Releases: bestpractical/rt
rt-4.2.14
sartak
Shawn M Moore
RT 4.2.14 -- 2017-07-26
We're pleased to announce the general availability of RT 4.2.14. This
release introduces several important security fixes as well as many
bugfixes.
The list of security fixes is included below, followed by other
improvements and bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.2.14.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.14.tar.gz.asc
SHA-256 sums
b3ee51d284001fe6938f879754a03866073aa48992fdd1709b1a54a1e6c6e614 rt-4.2.14.tar.gz
a5dd10fe84691a3f84e1d5983d8223c46a6b34eb20b92cbeca1c0a2f793d8e56 rt-4.2.14.tar.gz.asc
- Shawn M Moore, for Best Practical
Security
-
RT 4.0.0 and above are vulnerable to an information leak of cross-site
request forgery (CSRF) verification tokens if a user visits a specific
URL crafted by an attacker. This vulnerability is assigned
CVE-2017-5943. It was discovered by a third-party security researcher. -
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
if an attacker uploads a malicious file with a certain content type.
Installations which use the AlwaysDownloadAttachments config setting are
unaffected. This fix addresses all existant and future uploaded
attachments. This vulnerability is assigned CVE-2016-6127. This was
responsibly disclosed to us first by Scott Russo and the GE Application
Security Assessment Team. -
One of RT's dependencies, a Perl module named Email::Address, has a
denial of service vulnerability which could induce a denial of service
of RT itself. We recommend administrators install Email::Address version
1.908 or above, though we additionally provide a new workaround within
RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
vulnerability's application to RT was brought to our attention by Pali
Rohár. -
RT 4.0.0 and above are vulnerable to timing side-channel attacks for
user passwords. By carefully measuring millions or billions of login
attempts, an attacker could crack a user's password even over the
internet. RT now uses a constant-time comparison algorithm for secrets
to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
This was responsibly disclosed to us by Aaron Kondziela. -
RT's ExternalAuth feature is vulnerable to a similar timing side-channel
attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
extension, as well as the core ExternalAuth feature in RT 4.4 are
vulnerable. Installations which don't use ExternalAuth, or which use
ExternalAuth for LDAP/ActiveDirectory authentication, or which use
ExternalAuth for cookie-based authentication, are unaffected. Only
ExternalAuth in DBI (database) mode is vulnerable. -
RT 4.0.0 and above are potentially vulnerable to a remote code execution
attack in the dashboard subscription interface. A privileged attacker
can cause unexpected code to be executed through carefully-crafted saved
search names. Though we have not been able to demonstrate an actual
attack owing to other defenses in place, it could be possible. This fix
addresses all existant and future saved searches. This vulnerability is
assigned CVE-2017-5944. It was discovered by an internal security audit. -
RT 4.0.0 and above have misleading documentation which could reduce
system security. The RestrictLoginReferrer config setting (which has
security implications) was inconsistent with its implementation, which
checked for a slightly different variable name. RT will now check for the
incorrect name and produce an error message. This was responsibly
disclosed to us by Alex Vandiver.
General user UI
- Avoid divide-by-zero in charts with no data (I#32143)
- Remove dashboard from menu if it can't be loaded (I#29719)
- Avoid wrapping one-time recipient checkbox separately from its
label (I#32117) - Use only top-level attachments for generating one-time recipient lists
to avoid e.g. phishing addresses - Fix bulk update for asset custom fields (I#32509)
- Sort one-time recipient addresses (I#31879)
- Fix article quicksearch degrading the article menu (#31591)
- Avoid noisy "CF changed from 0 to 0" messages (I#32440)
- Avoid showing a truncated list of articles due to permissions (I#31989)
- Include the new Request Tracker logo
- Stop double-escaping HTML which is made into links (I#31169)
- Avoid overaggressively trimming whitespace from MIME encoded-words
- Add config option $OverrideMailPrecedence to help avoid out-of-office
autoreplies - Fix issues with encrypted attachments being unreadable/absent
Database
- Replace deprecated NOCREATEUSER with NOSUPERUSER for
Postgres 9.6 (I#32511)
rt-serializer/rt-importer
- Fix several incorrect references in output (I#31803, I#31804, I#31805,
I#31808) - Add --exclude-organization option (I#31812, I#31813)
- Add --limit-queues and --limit-cfs options
- Suppress semi-unmigrated link relationships by default
- Add --hyperlink-unmigrated option
- Fix queue change transactions to mention unmigrated queues by name
- Support for dashboards in menu preference (I#31810)
- Support for RT at a Glance preference (I#31809)
- Don't skip RT->System searches
- Avoid breaking rights granted to users (I#31806)
Web Administration
- Add checkbox for selecting all custom field values in admin UI
- Log a history entry when adjusting whether a user is Privileged
- Log history entries when adding/removing a group member both to
the group and to the member - Hide disabled scrips by default, adding a "include disabled scrips"
checkbox (I#30131) - Add missing timezone field on user create/modify (I#29977)
- Add RT extension names and versions to System Configuration page (I#31482)
Server Administration
- Avoid error messages in 4.0.1 upgrade step
- Improve automatic identification of
findcommand - Add RefreshIntervals config option for managing homepage and
dashboard refresh - Log failure to unlink temp file after email parse (I#32142)
- Make automatically linking a used article to the ticket configurable
with $LinkArticlesOnInclude config - Avoid undef warnings with mbox MailCommand and FastCGI
- Avoid regex deprecation warnings on perl 5.21.1+
- Avoid issues with modern Perl versions excluding ./ from @inc
- Reduce log levels of custom field loading issues caused by ordinary
end-user actions (I#31742) - Adapt SMIME probe to work with openssl 1.1
- Double bcrypt cost for password hashing
- Avoid "Couldn't load object RT::Transaction #0" warnings (I#31548)
- Avoid broken DateTime::Locale versions (I#31542)
- Avoid incompatible DBD::mysql version (I#32670)
Developer
- Clarify the usage of skip_update in /Ticket/Update.html BeforeUpdate
callback - Fix whitespace-related test failures under Mojolicious 7.0
- Fix test failures when /usr/bin/sendmail absent
- Factor out _OutgoingMailFrom into a separate method for extensibility
- Ensure that Test::NoWarnings is skipped if skip_all is used
- Fix bug where RT::Ticket->Create's SquelchMailTo would squelch only
to the first address (I#31600) - Avoid test failure caused by hash randomization
- Set up default args for customizations calling SignEncrypt directly
- New callbacks:
/Elements/ShowCustomFieldWikitext WikiFormatArgs
/Search/Elements/Chart AfterChartTable - Improved callbacks:
/Elements/Tabs Privileged adds Search_Args and Has_Query parameters
Documentation
- Update links to the RT wiki
- Update mailing list references to point to community forum
- Improve documentation around creating a custom theme (I#31800)
- Document how to include custom fields in format strings
Internationalization
- Improve translatability of "Refresh home page every x minutes." now
that "x" is configurable with @RefreshIntervals - Update translations for: Brazilian Portuguese, Dutch, German, Latvian,
Macedonian, Russian, Serbian, Slovenian, and Spanish
A complete changelog is available from git by running:
git log rt-4.2.13..rt-4.2.14
or visiting
rt-4.2.13...rt-4.2.14
rt-4.0.25
sartak
Shawn M Moore
RT 4.0.25 -- 2017-07-26
We're pleased to announce the general availability of RT 4.0.25. This
release introduces several important security fixes as well as a handful
of bugfixes. Please be aware that we intend for the 4.0.25 release to be
the final release of the RT 4.0 series and no further security or bug
fixes will be published.
