclosed to us by Alex Vandiver.
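
The constant-time comparison mentioned in the CVE-2017-5361 item above, as an added illustration (not RT's own code): the function names and the sample digest are constructed for this example. It counts bytes examined instead of measuring time, so the data-dependent work of an early-exit comparison is visible deterministically.

```perl
use strict;
use warnings;

# Early-exit comparison: the number of bytes examined depends on how long
# a prefix of the guess matches the secret, which is what a timing
# side channel measures.
sub early_exit_eq {
    my ($x, $y) = @_;
    my $examined = 0;
    return (0, $examined) if length($x) != length($y);
    for my $i (0 .. length($x) - 1) {
        $examined++;
        return (0, $examined) if substr($x, $i, 1) ne substr($y, $i, 1);
    }
    return (1, $examined);
}

# Constant-time comparison: every byte is always examined and the
# differences are OR-ed together, so the work done does not depend on
# where the first mismatch occurs.
sub constant_time_eq {
    my ($x, $y) = @_;
    return (0, 0) unless defined $x && defined $y;
    # The length of a fixed-size digest is not secret, so this exit is safe.
    return (0, 0) if length($x) != length($y);
    my ($diff, $examined) = (0, 0);
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
        $examined++;
    }
    return ($diff == 0 ? 1 : 0, $examined);
}

# Constructed sample: a stored hex digest and three candidate values.
my $stored  = 'a3f1c9d27e';
my @guesses = ('0000000000', 'a3f1c00000', 'a3f1c9d27e');

for my $guess (@guesses) {
    my ($ok_leaky, $n_leaky) = early_exit_eq($stored, $guess);
    my ($ok_const, $n_const) = constant_time_eq($stored, $guess);
    printf "%-10s  early-exit: match=%d bytes=%d   constant-time: match=%d bytes=%d\n",
        $guess, $ok_leaky, $n_leaky, $ok_const, $n_const;
}
```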

New features

  • Custom fields now have a "New values must be unique" option.

  • Custom fields now support value canonicalization (for example,
    automatically changing input values to be all uppercase). See the
    @CustomFieldValuesCanonicalizers config option.

  • Ticket timers provide a comment box for quickly adding ticket comments
    to describe your time worked.

  • You can now set up default values for assets on a catalog level.

  • You can choose to display result counts on ticket search portlets using
    the new $ShowSearchResultCount config setting.

  • There is now a "Load all history" link for the "as you scroll" history
    loading mode, to allow you to use browser-based text search.

  • We now display a list of recently-viewed tickets in the
    Search -> Tickets -> Recently Viewed menu.

  • We have made RT::Extension::AdminConditionsAndActions part of core
    RT, so you can now easily configure the conditions and actions of
    your scrips right within the admin UI.

General user UI

  • Avoid breaking sorting of non-ticket searches in dashboards
  • Avoid duplicate one-time recipients (I#31938, I#31939)
  • Suppress ticket Ccs and AdminCcs from one-time recipients
  • Allow ordering assets with "CustomField.Foo" syntax
  • Avoid divide-by-zero in charts with no data (I#32143)
  • Add ability to link multiple assets to a new ticket from asset bulk
    update
  • Add quick asset create portlet for user summary
  • Add encrypt/sign controls to ticket forward page
  • Fix browser-based search navigation link generation (I#32197)
  • Remove self-service password change form under ExternalAuth
  • Respect SetInitialCustomField right in self-service (I#32233)
  • Declare page as being in user's language for browser spellcheck (I#32082)
  • Fix error with merge tickets being used on bulk update (I#32237)
  • Avoid overaggressively generating external attachment links
  • Add $HideOneTimeSuggestions config to hide one-time recipient
    addresses behind a click
  • Add "All recipients" checkboxes to modify people page and one-time
    recipients on update
  • Dashboards are now displayed in alphabetically-sorted order
  • Remove dashboard from menu if it can't be loaded (I#29719)
  • Avoid wrapping one-time recipient checkbox separately from its
    label (I#32117)
  • Use only top-level attachments for generating one-time recipient lists
    to avoid e.g. phishing addresses
  • Fix accidental usage of server timezone for end users (I#32315)
  • Add user preference for browser context menu instead of
    CKEditor's, for native spellcheck (#32274)
  • QuickCreate on a dashboard no longer sends you to the homepage (I#25573)
  • Respect HideTimeFieldsFromUnprivilegedUsers in correspond
    transactions with time worked
  • Fix occasionally-missing background-color for comments
  • Add a Timer column to search results for launching ticket timer
  • Fix error preventing merging tickets with lazily-created watcher
    groups (I#32490)
  • Add a CurrentUserName TicketSQL placeholder
  • You can now search tickets using Queue LIKE '…' and Queue NOT LIKE '…'
  • Make "Show all" link for attachment lists more prominent (I#32459)
  • Respect SetInitialCustomField for multi-valued CFs (I#32491)
  • Fix bulk update for asset custom fields (I#32509)
  • Add support for CF grouping in asset bulk update (#32198)
  • Add "reattach" as an attachment warning keyword
  • Sort one-time recipient addresses (I#31879)
  • Fix article quicksearch degrading the article menu (#31591)
  • Avoid noisy "CF changed from 0 to 0" messages (I#32440)
  • Avoid showing a truncated list of articles due to permissions (I#31989)
  • Avoid double-encoded text attachments loaded from ExternalStorage
  • You can now chart tickets by SLA (I#31824)
  • Add "Show all" button for attachments on ticket forward page
  • Relabel "Password" portlet on user page to "Access control" (I#31379)
  • Fix UI for bulk update of "List"-type select-multiple CFs (I#32562)
  • Avoid discarding checkbox changes in Recipients panel (I#32290)
  • Clean up article custom fields display (I#32641)
  • Add SLA field to bulk update if any queues have SLA enabled
  • Include the new Request Tracker logo
  • Fix overly-large bookmark star on mobile UI (I#32727)
  • Stop double-escaping HTML which is made into links (I#31169)
  • Fix keyboard shortcut UI for selecting tickets on old themes (I#32748)
  • Add Reports menu with several predefined reports

Command-line

  • Fix rt-ldapimporter --debug logging output (I#32196)
  • Improve rt-ldapimporter documentation
  • Produce output from etc/upgrade/upgrade-assets

Email

  • Avoid overaggressively trimming whitespace from MIME encoded-words
  • Add config option $OverrideMailPrecedence to help avoid out-of-office
    autoreplies
  • Fix issues with encrypted attachments being unreadable/absent

Database

  • Skip DBA password prompt on SQLite
  • Avoid warnings when upgrading old saved searches (I#32235)
  • … and fix up those old saved searches (I#16856)
  • Restart asset and catalog ID sequences for Pg and Oracle in
    etc/upgrade/upgrade-assets
  • Add index on Attachments table column Filename (I#32033)
  • Replace deprecated NOCREATEUSER with NOSUPERUSER for
    Postgres 9.6 (I#32511)
  • Avoid deadlock in SetOwner race condition which we believe affected
    only MySQL (I#32381)
  • The previous may have caused inconsistent ticket ownership, and so
    the 4.4.2 upgrade step will find and fix such issues
  • Add rt-validator rules for possible issues around ticket owner

rt-serializer/rt-importer

  • Fix several incorrect references in output (I#31803, I#31804, I#31805,
    I#31808)
  • Add --exclude-organization option (I#31812, I#31813)
  • Add --limit-queues and --limit-cfs options
  • Suppress semi-unmigrated link relationships by default
  • Add --hyperlink-unmigrated option
  • Fix queue change transactions to mention unmigrated queues by name
  • Support for dashboards in menu preference (I#31810)
  • Support for RT at a Glance prefer...