Releases: bestpractical/rt

rt-4.0.13

03 Jul 16:39

RT 4.0.13 contains important security fixes.

http://download.bestpractical.com/pub/rt/release/rt-4.0.13.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.0.13.tar.gz.asc

SHA1 sums
d09f0b9beed8f4e7972fd43d5597e78306d9acef rt-4.0.13.tar.gz
94d1de447301c9be728197572aff2d29944bc39e rt-4.0.13.tar.gz.asc

This release of RT resolves a number of security vulnerabilities:

CVE-2012-4733
CVE-2013-3368
CVE-2013-3369
CVE-2013-3370
CVE-2013-3371
CVE-2013-3372
CVE-2013-3373
CVE-2013-3374

It also includes a database upgrade, so please make sure to run 'make upgrade-database'.

Details about the above CVEs are available at:
http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html

A complete changelog is available from git by running:
git log rt-4.0.12..rt-4.0.13
or visiting
rt-4.0.12...rt-4.0.13

rt-4.0.12

27 Jun 01:51

It's my pleasure to announce RT 4.0.12 is now available for download.

http://download.bestpractical.com/pub/rt/release/rt-4.0.12.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.0.12.tar.gz.sig

SHA1 sums
779ae82d1847aea23afe28e54a982c59f93b4953 rt-4.0.12.tar.gz
8ef461c88486fa551985323ef6ed56e626176258 rt-4.0.12.tar.gz.sig

This release of RT repairs a regression in 4.0.11. If you use the Rich
Text Editor, the red background on Reply was missing due to the update
of CKEditor to support IE10. It also includes a database upgrade, so
please make sure to run 'make upgrade-database'.

Features

  • Date and DateTime Custom Fields now have the same 'smart' date parsing
    that core RT date fields have.
  • Improved logging when the sending of a Correspond or Comment fails.
  • The Quick Search preferences page now has Select/Clear All buttons.
  • Unprivileged users can now change Language and Time Zone.
  • Warn MySQL users if their max_allowed_packet is dangerously low.

Bugfixes

  • Repair 4.0.11 regression where red background on Reply with the
    RichText Editor was lost.
  • Quiet warnings in the verbose user format.
  • Allow changing the case of a Group's name (prevented by earlier code
    stopping you from having two groups with the same name).
  • Allow changing the case of a Class's name.
  • Avoid warnings when using empty Templates.
  • Update our InnoDB checks for MySQL 5.6 compatibility.
  • Clarification of when SetOutgoingMailFrom and OverrideOutgoingMailFrom
    are available.
  • Improve layout of collection lists in IE.
  • Fix Attach more files button in Self Service.
  • Set caching headers on autocomplete endpoints.
  • Restore and improve prematurely deleted documentation for
    DontSearchFileAttachments.
  • Correct the encoding of Dashboard email Subject headers.
  • Fix the default roles on User->WatchedQueues.
  • Document the need to grant SeeCustomField in UPGRADING-3.4.
  • Nudge menus below the shadows in aileron.
  • Fix missing headers and a syntax error in the
    /REST/1.0/attachment/NN endpoint.

Localization

  • Improve the display of numbers when using the French localization.
  • Built in components and searches (such as Bookmarked Tickets) are now
    localizable.
  • Use PostgreSQL error codes in the full-text-indexer instead of
    matching on error messages that may be in a non-English language.
  • Localize 'Dashboard' during creation.
  • Mark 'Modify this user' as localizable.

Developer

  • Tests can now be run against a remote DB server.
  • Install etc/upgrade to make some rt-setup-database actions easier
    without requiring access to the install directory.
  • RT_TEST_PARALLEL_NUM controls the -j param in make parallel-test
  • Work around a git bug in git archive when packaging releases.
    This caused the third party sources to bloat the 4.0.11 tarball.
  • Fix examples in the CreateTickets documentation.
  • RT Ticket types (ticket, approval, reminder) are now always forced to
    lower case.
  • Allow the use of 'NOT IN' in Limits (assuming a new enough
    DBIx::SearchBuilder).