The list of security fixes is included below, followed by other
improvements and bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.0.25.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.0.25.tar.gz.sig
SHA-256 sums
69daa9b9e6c9acb4ca31ec1c3efc8bb4901cc7047eed784f2f91515815fdd4cd rt-4.0.25.tar.gz
cde49077cb7b125216cb264048fee9ad8961d227c5d24e93d7f7644c88b0a7d6 rt-4.0.25.tar.gz.sig
- Shawn M Moore, for Best Practical
Security
-
RT 4.0.0 and above are vulnerable to an information leak of cross-site
request forgery (CSRF) verification tokens if a user visits a specific
URL crafted by an attacker. This vulnerability is assigned
CVE-2017-5943. It was discovered by a third-party security researcher. -
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
if an attacker uploads a malicious file with a certain content type.
Installations which use the AlwaysDownloadAttachments config setting are
unaffected. This fix addresses all existant and future uploaded
attachments. This vulnerability is assigned CVE-2016-6127. This was
responsibly disclosed to us first by Scott Russo and the GE Application
Security Assessment Team. -
One of RT's dependencies, a Perl module named Email::Address, has a
denial of service vulnerability which could induce a denial of service
of RT itself. We recommend administrators install Email::Address version
1.908 or above, though we additionally provide a new workaround within
RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
vulnerability's application to RT was brought to our attention by Pali
Rohár. -
RT 4.0.0 and above are vulnerable to timing side-channel attacks for
user passwords. By carefully measuring millions or billions of login
attempts, an attacker could crack a user's password even over the
internet. RT now uses a constant-time comparison algorithm for secrets
to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
This was responsibly disclosed to us by Aaron Kondziela. -
RT's ExternalAuth feature is vulnerable to a similar timing side-channel
attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
extension, as well as the core ExternalAuth feature in RT 4.4 are
vulnerable. Installations which don't use ExternalAuth, or which use
ExternalAuth for LDAP/ActiveDirectory authentication, or which use
ExternalAuth for cookie-based authentication, are unaffected. Only
ExternalAuth in DBI (database) mode is vulnerable. -
RT 4.0.0 and above are potentially vulnerable to a remote code execution
attack in the dashboard subscription interface. A privileged attacker
can cause unexpected code to be executed through carefully-crafted saved
search names. Though we have not been able to demonstrate an actual
attack owing to other defenses in place, it could be possible. This fix
addresses all existant and future saved searches. This vulnerability is
assigned CVE-2017-5944. It was discovered by an internal security audit. -
RT 4.0.0 and above have misleading documentation which could reduce
system security. The RestrictLoginReferrer config setting (which has
security implications) was inconsistent with its implementation, which
checked for a slightly different variable name. RT will now check for the
incorrect name and produce an error message. This was responsibly
disclosed to us by Alex Vandiver.
General user UI
- Make sub-menus accessible on screen-readers
- Respect the user's chosen units for Time Worked across page loads, instead
of always defaulting to minutes (I#17985) - In Jumbo, preserve ticket basics so in progress changes persist after
returning to the page - Fix a regression in 4.0.20 which caused some users to have
blank homepages (I#30106) - Include the new Request Tracker logo
Database
- We now correctly shred ObjectCustomFields records when shredding a
CustomField
Server Administration
- Avoid issues with dual-life module installation on older, patched perls
- Explicitly depend on Class::Accessor::Fast, not Class::Accessor
- Fix potential upgrade failure in e.g. etc/upgrade/upgrade-articles
- Avoid regex deprecation warnings on perl 5.21.1+
- Avoid issues with modern Perl versions excluding ./ from @inc
- Avoid broken DateTime::Locale versions (I#31542)
- Avoid incompatible DBD::mysql version (I#32670)
Developer
- Fix RT::Attribute->DeleteSubValue
- Remove duplicated content-encoding handling in OriginalContent
Documentation
- Update links to the RT wiki
- Update mailing list references to point to community forum
Internationalization
- Update translations for: Arabic, Catalan, Czech, Occitan, Persian,
Serbian, and Slovak
A complete changelog is available from git by running:
git log rt-4.0.24..rt-4.0.25
or visiting
rt-4.0.24...rt-4.0.25
rt-4.4.1
sartak
Shawn M Moore
RT 4.4.1 -- 2016-07-20
We're pleased to announce the availability of RT 4.4.1. This release
addresses several bugs in RT 4.4.0 and also adds a few small but important
features.
