Commit graph

14 commits

Author SHA1 Message Date
spz
bad1a22fea Update to the latest version in the rt3 train. Contains security updates:
3.8.15 Release Notes

   This release resolves a number of security vulnerabilities.
   It resolves CVE-2012-4730, CVE-2012-4732, CVE-2012-4734, CVE-2012-4735,
   and CVE-2012-4884.

   In addition to these security fixes, RT 3.8.15 contains support for
   partitioned PGP messages.

  3.8.14 Release Notes

   This release contains two fixes related to the 3.8.12 security release.

   Access to search results URLs is now CSRF whitelisted, based on user
   feedback.
   An error in rt-email-dashboards has been corrected.

  3.8.13 Release Notes

   This release contains an important bugfix over the 3.8.12 security
   release:

    * Fix sending email with the 'perl-script' mod_perl handler, by
      ensuring that STDIN was always on FD 0 before calling IPC::Open2.
      This failure showed as either SIGPIPE or abnormal exit codes when
      running sendmail.

    * Fix for "Undefined value assigned to typeglob" and "Bad file
      descriptor: core_output_filter" errors caused by the above change, by
      ensuring that both FD 0 and FD 1 are prevented from being claimed by
      Apache.  This error only arose with the prefork MPM and mod_perl <=
      2.0.4.
2012-10-31 20:39:26 +00:00
spz
b7c15a9cf9 Update RT to version 3.8.12:
Changes from 3.8.11 to 3.8.12:
    This release, in addition to being a bugfix release, also resolves a
    number of security vulnerabilities.  It resolves CVE-2011-2082,
    CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458,
    CVE-2011-4459, and CVE-2011-4460.

     * Upgrade prototype.js to version 1.7, for compatibility with google
       charts.
     * Remove ie7.js, which is no longer used.
     * Ensure that TransactionBatch scripts are only run once.

Changes from 3.8.10 to 3.8.11:
    This release contains a number of bugfixes and minor security updates
    since the 3.8.10 release, most notably:

     * Adjust FCGI dependency to one which resolves FCGI's CVE-2011-2766

     * New WebHttpOnlyCookies option, enabled by default, which hides RT's
       cookie from direct Javascript access.

     * Compatibility with perl 5.12 and 5.14, by removing deprecated "for
       qw(...)" and "defined %hash" syntax.

     * MySQL 5.5 compatibility, by specifying ENGINE=InnoDB rather than
       TYPE=InnoDB

     * Ensure that RT::Interface::Web's _Overlay, _Local, and _Vendor files
       are loaded correctly.

     * Fix session cleaner for on-disk sessions, broken since 3.8.0.

     * Ensure that only one "Based on" attribute is stored for each custom
       field.

     * Fix the loading of Shredder plugins, broken in 3.8.10.
2012-05-25 19:55:43 +00:00
spz
814e9daf2a make rt deal with perl 5.14
2011-10-25 19:38:09 +00:00
spz
0c8708b982 Update of rt3 to version 3.8.9
Changelog:

SECURITY

* Move to a SHA-256 based password hashing scheme
* Redirect users to their desired pages after login.
  This prevents possible back button attacks after a user logs out.
* Clone Scrip's TicketObj since we change the CurrentUser and it can
  leak information (Custom field values, etc)

INSTALLATION

* Fixes to the RH Layout in config.layout

ACCESS CONTROL

* New AdminCustomFieldValues right that allows user to add/remove
  CF values, but not edit the CF

CONFIGURATION

* Add ResolveDefaultUpdateType to choose between Comment or Correspond
  on Resolve
* When using Set($MailCommand, 'testfile') log all mail to the
  same tmpfile
* Add a callback to allow extensions to redirect a user to an external
  auth logout URL using RT's logout button. This ensures that the user's
  RT session is cleared
* Add SuppressAutoOpenOnUpdate preference

DOCUMENTATION

* Clean up README
* Update UPGRADING.mysql documentation for users of older mysql
* Flag that "Let this user be granted rights" means "Privileged"
* Fix rt-crontool examples to use a real Condition
* Undocument SenderMustExistInExternalDatabase since the code was
  never merged
* Better document SetOutgoingMailFrom
* Better document shrink_cgm_table.pl