A complete changelog is available from git by running:
git log rt-4.0.11..rt-4.0.12
or visiting
rt-4.0.11...rt-4.0.12

rt-4.0.11

27 Jun 01:51

RT 4.0.11 is now available for download.

http://download.bestpractical.com/pub/rt/release/rt-4.0.11.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.0.11.tar.gz.sig

SHA1 sums

fc59a03b87be5cb02c763c55a2f5f3cafa67d087  rt-4.0.11.tar.gz
828ee5226748485d4de3c228622a5feed8d42ea1  rt-4.0.11.tar.gz.sig

This release of RT contains two large updates.

The WYSIWYG editor (CKEditor) used on ticket creation and reply pages
has been updated to address numerous reports of breakages when using IE
10. It also includes fixes for many other browsers. You can read more
about the included changes at http://ckeditor.com/whatsnew. We are
shipping 3.6.6.1, upgraded from 3.4.1.

If you use RT with mod_perl and have not updated from SetHandler
perl-script to SetHandler modperl, RT will now refuse to start. You can
read more about mod_perl configuration here
http://bestpractical.com/rt/docs/latest/web_deployment.html#mod_perl-2.xx

Bugfixes

  • Fix description of the ModifyACL right on Classes.
  • Allow sorting by a Queue's SubjectTag (in the admin UI).
  • Reminders attached to tickets in the deleted status now no longer
    throw errors.
  • Custom Fields containing & were not being displayed properly in search
    results.
  • Validate usernames properly on rename as well as during creation.
  • Remove user preference for 'Number of search results' since it was
    unused and conflicted with the option on the My RT at a Glance
    configuration page.
  • Clean up temp files left behind by the REST interface.
  • Recipients and Scrips box on Ticket reply/comment pages retain
    checkbox state when uploading attachments or including articles or
    otherwise reloading the page.
  • Charts are no longer hidden by the print css.
  • Date Custom Fields should ignore time zones.
  • rt-crontool no longer throws an error on --help or other error
    conditions.
  • When choosing the Shredder link from search results, correctly select
    the Tickets plugin.
  • Bring back an Article quick search missing since before 4.0.0.
  • The default $ExtractSubjectTagMatch no longer removes [comment] from
    mail with subjects like [comment] [rtname #1].
  • In the Class PageMenus, load a Class not a CustomField to validate the id.
  • Date Custom Fields now parse strings like 'today' in the user's
    timezone.
  • Username and Password are now the same length on IE8/9.
  • External Custom Fields can now be changed back to internal
    Custom Fields in the CF Admin UI.
  • Inline text attachments now obey PlainTextPre or PlainTextMono if
    they are set.
  • Once a Group contained more than one User or Group, current members of
    the Group were not being excluded from the autocomplete results.
  • Reloading pages with results= will no longer trigger the CSRF warning.

Features

  • Update translations from Launchpad, including a new Catalan
    translation by Ton Orga Ventura.
  • Watcher searches now pre-load the user when possible to reduce joins
    to the Users table and boost query speed.
  • When using RT::Record->Update new values are truncated before being
    compared to the existing values. This removes a large number of
    repeated update transactions that don't change anything.
  • Search result formats may contain mailto: links.
  • Refuse to start with an error message if RT is configured to use
    mod_perl with SetHandler perl-script.
  • Improve the display of numbers in the German translation.

Documentation

  • Further updates to the code used to generate docs.bestpractical.com
    and minor updates to the pod to improve formatting.
  • New documentation for the ExtractSubjectTag extension by Kai Storbeck.

Developer

  • Allow extensions to add new one-time-to types and headers.
  • Expose version sorting code so Module::Install::RTx can use it.
  • More consistent returns from RT::Link->LoadByParams.
  • Added callbacks for changing the links from Quick search.
  • A callback for changing the Queues displayed on the Quick search.
  • Test setting and updating private/public GPG keys.
  • More escaping of URLs, targets and IDs in the menus.
  • Don't create testing databases or set them up when checking syntax.
  • Add callbacks to the mobile login form.