The list of new features is included below, followed by bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.4.1.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.1.tar.gz.asc
SHA1 sums
a3c7aa5398af4f53c947b4bee8c91cecd5beb432 rt-4.4.1.tar.gz
ae0308287bf1c42d2a3fe0a429f4c8715d15599d rt-4.4.1.tar.gz.asc
- Shawn M Moore, for Best Practical
New features
- Administrators and users can now choose to place signatures above
the quoted message in replies (RT_Config setting
"SignatureAboveQuote" and the similarly named user preference). This
also improves the specific spacing between quotes and signatures in
all configurations. (I#31877) - Users may now choose to suppress dashboard email when all of its
searches have no results. This is controlled by the new "Suppress if
empty" checkbox on the subscription page. (I#30078) - The Dashboard subscription recipient options have been greatly
expanded from a single text field (which happened to support multiple
email address separated with a comma) to a robust user/group search. - Users may now select a specific language for each dashboard email
subscription. Administrators can customize the method by which
dashboard email language is chosen (including specifying an ultimate
fallback other than English) with the @EmailDashboardLanguageOrder
RT_Config option. - The "hide unset fields" preference now also hides unset custom
fields, obsoleting RT::Extension::CustomField::HideEmptyValues.
Additionally there is now a toggle button at the top right of the
ticket display page for quickly toggling whether unset fields are
hidden or shown. (I#31523) - There is a new SetInitialCustomField right that permits setting
custom field values on records (tickets, assets, articles) while you
are creating them. It does not permit modifying custom field values
of existing records. Users with SetInitialCustomField but without
ShowCustomField will still be able to specify a custom field value
at create time but not see it afterwards. (I#14974) - Administrators and users can now choose to display queue dropdowns
as an autocomplete field (RT_Config setting "AutocompleteQueues"),
much like is available for Owners. If your RT instance has many
queues this option improves performance and usability. (I#31291) - New config for hiding time worked, time estimated, and time left
from unprivileged users in the self-service interface (RT_Config
setting "HideTimeWorkedForUnprivilegedUsers"). This also adds a hook
point RT::Ticket::CurrentUserCanSeeTime for further
customization. (I#31302) - Long attachment lists can now be truncated to show only the X newest
attachments, with an AJAX "Show all" link, (RT_Config setting
"AttachmentListCount"). This should improve the performance and
usability of both ticket display and ticket reply pages.
General user UI
- Eliminate console errors from Preview Scrip Recipients panel when there
are no recipients - Avoid URL length errors from Preview Scrip Recipients panel when the
messagebox has lots of content (I#31874) - Include MessageBoxRichText in JavaScript config to fix compatibility
for RT::Extension::QuoteSelection - Support autocomplete custom fields in bulk update (I#15259)
- Hint to the user that not all CF types are supported by bulk update,
instead of silently excluding them (I#15259) - Exclude One-Time Cc and One-Time Bcc addresses from
squelching (I#31386) - Restore behavior of $EditCustomFieldsSingleColumn config (I#18555)
- Improve "reuse existing attachments" UI to match existing
attachments UI (I#31709) - Improve ticket timer text-overflow styling (I#31713)
- Switch from generating an explicit list of statuses to Status =
'Active' and Status = 'Inactive' throughout the UI, both
improving performance and simplifying TicketSQL queries (I#31695 etc) - Switch queue search from queue ID to queue name for better usability
- Fix keyboard shortcut ? command in self-service UI (I#31535)
- Support / keyboard shortcut in self-service UI
- Add ticket SLA to display columns for search results (I#31831)
- Modernize UI of Articles display and modify
- Display creator, created, and updated metadata on Articles pages
- Fix searching for people associated with Assets (I#31546)
- Support 4.4 attachment uploader in self-service UI (I#31845)
- Fix bulk update check/clear all checkboxes (I#31667)
- Fix poor rendering of "create [relationship] ticket in [queue]" when
there are no existant links (I#31871) - Fix a regression with time zones in datetime custom fields (I#31674)
- Ticket timers no longer pause when JavaScript stops running (I#31707)
- Show the "include attachments" label on ticket reply only if there
are attachments to include - Avoid showing an empty custom fields panel on ticket edit pages when
user can see custom fields but cannot edit them - Fix new and existing charts that fail to render on dashboards (I#31557)
- Fix certain attachment links containing HTML metacharacters from
double escaping (I#31751) - Avoid failure to create tickets due to custom role rights (I#32069)
- Avoid SQL errors when using article quicksearch (I#31987)
Command-line
- Add new sbin/rt-search-attributes script for searching for
attributes matching criteria specified as Perl code (I#31294) - Fix issues around incorrect recipients in rt-crontool invocations
with multiple actions
Database
- Add $MaxFulltextAttachmentSize RT_Config option (default: 0 meaning
no limit) for tuning how very large attachments are included in the
full-text index - Avoid indexing EmailRecord transactions as they duplicate content
already available in the original Create, Correspond, and Comment
transactions. This improves both indexing time and index size
considerably. - Avoid creating transactions for, and bumping Last Updated of,
tickets when migrating RT::Extension::SLA custom field values to
the core SLA field (I#31924) - Add the new RT 4.4 Queue SortOrder column sooner in the 4.4 upgrade
process to improve extension compatibility - Avoid errors during
make initdbwhen ExternalAuth is enabled (I#32009)
Web Administration
- Add EscapeURI and EscapeHTML functions for use in email
templates (I#31442) - Add RT::Action::AddPriority action for use with rt-crontool which
simply increments the priority by $Argument every invocation
Server Administration
- Avoid DateTime::Locale version 1.01
https://rt.cpan.org/Public/Bug/Display.html?id=110244 - Have ./configure test whether to use GNU-style syntax or BSD-style
syntax forfind -perm - Several fixes around 4.0 and 4.2 upgrade scripts running under 4.4
- Fix migration of "SLA Disabled" for queues in the upgrade-sla
script (I#31703) - Avoid overloading error caused by certain versions of Email::Address
on Preview Scrips Recipients (I#31712) - Add explicit Pod::Select dependency since it was removed from Perl
5.18 (I#31873) - Add documentation for the now-core ExternalAuth and LDAPImport options
in RT_Config (I#31464) - Automatically enable ExternalAuth when the ExternalSettings config
option is declared, obviating the need for an explicit
Set($ExternalAuth, 1);(I#31689) - Remove unnecessary dependencies on FCGI::ProcManager and
Net::LDAP::Server::Test (I#31872) - Many cleanups in and improvements to our CPAN dependency install
toolchain
Developer
- Remove unused RT::Shredder::Record
- Add RT::Date->Strftime method (I#31435)
- If content_like (or similar) tests fail, output the page content
to a tmp file for debugging (I#31408) - Make autocomplete infrastructure more generic and extensible
- Add missing %ARGS to ShowHistoryPage call in ShowHistory, improving
RTIR compatibility - Fix missing CurrentUser parameter in RT::Interface::Email::Gateway
to improve RT::Extension::CommandByMail compatibility - Fix Queue SLADisabled _CoreAccessible metadata to match schema's default
value of 1 (I#31822) - Switch "hide unset fields" to be implemented with CSS for additional
flexibility - Add CSS classes (for example
.admincc) for many basic fields on
ticket display - Allow setting SLA in RT::Queue->Create, which can be used in
initialdata files (I#31823) - Improve ShowHistory compatibility with RTIR
- Add stubs for the fields that had been removed from queues in 4.4 to
improve compatibility with extensions and customizations (I#32019) - Fix tests to enable ExternalAuth
- Added infrastructure for deprecating specific callbacks, as we
consider them to be part of our stable API
(RT::Interface::Web::Request %deprecated) - Deprecated callbacks:
/Admin/CustomFields/Modify.html AfterUpdateCustomFieldValue - New callbacks:
/Ticket/Update.html RightColumnBottom
/Admin/CustomFields/Modify.html EndOfPage
/Elements/CollectionAsTable/Row EachField
/Dashboards/Subscription.html SubscriptionFormEnd, SubscriptionFields,
and MassageSubscriptionFields
/Elements/SelectOwnerDropdown ModifyOwnerListRaw and ModifyOwnerListSorted
/Helpers/Autocomplete/Owners ModifyOwnerAutocompleteSearch
/Elements/ShowTransactionAttachments BeforeAttachment - Improved callbacks:
/Admin/CustomFields/Modify.html Initial adds $Results
/Elements/MessageBox Default adds $DefaultRef and $MessageRef - Adjust TicketHistoryPage to reuse existing callbacks for TicketHistory
Documentation
- Add documentation for 4.4's $ShowHistory scroll option in
RT_Config (I#31705) - Fix UPGRADING-4.2's description of PostgreSQL full-text search using
GiST; it uses GIN indexes (I#31844) - Link to RT::Authen::ExternalAuth as a local document like the rest
of RT's core modules, rather than as an external link to metacpan
like we do for extensions (I#31957) - Update docs/authentication.pod to reflect RT::Aut...
rt-4.2.13
sartak
Shawn M Moore
RT 4.2.13 -- 2016-07-20
We're pleased to announce the availability of RT 4.2.13. This release is a
bugfix release; most notably, values in charts are now sorted numerically,
and regression for time zones on date/time custom fields has been addressed.
A complete list of improvements follows.
https://download.bestpractical.com/pub/rt/release/rt-4.2.13.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.13.tar.gz.asc
SHA1 sums
eb155493ae8aa965a9571be47abe95ce7dd7a70c rt-4.2.13.tar.gz
4b760717439c6971bd5849e1b3401e7d6bb404cb rt-4.2.13.tar.gz.asc
- Shawn M Moore, for Best Practical
General User UI
- Avoid race condition where a ticket's Started timestamp could be
before its Created timestamp - Users without ability to update a saved search are no longer shown
an Update button - IP custom field textboxes now wide enough for full IPv6 addresses (I#24565)
- Self-service Cc field now allows for autocompleting multiple users
- When possible sort charts numerically rather than ascii-betically
- QuickCreate now respects DefaultQueue and RememberDefaultQueue (I#30913)
- Make user preferences use label tags for better clickiness (I#30953)
- Hide "Transaction has no content" from Extract Article (I#31027)
- Improve CSRF detection by whitelisting more specific parameters (I#31090)
- Empty selection boxes no longer render 1px wide (I#31316)
- Show queue ID if the user can't see the queue name
- Search builder display format now properly supports "large" sizing
- Fix SMIME encoding issue (I#31155)
- Improve messaging and logging around reminders that users can't see
- Queue name on ticket display is now a link to a search for all active
tickets in that queue - Support autocomplete custom fields in bulk update (I#15259)
- Hint to the user that not all CF types are supported by bulk update,
instead of silently excluding them (I#15259) - Improve compliance with RFC4480 for GPG armor lines (I#30372)
- Restore behavior of $EditCustomFieldsSingleColumn config (I#18555)
- Fix a regression with time zones in datetime custom fields (I#31674)
- Fix certain attachment links containing HTML metacharacters from
double escaping (I#31751) - Fix custom attachment URLs for self-service users (I#30960)
Database
- "schema" upgrade files no longer issue CREATE INDEX statements, instead
there are now "indexes" upgrade files that describe the end state of the
indexes RT requires. This better handles indexes that may have been
deployed by hand or otherwise already exist. - We now correctly shred ObjectCustomFields records when shredding a
CustomField - Add $MaxFulltextAttachmentSize RT_Config option (default: 0 meaning
no limit) for tuning how very large attachments are included in the
full-text index - Improve 4.0 upgrade scripts running under 4.2
Web Administration
- We now record transactions for changes to queues
- Improve visual design of Shredder forms
Server Administration
- Add missing dependency on Encode 2.64
- New RT_SiteConfig.pm files now get a "use utf8;" by default to allow
config options to use Unicode - bcrypt cost has been doubled on schedule to improve password hashing
security - Allow multiple --action and --action-arg options in rt-crontool
- Fix "use of localtime without parentheses" warning
- rt-email-dashboards now has a --log parameter for setting log level
- Add config %ReferrerComponents to provide fine-grained control over
referrer checking behavior - Clarify web config validation log messages (I#31117)