A complete changelog is available from git by running:
git log rt-4.0.10..rt-4.0.11
or visiting
rt-4.0.10...rt-4.0.11

rt-3.8.16

27 Jun 01:49

I'm happy to announce that RT 3.8.16, the latest maintenance release, is
available for download.

http://download.bestpractical.com/pub/rt/release/rt-3.8.16.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.16.tar.gz.sig

SHA1 sums

9df5ed89d93d07d64ece8692cfb9e4a444ade01d  rt-3.8.16.tar.gz
9d71bc7b65638af15179d8e9def60f55b5329d7c  rt-3.8.16.tar.gz.sig

Recent support for partitioned GnuPG emails introduced a deadlock
situation for large QP/Base64 emails with GnuPG enabled. In addition,
this release resolves a number of issues running the test suite on newer
versions of perl.

git log rt-3.8.15..rt-3.8.16
or visit
rt-3.8.15...rt-3.8.16

rt-4.0.10

27 Jun 01:51

RT 4.0.10 is now available for download.

http://download.bestpractical.com/pub/rt/release/rt-4.0.10.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.0.10.tar.gz.sig

SHA1 sums

6ecb3f9ffd59df55d04fc7705e4017e8a420bac8  rt-4.0.10.tar.gz
7f84cad8c5aa0a3b8bd45e5b79ab6b247bfa3624  rt-4.0.10.tar.gz.sig

This release contains several bugfixes and a fix for a regression
introduced in 4.0.9. If you have a Queue configured so that users have
SeeQueue and CreateTicket but not ShowTicket (they can create tickets,
but won't be able to see them after creation) then any Custom Fields
assigned to that Queue and filled in during creation would be lost
during submission.

Bugfixes

  • CF values are no longer possibly lost during ticket creation; see
    above for a complete description
  • Updated localizations, including a new Slovak translation
  • Error titleboxes now render properly when they have collapse icons
  • Restore a missing tag on the mobile login
  • Allow non-uris in Link transactions
  • Bulk Update maintains the previous value of the "Told" box on page
    reload
  • Simple Search no triggers queue-searching behavior when passed a
    disabled Queue names
  • We now find localizations expressed as ( qw(a b c))
  • Only attempt to update Told if the correspond succeeded

git log rt-4.0.9..rt-4.0.10
or visiting
rt-4.0.9...rt-4.0.10

rt-4.0.9

27 Jun 01:55

I'm happy to announce that RT 4.0.9 is now available.

http://download.bestpractical.com/pub/rt/release/rt-4.0.9.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.0.9.tar.gz.sig

SHA1 sums

1adf162b2d73eb521b00f45e30ccea6fe193e604  rt-4.0.9.tar.gz
ac76d9199cbeda986f9cea590177a4047840fc37  rt-4.0.9.tar.gz.sig

This release contains a number of bugfixes since the 4.0.8 release.
It also contains the first set of embargoed security tests fixed by
patches released on 2012-05-22. These are the tests for
vulnerabilities fixed in RT 4.0.6 and RT 3.8.12.

This release also requires a newer HTML::RewriteAttributes.
You will be prompted to upgrade when upgrading RT or when manually
running 'make test-dependencies'.

If you have set a custom @jsfiles in RT_SiteConfig.pm, you will need to
amend this to include the new jquery.cookie.js file added to
RT_Config.pm. See UPGRADING-4.0 for more details.