- Add a no_ticket_transactions option to user shredder
- Remove now-unnecessary dependency on Apache::DBI (I#31210)
- Avoid DateTime::Locale versions 1.00 and 1.01
https://rt.cpan.org/Public/Bug/Display.html?id=110244 - Have ./configure test whether to use GNU-style syntax or BSD-style
syntax forfind -perm(I#31308)
Developer
- Improve test compatibility with File::Which 1.17
- Improve test compatibility with HTML::FormatText::WithLinks::AndTables
- Remove unused RT::Shredder::Record
- Transactions now have a ColumnMap
- New callbacks:
/Ticket/Create.html MassageCloneArgs
/Admin/Queues/Modify.html FormStart
/Ticket/Elements/ShowBasics AfterTimeLeft, AfterPriority, AfterQueue,
and AfterTable
/Ticket/Elements/ShowSummary AfterBasics, AfterPeople, AfterReminders,
and AfterDates
/Ticket/Graphs/index.html BeforeActionList, FormStart, AfterForm, and
Default
/Ticket/Update.html RightColumnBottom
/Admin/CustomFields/Modify.html EndOfPage
/Elements/CollectionAsTable/Row EachField
/Dashboards/Subscription.html SubscriptionFormEnd, SubscriptionFields,
and MassageSubscriptionFields
/Elements/ShowTransactionAttachments BeforeAttachment - Improved callbacks:
/Admin/CustomFields/Modify.html Initial adds $Results
Documentation
- New documentation on format strings (docs/format-strings.pod) for
controlling how search results are displayed - Update documentation to expect that most installations will deploy
fulltext search - Also remind users that they should set up backups in the README
- Fix UPGRADING-4.2's description of PostgreSQL full-text search using
GiST; it uses GIN indexes (I#31844)
Internationalization
- Adjust the string "CustomFields" to instead use the existing
"Custom Fields" to ease translation - We now display translated ticket properties and statuses on graphs
- Update translations for: Brazilian Portuguese, Czech, Finnish, French,
German, Greek, Hungarian, Japanese, Latvian, Lithuanian, Occitan, Polish,
Russian, Spanish, Swedish, and Turkish
A complete changelog is available from git by running:
git log rt-4.2.12..rt-4.2.13
or visiting
rt-4.2.12...rt-4.2.13
rt-4.4.0
sartak
Shawn M Moore
RT 4.4.0 -- 2016-02-04
We're thrilled to announce the availability of RT 4.4.0! This is
the first release for the next major version of RT. The focus of
this release series is quality-of-life improvements for both users
and administrators.
When upgrading, please be sure to review the upgrading documentation
available in docs/UPGRADING-4.4, as there are a number of
backward-incompatible changes that come along with the new version
number. Upgrading documentation is also available at
http://www.bestpractical.com/docs/rt/latest/UPGRADING-4.4.html
https://download.bestpractical.com/pub/rt/release/rt-4.4.0.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.0.tar.gz.asc
3bfeeac1e7a7cd4b1a042db04459f0e87c2b5fbb rt-4.4.0.tar.gz
a4a15d41d9ae663d4fda6c2f5246cc0cf26127ac rt-4.4.0.tar.gz.asc
A list of the major new features in RT 4.4.0 is included below. Many
of the new features are described and demoed in a series of
blog posts on http://blog.bestpractical.com/ with still more to come.
Finally, we'd like to invite you to attend our next training session in
Hamburg, Germany, which covers the new features in RT 4.4 as well as
RTIR and its next version. Visit http://bestpractical.com/training for
more.
- Shawn M Moore, for Best Practical
- RT now includes the Assets extension for tracking your physical and
digital resources. - Attachments can now be stored outside of the database either on disk, in
Dropbox, or on Amazon S3. Attachments can also be directly served from S3. - SLA tracking is now part of core RT. You can define many different service
levels that take your business hours and holidays into account. - External authentication and LDAP integration are now shipped as core RT
features. - RT now has support for custom roles, along the lines of Requestor, Owner,
Cc, and AdminCc. These roles can be single-member or multi-member.
Privileges can be assigned to members of custom roles, you can search based
on custom role membership, you can notify custom role members in
scrips, and so on. - RT now has a modern file upload interface which allows you to select
multiple files in one fell swoop, drag and drop attachments onto RT, and
inline preview certain file types like images. - We've added a "scroll" option for gradually loading in ticket history as
the user scrolls down, much like "infinite scroll". This considerably
improves perceived performance. - Existing attachments on a ticket can be reused in subsequent replies,
so you don't have to upload them again. - We now provide some basic Articles configuration for new deploys so that
you can start using the feature immediately. - You can now break up your RT_SiteConfig.pm file into logically-related
chunks under the RT_SiteConfig.d/ directory. - You can now specify default values at the queue level for certain ticket
fields, including custom fields. - RT now warns you when you write the word "attach" (or "attached", etc)
but haven't provided any attachments yet, to avoid "sorry, I forgot this
attachment" followup mail. - RT now understands many more types of "human" date strings.
- Users can now choose any subset of the seven weekdays to receive their
daily dashboard subscriptions. - The query builder display format panel has seen several improvements;
most importantly adjusting the display columns no longer reloads the
entire page. - We've added a popout ticket timer for helping you track time inside RT.
The timer is associated with a ticket and will add the time to to it for
you. - RT now ships with keyboard shortcuts for primarily for navigating ticket
search results. - We ship a (disabled-for-upgrades, enabled-for-new-deploys) scrip for
carrying over time worked to parent tickets. Similarly, we ship a scrip for
tracking time worked per user. - We've added a way to quickly create new linked tickets in queues other than
the one that the current ticket is in. - There's a new site-level config setting and user preference for hiding
unset fields on ticket display pages. - Custom fields now have a customizable "entry hint" for helping users
understand what they should be entering as values. - TicketSQL and the search builder now support Status = 'Active' and
Status = 'Inactive' type queries, so you no longer need to enumerate
all statuses likeStatus = 'new' OR Status = 'open' OR Status = 'stalled' - The mailgate has been completely redesigned and modernized.
- RT now includes the Assets extension for tracking your physical and
Additional changes:
General user UI
- Improve and unify display of topactions (new ticket in, simple search,
article search, etc) - Empty selection boxes no longer render 1px wide (#31316)
- Replace singular use of "Administrative Cc" with "AdminCc"
- Don't display "check box to delete" for every group on queue watcher page
- Don't render empty "Ticket #:" results in bulk update
- Improved the paging links in collection lists (#30374)
- IPv6 custom fields are rendered in their compressed representation
- Queue name on ticket display is now a link to a search for all active
tickets in that queue - Search builder display format now properly supports "large" sizing
- Display more "show columns" in search builder
- Record transactions for queue changes
- Show queue ID if the user can't see the queue name
- New, modern bookmark star icons to better match ticket timer icon
- If there's a single pending ticket, just show the ticket number (#30692)
- Improve messaging for enabling and disabling custom fields
- Improve messaging for applying a custom field to a queue (#31128)
- Mention which principal and right was granted instead of simply saying
"Right Granted" - Improve "user already has right" error
- Gray out "(no value)" for custom fields
- Hide "transaction has no content" entries from extract as article
- Improve CSRF whitelist (#31090)
- Make user preferences use label tags for better clickiness (#30953)
- Rename "Quicksearch" (the table of queues) to "QueueList" (#18514)
- When possible sort charts numerically rather than ascii-betically
- Self-service Cc field now allows for autocompleting multiple users
- IP custom field textboxes now wide enough for full IPv6 addresses (#24565)
- Move attachments to below messagebox on bulk update for consistency
- Stop rounding large numbers of hours worked into days
- Add a "chosen" UI for making long lists of select custom field values more
friendly - Search builder now uses the "chosen" UI for selecting display columns
- Increase MaxInlineBody
- Improved management of mail recipients
- Stop cloning time fields when creating child tickets
- Improve datepicker usage for relative date strings
- Squelching now applies to all updates in the request, instead of only the
initial correspond/comment transaction. - Sync scrip recipients with non-wysiwyg plaintext editor
Command-line
- Fix for "0" values in bin/rt (#31290)
- rt-email-dashboards now has a --log option
- rt-crontool now allows multiple actions
- Improve structure of multipart mail
Web Administration
- Rights management pages now have gray callout for sections that have
rights granted - For new installs we now provide a General topic and Content CF for Articles
- Query log now supports Undup and ShowElem params
- Queues now have a sort order
- We no longer delete articles but instead just disable them to help maintain
auditability (#19323) - Allow ModifyTicket to change nobody to someone else, without OwnTicket
- Select CFs will now suppress "(no value)" option when it's invalid
- Add new ShowAssetsMenu right to manage visibility of Assets feature
Server Administration
- Use MiB rather than MB for attachment size config (GitHub #162)
- ReferrerComponents lets you fine-tune CSRF whitelist and blacklist
- The user shredder now supports a no_ticket_transactions option
- Avoid warnings if users don't have sufficient rights on reminders
- Fix decoding issues (#31155)
- Removed redundant Apache::DBI dependencies (#31210)
- Shred object custom fields when shredding a custom field
- Improve compat and docs for Apache 2.4
- Put temporary files for email parsing in /tmp
- Allow deep namespaces for ScripActions and Conditions
- Copy rt-ldapimport into install-tree sbin
- Avoid DateTime::Locale 1.00 and 1.01; earlier and later versions are OK
Developer
- Upgrade jQuery from 1.9.1 to 1.11.3
- Upgrade jQuery UI from 1.10.0 to 1.11.4
- Upgrade CKEditor from 4.0.1 to 4.5.3
- Removed many unused fields on tickets and users
- Added a Group->Label method for displaying groups in the UI
- Ticket Modify now processes watcher updates
- Support optional inclusion of RT-System and Nobody users in autocomplete
- Transactions now have a ColumnMap
- /User/Prefs.html became /Prefs/AboutMe.html for consistency (#14200)
- We now warn when you forget to undef $mech in tests, which can
cause spurious failures - Additional callbacks
- Remove mostly-duplicate code for Rules which can never trigger
Documentation
- We've written new documentation for the query builder, dashboards,
reporting, and other related features - SLA cookbook
- Update documentation to expect that most installations will deploy
fulltext search - Also remind users that they should set up backups in the README
- Clarify "otherwise your internal links may be broken" (#31117)
- Unify our documentation for upgrading cored extensions
- Switch example for Plugins in RT_Config from ExternalAuth to JSGantt
Internationalization
- Graphing now uses the localization engine in more places
- Update translations for: Basque, Bulgarian, Catalan, Simplified and
Traditional Chinese, Croatian, Czech, Danish, Dutch, Estonian, Finnish,
French, German, Greek, Hungarian, Icelandic, Indonesian, Italian, Japanese,
Latvian, Lithuanian, Norwegian (Bokmal and Nynorsk), Persian, Polish,
Portuguese, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, and
Turkish...
rt-4.2.12
sartak
Shawn M Moore
RT 4.2.12 -- 2015-08-12
RT 4.2.12 contains important security fixes.
https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz.asc
SHA1 sums
ddbf70752c2b96354caf7687534addf075859d4d rt-4.2.12.tar.gz
8e76c69a56a60afbe0a75673874a1f4510355350 rt-4.2.12.tar.gz.asc
This release is a security release which addresses the following
vulnerabilities:
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via
the user and group rights management pages. This vulnerability is assigned
CVE-2015-5475. It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.
RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack
via the cryptography interface. This vulnerability could allow an attacker
with a carefully-crafted key to inject JavaScript into RT's user interface.
Installations which use neither GnuPG nor S/MIME are unaffected.
A complete changelog is available from git by running:
git log rt-4.2.11..rt-4.2.12
or visiting
rt-4.2.11...rt-4.2.12
rt-4.0.24
sartak
Shawn M Moore
RT 4.0.24 -- 2015-08-12
RT 4.0.24 contains an important security fix.
https://download.bestpractical.com/pub/rt/release/rt-4.0.24.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.0.24.tar.gz.sig
SHA1 sums
0588b678cc1f13ae1504e9fffede1b8485d172f7 rt-4.0.24.tar.gz
8f8b69532112aa01d6fe540478de6a7046ad6fb0 rt-4.0.24.tar.gz.sig
This release is a security release which addresses the following
vulnerability:
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via
the user and group rights management pages. This vulnerability is assigned
CVE-2015-5475. It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.