Bugfixes

  • IE8/9 are encouraged never to use compatibility mode.
  • User autocompletes on Oracle now work.
  • Disabled personal groups hiding out from 3.8 are cleaned out.
  • When upgrading from 3.8 to 4.0 the article upgrade points to the
    correct upgrading documentation.
  • Restore the link to a Queue's History.
  • Stop manually deleting Custom Field Values in the REST API, use
    the standard RT API calls.
  • Avoid Devel::StackTrace 1.28 and 1.29 which are known to break RT.
  • Don't show the full login page to mobile clients.
  • Refresh your Localization preferences on each page load.
  • TicketSQL containing Queue = 'Nonexistant Queue' will not generate
    invalid SQL.
  • Fix an error deleting Custom Field Values on some installs.
  • Ensure that leading newlines on Templates are preserved, despite
    browsers stripping them.
  • Eliminate a potential deadlock on large emails when using GPG.
  • Handle emails in unknown charsets better.
  • Fix GPG Error templates that used reference passing.
  • Make Configuration written by the installer consistent and skip some
    keys.
  • Log better error messages and fewer warnings with parsing unparseable
    sender email addresses.
  • Add a missing table element to the Outgoing Mail element.
  • Allow 'requestors' on REST ticket creation because it was allowed in
    3.8 (earlier versions of 4.0 only allowed requestor as a key).
  • Fix loading of _Vendor and _Local files in plugins.
  • Remove menu/page overlapping that prevented clicking on some links.
  • Handle invalid/unindexable Full Text Search records in Pg better.
  • Allow users without the ExecuteCode right to create Simple templates.
  • Ensure that templates which use heredocs won't have mysterious
    failures.
  • Fix null and NULL to work interchangeably in TicketSQL.
  • No longer match on an English string on the Jumbo page. This would
    result in the Comment/Correspond textarea remaining populated if using
    RT in a non-English locale.
  • Remove even more old REST restrictions on Custom Field, Queue and
    other object names.
  • Avoid warnings when building the menu on pages with invalid Queues or
    other objects.
  • Saved Search descriptions can safely contain [] without running
    afoul of the localization infrastructure.
  • Allow setting a Queue's Lifecycle back to 'default'.
  • Stop using HTML::Mason's cache_self method. It caused some rendering
    bugs with GnuPG keys and won't be fixed by upstream.
  • Fix "RefersTo is NULL" and "Requestor is NULL" to work properly in
    TicketSQL (before we only checked for "IS NULL").
  • Instead of localizing "Owner Name" in the charting UI, localize the
    words separately.
  • When overriding $HomepageComponents or other reference config types in
    RT_SiteConfig.pm, the name would not render properly on
    Configuration.html.
  • Clean up session lockfiles because Apache::Session::File doesn't.
  • Improve Custom Field Upload rendering when multiple files have been
    uploaded.
  • Bust the cache used by the SelectQueue widget when a Queue's name
    changes.
  • Dates on the Bulk Update page such as Due, Told, etc are now rendered
    as DateTimes.

Features

  • The Rights Editor now keeps track of the user/group and tab selected
    when submitting and switching between states.
  • Allow bookmarking tickets from the mobile interface.
  • Warn less when your RT is behind a proxy.
  • New CheckMoreMSMailHeaders config option that tries harder to detect
    Outlook and repair weird line-spacing issues in text parts.
  • New callbacks to add more information to the Outgoing Mail elements.
  • When listing statuses for multiple Queues/Lifecycles, group statuses
    by Lifecycle (collapsing Lifecycles with identical Status lists). This
    provides a more navigable status list on pages such as the Bulk Update.
  • Improve performance of shrink_cgm_table.pl and
    shrink_transactions_table.pl by processing more rows at a time.
  • When updating fields that contain lots of text (such as templates)
    don't display the entire contents of the template.
  • Add Custom Field styling and a callback to easily add CFs in the mobile UI.
  • Search Results that display many Custom Fields across many ticket rows
    will now cache Custom Field objects and make fewer database queries.
  • Extensions that use ExtractTicketId can now cleanly alter the subject
    of the ticket.
  • New callbacks at the beginning and end of search results.
  • Record an X-RT-Interface header to track how a ticket was created.
  • Improve dashboard rendering in Outlook and Lotus Notes by scrubbing
    JavaScript and not including the print styles.
  • Update messages to include the user being affected rather than saying
    "Added principal" or "That principal".
  • Provide add_after and add_before convenience methods for extensions
    adding new menus to RT.
  • Display examples of the Date Format preferences in the user's timezone
    to make it clearer which formats are defined as UTC and which aren't.
  • Users changing their password can now hit enter and not submit the
    Auth Token Reset form.
  • When users move a ticket from Queue A to Queue B and no longer have
    the ability to see the ticket in Queue B, RT will still display a
    message confirming that the move happened.