A complete changelog is available from git by running:
git log rt-4.0.23..rt-4.0.24
or visiting
rt-4.0.23...rt-4.0.24
rt-4.2.11
RT 4.2.11 -- 2015-05-07
RT 4.2.11 is now available.
https://download.bestpractical.com/pub/rt/release/rt-4.2.11.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.11.tar.gz.asc
SHA1 sums
c40063b4265a983343804f2056b22964a8ba7be9 rt-4.2.11.tar.gz
d34d6694462d597d14a474390d335bd2b58f42b8 rt-4.2.11.tar.gz.asc
This release is a bugfix release; most notably, it improves indexing
time for full-text search, as well as improving support for Apache 2.4
and MySQL 5.5. Interactive command-line tools (including upgrade tools)
will now also default to displaying warnings to STDERR, to aid in
awareness of potential errors.
The complete list of changes includes:
General user UI
- If storing a transaction failed, note the failure obviously in the
ticket history (#30419) - Make sub-menus accessible on screen-readers
- Prevent Dashboard portlet from rendering with too many columns
- Hint that a transaction is Correspondence, using red background, on Jumbo
and Bulk Update pages as well. - Articles distinction between "no classes exist" and "none visible to user"
(#30638) - Skip Articles Class selection page if there is only one valid option
(#29975) - For consistency with other roles, don't attempt to send email
notifications to owners that are disabled - Improve search performance when searching custom field values on users
- Allow ModifyTicket to change nobody -> someone else, without OwnTicket
- Allow HTML5
andtags for the replacedtag - Respect the user's chosen units for Time Worked across page loads, instead
of always defaulting to minutes. (#17985) - In Jumbo, preserve ticket basics so in progress changes persist after
returning to the page - Make elements styled as .button render the same as other buttons
- Add print styles for button and .button that match other inputs
Command-line
- Default to enabling error warnings to the screen for interactive commands
- Standardize --help, --quiet and --verbose options across tools
- Allow GSSAPI authentication with bin/rt (#25074)
Web Administration
- Don't show rights on role groups rights list which are nonsensical (#30556)
- Support setting multiply-valued custom fields during REST ticket creation
- Fix an infinite loop in multiple-valued custom field parsing
- Recover gracefully on template creation failure (#29021)
- Provide a user-legible representation of the user's GPG key (#25376)
- Ability to change back to "role" UsernameFormat
- Consistently store un-encoded header data for forwards (#29714)
Server Administration
- Improve full-text indexing by 1-2 orders of magnitude, on both PostgreSQL
and MySQL. - Warn if innodb_log_file_size would limit uploads to < 5M on MySQL 5.5 and later
- Increase the warn threshold on max_allowed_packet to 5M
- Validate lifecycle right name length
- For convenience, allow using the distribution name instead of package
name in Plugin(); for example: Plugin('RT-Extension-SLA') - Suggest explicit binlog_path for sphinx >= 1.10
- Drop DatabaseRequireSSL option that does nothing; replace with
DatabaseExtraDSN option to allow passing of arbitrary additional
database parameters to the database interface - Respect configure-time FontPath configuration
- Configurable transaction suppression for EscalatePriority (#29465)
- Switch from Oracle DBA-only tables to tables the user can inspect (#30393)
- Properly handle large IN sql arguments by breaking them up in to separate
statements
Developer
- Deprecate unused RT::Interface::CLI::debug sub
- Standardize and simplify boilerplate for command-line options
- Make rt-validator infinite loop checker actually work
- Add 'mbox' option to $MailCommand which writes mbox-formatted output
- Allow attributes to be set after object creation in initialdata
files (#13036) - Do not set charset and body on multipart messages in ContentAsMIME (#23671)
- Look harder for content in message/rfc822 parts
- Allow creation of multipart/related via REST, by providing Content-IDs
- Fold RT::Shredder code into core record classes
- Skip Shredder tests on all non-SQLite databases
- Built in HTTP Basic auth and htpasswd support in rt-apache tool
- New callbacks for Ticket/Elements/ShowBasics, AfterTimeEstimated and
AfterTimeWorked - Use %ARGS values in /Admin/Users/Modify.html to allow callbacks to modify
them (#27655) - Allow passing SquelchMailTo to Ticket->Create
- Explicitly depend on Class::Accessor::Fast not Class::Accessor
- Add BodyClass parameter to Elements/Header so callbacks can more easily
style only their own pages.
Documentation
- Extend the documentation to support Apache 2.4 deployment
- Attempt to improve reliability in lighttpd by suggesting sockets instead of
TCP connection - Information on finding and installing plugins
- Information on the new rights interface in the UPGRADING doc (#29515)
Internationalization
- Localize EmailFrequency properties
- Updated localizations (German, Spanish, French, Icelandic, Italian,
Japanese, Lithuanian, Russian, Swedish, Traditional Chinese)
A complete changelog is available from git by running:
git log rt-4.2.10..rt-4.2.11
or visiting
rt-4.2.10...rt-4.2.11
rt-4.2.10
RT 4.2.10 -- 2015-02-26
RT 4.2.10 contains important security fixes, as well as minor bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz.asc
SHA1 sums
92af386e9c09a0e9489ec1cd55b66c65b77d22be rt-4.2.10.tar.gz
8e65ce02b62df85c7d679dab8d4bde8ef343ec48 rt-4.2.10.tar.gz.asc
This release is primarily a security release; it addresses CVE-014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.
As part of these security updates, RT's dependency on the Encode module
has been changed, to Encode 2.64. If upgrading, be sure to run
rt-test-dependencies to verify that your installed version of Encode
meets this requirement; if not, you will need to install a newer version
from CPAN.
This release is also a bugfix release; most notably, it addresses a bug
which causes RT to generate blank outgoing text/plain parts. This fix
requires installing the HTML::FormatExternal module, and having an
external tool (w3m, elinks, etc) installed on the server.
It also introduces indexed full-text searching for MySQL without the
need to recompile MySQL to use the external Sphinx tool; instead, a
MyISAM table is used for indexing. On MySQL 5.6 and above, an
additional InnoDB table can also be used.