Documentation

  • Lifecycle documentation separate from the RT_Config.pm docs.
  • Document how to use the Style Editor and how to add your own CSS.
  • Document basic approvals configuration.
  • Improve documentation and examples for CreateTickets action
  • Improvements to the Article setup/usage documentation.
  • Clean up extraneous quotes in our POD.
  • New documentation on recommended backup procedures.
  • Remove some erroneous documentation in the REST interface.
  • New documentation for the initialdata file format.

Development

  • Improve SQL logging on record creation and the autocompleter.
  • Improve the debugging mason errors to include a stack trace.
  • Ensure tests never run in the local locale (which can cause
    interesting failures).
  • Catch and error if we throw warnings in tests.
  • The rt-apache tool now accepts "." so you can easily run from a git
    checkout.
  • Enforce internal policies on the repository with 99-policy.t.
  • Inline test server now clears the callback cache between tests.

git log rt-4.0.8..rt-4.0.9
or visiting
rt-4.0.8...rt-4.0.9

rt-4.0.8

27 Jun 01:55

RT 4.0.8 contains important security fixes, in addition to bugfixes.

http://download.bestpractical.com/pub/rt/release/rt-4.0.8.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.0.8.tar.gz.sig

SHA1 sums

7be074e86929c69b4f17d10503646ff070f7fa3b  rt-4.0.8.tar.gz
7ee1ecf25a99472d0d75665ed577941cb94c64e7  rt-4.0.8.tar.gz.sig

This release, in addition to being a bugfix release, also resolves a
number of security vulnerabilities. It resolves CVE-2012-4730,
CVE-2012-4731, CVE-2012-4732, CVE-2012-4734, CVE-2012-4735, and
CVE-2012-4884.

Bugfixes

  • Custom Fields BasedOn can be set from initialdata again.
  • Fix the 3.8.4 NotifyGroup upgrade script to properly join notification
    groups with a comma.
  • Correct the use of the 'approved' state from Lifecycles. It is now
    used only when all approvals are completed.
  • Use database-level row locking to ensure that scrips do not suffer
    from race conditions with scrips from other processes.
  • Remove multiple slashes so that page menus display and the active item
    is correctly highlighted.
  • Improve MaxAttachmentSize documentation.
  • Ensure that ticket links in the iCal feed are CSRF whitelisted.

Features

  • New alias validator sbin/rt-validate-aliases which helps keep RT and
    /etc/aliases in sync.
  • Add support for GPG mails in inline format (PGP partitioned encoding)
    that are also encoded for transfer with Base64 or quoted printable.
  • Add a BeforeLocalization callback to message headers.
  • If you have DBIx::SearchBuilder 1.62 or higher and are using full
    text indexing on Pg or Oracle, rt-fulltext-indexer uses a faster query
    to find unindexed attachments.

Developer

  • Add rt-apache for running a test instance of apache.
  • Add the rt-static-docs tool for generating HTML versions of our docs.

A complete changelog is available from git by running

git log rt-4.0.7..rt-4.0.8
or visiting
rt-4.0.7...rt-4.0.8

rt-3.8.15

27 Jun 01:49

This release of RT contains important security updates.
You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.15.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.15.tar.gz.sig

SHA1 sums

abb7b0d52cb9843e3154aeff2490211ddcdc59b8  rt-3.8.15.tar.gz
9401cdd429565b99dd45c99e20d5d36ac8d0fe4c  rt-3.8.15.tar.gz.sig

This release resolves a number of security vulnerabilities.
It resolves CVE-2012-4730, CVE-2012-4732, CVE-2012-4734, CVE-2012-4735,
and CVE-2012-4884.

In addition to these security fixes, RT 3.8.15 contains support for
partitioned PGP messages.

rt-4.0.7

27 Jun 01:54

I'm happy to announce that RT 4.0.7 is now available.

http://download.bestpractical.com/pub/rt/release/rt-4.0.7.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.0.7.tar.gz.sig

SHA1 sums
4c6ba7c3311e0fc42bb99434e91d03318c24186f rt-4.0.7.tar.gz
e162aa17cacecc714ec744545c52c4ac7238c816 rt-4.0.7.tar.gz.sig

This release contains a number of bugfixes since the 4.0.6 release.
In particular, we have adjusted the CSRF warning for a few pages based
on user feedback.

This release bumps dependencies on Email::Address, FCGI and IPC::Run so
please make sure to run 'make testdeps' and if required
'make fixdeps' before upgrading. Running 'make upgrade' will also
check your installed versions for errors.

Security

  • Bump the FCGI dependency to one which closes CVE-2011-2766
    The 4.0 series did not specify a minimum FCGI version and it's
    possible that a vulnerable release of the perl FCGI module was
    installed when you set up an earlier release of 4.0.x

Features

  • Allow specification of your CSRF Whitelist Referrer using *.example.com
  • Allow searching for tickets associated with articles using a:42
  • Upgrade our Date/Time picker JS, allow unsetting of CFs
  • Improve display of circularly linked tickets
  • Optimize the large table changes between 3.2 and 3.4 for MySQL
  • Provide a better error if your CreateTickets template is malformed
  • Add the ExtractTicketId function to make customizing ticket id
    matching easier

Bugfixes

  • Don't trust emails that claim to be UTF-8; convert them to UTF-8 before storing
  • Fix a shredder bug when deleting a user and replacing it with another user
  • Remove CSRF restrictions on search results page
  • Ensure that TransactionBatch scrips always run in the RT::System
    context rather than having some sub-objects in the original user's
    context.
  • Better display of multipart/related mail
  • Remove some warnings when running under Perl 5.16
  • Better errors when viewing approvals without rights
  • Bring back rounded corners on Firefox >= 13 by using the standard
    border-radius property
  • $Users->LimitCustomField now ignores disabled ObjectCustomFieldValues
    properly (same for other non-ticket objects).
  • Versions of IPC::Run < 0.90 could truncate labels on charts that
    contain UTF-8 characters
  • Fix a rendering issue where certain emails would cause the history to
    render progressively more staggered to the right
  • Make owner:falcone and owner:[email protected] work
  • CF.{Foo} TicketSQL searches are now case insensitive on Pg and Oracle
  • Tickets with Unicode subjects created through the Web UI could end up
    being corrupted on reply because of other headers passed to MIME::Head
  • Ignore DECRYPTION_INFO from GnuPG 1.4.12
  • Record LastUpdated(By) on Scrips
  • Simple Search now handles Custom Fields with dashes
  • Remove another hardcoded use of 'resolved' in the mailgate unsafe actions
  • When deleting dashboards, also delete subscriptions
  • Fix rendering of links from bin/rt
  • Don't allow ticket creation if your REST form contains an unknown field
  • Skip users with empty email addresses in autocompletion
  • Loosen our detection of mobile browser to search for the word 'mobile'
  • Don't provide a charset on download of binary attachments
  • Fix UseSideBySideLayout to not be cached across users
  • Ensure that article searches are case insensitive
  • QueueSummaryByStatus now uses the improved code from QueueSummaryByLifecycle

A complete changelog is available from git by running
git log rt-4.0.6..rt-4.0.7
or visiting
rt-4.0.6...rt-4.0.7
although they will not load all of the commits.

rt-3.8.14

27 Jun 01:49

I'm happy to announce that RT 3.8.14 is now available.

http://download.bestpractical.com/pub/rt/release/rt-3.8.14.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.14.tar.gz.sig

SHA1 sums

0ea5e7598e9bf75156629f6358192b6f62035f8a  rt-3.8.14.tar.gz
49d1cf9e280edd23e9c467c80adc48922eb959fb  rt-3.8.14.tar.gz.sig

This release contains two fixes related to the 3.8.12 security release.

Access to search results URLs is now CSRF whitelisted, based on user feedback.
An error in rt-email-dashboards has been corrected.

A complete changelog is available from git by running:
git log rt-3.8.13..rt-3.8.14
or on github with
rt-3.8.13...rt-3.8.14