The complete list of changes includes:
General user UI
- Speed up the default simple search on all FTS-enabled installs by not
OR'ing it with a Subject match. This returns equivalent results for
almost all tickets, and allows the database to make full use of the
FTS index. - Pressing enter in user preference form fields no longer instead
resets the auth token (#19431) - Pressing enter in ticket create and modify form fields now creates or
updates the ticket, instead being equivalent to "add more
attachments", or the "search" on People pages (#19431) - Properly encode headers in forwarded emails that contain non-ASCII
text (#29753) - Allow users to customize visibility of chart/table/TicketSQL in saved
charts - Allow groups to be added as requestors on tickets
- Perform group searches case-insensitively on People page (#27835)
- Ticket create transactions for tickets created via the web UI now
contain mocked-up From, To, and Date headers; this causes them to
render more correctly when forwarded - Update wording of error message for saved searches without a
description (#30435) - Flush TSV download every 10 rows, for responsiveness
- Retain values in Quick Create on homepage if it fails (#19431)
- Limit the custom field value autocomplete to 10 values, like other
autocompletes (#30190) - Fix a regression in 4.0.20/4.2.4 which caused some users to have
blank homepages (#30106) - Fix styling on "unread messages" box on Ballard and Web2 themes
- Fix format of Date headers in RSS feeds (#29712)
- Adjust width of transaction date to accommodate all date formats
(#30176) - Allow searching for tickets by queue lifecycle
Command-line
- Fix server name displayed at password prompt when RT is deployed at
a non-root path like /rt (#22708)
Admin
- If the optional HTML::FormatExternal module is installed, use w3m,
elinks, links, html2text, or lynx to format HTML to text. This
addresses problems with the pure-Perl HTML-to-text converted which
resulted in blank outgoing emails. (#30176) - Add support for native (non-Sphinx) indexed full-text search on
MySQL. This uses the InnoDB fulltext engine on MySQL 5.6, and an
additional MyISAM table on prior versions of MySQL. - Support MySQL database names with dashes in them (#7568)
- Properly escape quotes and backslashes in config options in web
installer (#29990) - Increase length of template title form input
- Clarify wording on updating old Organization values by rt-validator
- Resolve a runtime error for SMIME without secret keys (#30436)
- Empty email addresses are no longer caught as being "an RT address"
if there exist queues without Correspond addresses set (#18380) - Allow Parents/Children/Members/MemberOf in CreateTickets action
- Allow RT-Originator to be overridden in templates
- Ensure that HTML-encoded entities are indexed in FTS
- Fix uninitialized value warnings from charts grouped by date
- Remove no-op $CanonicalizeOnCreate configuration variable;
RT::User->CanonicalizeUserInfo is always called - Make NotifyGroup action respect AlwaysNotifyActor argument
- Fix X-RT-Interface header on incoming email on existent tickets
- Warn on startup if queues have invalid lifecycles set (#28352)
Developer
- Add AfterHeaders callback to ShowMessageHeaders
- Update all upgrade steps to use .in files (#18856)
- Add policy tests to enforce the new upgrade step standards
- Remove +x bit from multiple non-executable files
- Make Obfuscate callback in configuration options be passed the
current user, as was documented - Remove obsolete _CacheConfig parameters
- Preferentially use IN rather than multiple OR clauses
- Respect RowsPerPage for external custom field values
- Localize default statuses from RT_Config.pm, instead of hardcoding
- Add callbacks within Dates box after each type of Date
- Pass the CustomFieldObj down to CustomFieldValue objects intact, so
its ContextObj can be inspected; this is particularly useful for
external custom fields. - Allow more than one right per @acl in initialdata
- Don't hardcode share/html in tests, for non-default layouts
- Base detection of new themes on presence of main.css file, not
base.css file (#30554) - Allow for relative "lib" in @inc when running tests
- Allow EditComponentName customfield callback to alter Rows/Cols
values
Serializer/importer
- Memory usage improvements in both serialization and import
- Templates, Scrips, and ObjectScrips now serialize correctly
when not cloning
Documentation
- Document how to enable un-indexed full-text-search, and its drawbacks
- Note that after restoring from backups, PostgreSQL may need to have
statistics updated - New documentation on writing portlets
- Add an =pod directive so the first paragraph of UPGRADING is not
skipped - Clarify when UPGRADING-x.y steps should be run
- Better document known bugs with Sphinx FTS
- Add missing semicolon on Shredder suggested indexes
A complete changelog is available from git by running:
git log rt-4.2.9..rt-4.2.10
or visiting
rt-4.2.9...rt-4.2.10
rt-4.0.23
RT 4.0.23 -- 2015-02-26
RT 4.0.23 contains important security fixes, as well as minor bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.0.23.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.0.23.tar.gz.sig
SHA1 sums
1067e0469184a6955e2822967eb7a2e287f7c17b rt-4.0.23.tar.gz
17a153215b95d12e5aa0500d676089aed081d6df rt-4.0.23.tar.gz.sig
This release is primarily a security release; it addresses CVE-014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.
As part of these security updates, RT's dependency on the Encode module
has been changed, to Encode 2.64. If upgrading, be sure to run
rt-test-dependencies to verify that your installed version of Encode
meets this requirement; if not, you will need to install a newer version
from CPAN.
Other changes include:
General user UI
- Flush TSV download every 10 rows, for responsiveness
- Pressing enter in user preference form fields no longer instead
resets the auth token - Pressing enter in ticket create and modify form fields now creates or
updates the ticket, instead being equivalent to "add more
attachments", or the "search" on People pages. - Retain values in Quick Create on homepage if it fails
Command-line
- Fix server name displayed at password prompt when RT is deployed at
a non-root path like /rt
Admin
- Empty email addresses are no longer caught as being "an RT address"
if there exist queues without Correspond addresses set - Allow Parents/Children/Members/MemberOf in CreateTickets action
- Allow RT-Originator to be overridden in templates
- Add missing semicolon on Shredder suggested indexes
- Ensure that HTML-encoded entities are indexed in FTS
Developer
- Make Obfuscate callback in configuration options be passed the
current user, as was documented - Remove obsolete _CacheConfig parameters
- ACL checks are now applied in the ->AddRecord stage, not in ->Next;
this means that collections accessed via ->ItemsArrayRef are now
correctly ACL'd.
Documentation
- New documentation on writing portlets
- Add an =pod directive so the first paragraph of UPGRADING is not
skipped - Clarify when UPGRADING-x.y steps should be run
A complete changelog is available from git by running:
git log rt-4.0.22..rt-4.0.23
or visiting
rt-4.0.22...rt-4.0.23