DATABASE

* Add support for Postgres 9
* No longer record transactions for ACL Equivalence Groups
* Don't delete all RT MySQL ACLs before invoking GRANT
* Quote database name for GRANT on MySQL
* Insert extensions' schema and acl files as the DBA
* Fix searches for empty Attachments on Oracle

EMAIL

* Better handling of mail generated by Outlook
* When RT's SendmailCommand fails, record it in ticket history
* New GPG tests and bugfixes for corner cases
* use EmailOutputEncoding for Content-Type.charset
* Handle failures in MIME Encoding better
* Small bugfixes for text/html templates
* Fix MIME decoding on ticket subjects
* Remove stray colons and whitespace in the default Admin Comment
  template

USER INTERFACE

* Fix an infinite loop when using the 3.4-compat theme
* Fixes to CollectionList sorting
* css positioning tweaks for page menus
* Fixes for Bulk Update when users click 'Add More Files'
* Skip all watchers when offering to add CCs as Watchers
* Fix ahah.js to handle more than one CF 'Include page' link
* Ensure that Nobody is always at the front of the Select Owner list
* Link Basics in SelfService to the Update page
* Fix toggling js to only run once
* Ensure signatures are included in Jumbo edits
* Better identify (in the UI) a misconfigured GPG setup
* GPG key management UI updates
* Add classes/ids to the Custom Field Editing pages
* CSS Fixes for preferences widgets
* Fix truncated top values on Charts
* Wording and layout changes for the 'update password' widget
* Ensure that we keep Anchor tags on redirects
* Fix loading a new search on the Chart/Graph pages
* Change Attachment size label from Bytes to Megabytes
* Respect timezones in timestamps in /Approvals/
* Charset fixes for Ticket Attachment downloads
* Bar graph fixes for large numbers of bars
* Allow a callback on QuickCreate to pass a default Status
* Fix Approvals to make one search for approval tickets that distincts
  and orders them
* Link from Group Membership lists to User admin pages
* New callbacks (autohandler, default queue, aborting ticket updates,
  after requestor on create)
* Fix non-local local links and add t: syntax
* Editing Transaction custom fields now shows errors inline
* Use the ShowUser element more consistently across the UI

TOOLS

* Improvements to extract-message-catalog (translation tool)
* Let shrink_cgm_table and shrink_transactions display "percent complete"
* Added a simple script to naively generate a RTAddressRegexp
* Install rt-attributes-viewer originally shipped with 3.8.8
* bin/rt now searches for global configs in LOCAL_ETC_PATH also

OTHER BUG FIXES

* No longer refuse to start if you upgraded from a version of RT that
  allowed you to have invalid Scrips
* Handle broken Reminders links when users change their Organization
* Trim whitespace from CustomFieldValues consistently
* RFC2616 dates are always in UTC
* Scrips can no longer have an empty Condition, Action or Template
* make multi-value REST fields separated with commas ignore spaces
* Localize ENV changes under mod_perl
* Don't page group memberships for a User
* Skip disabled Queues when a Simple Search term matches a Queue Name
* Add TransactionObj to CreateTickets templates to match the docs
* Fix the use of Tickets_Local.pm in rt-email-dashboards and rt-crontool
* Escape more characters in graphviz output
* Fix message when you fail to delete a saved search to tell you
  Permission Denied
* Include Rules with Scrips when previewing recipients
* Ensure that distribution upgrades that break Scalar::Util show up in
  apache logs
* Fix warnings on empty Collection List headers
* Log errors from safe_run_child
* Refuse to run if webmux.pl and RT.pm are mismatched
* Actually log the error that caused "Can't load a principal for id #"
* Switch to using $Approver->Name in templates since an AdminCc can
  approve
* Allow fastcgi_server to specify a port
* Guard against SavedSearches with no content
* Ensure our output is always flagged as utf-8
* Allow queries like "Priority > -2"
* Fixes to Private/Public key methods
* Return 'set private key' from SetPrivateKey, not 'unset private key'
* Protect STDOUT under mod_perl - among other things, this fixes
  Scrips that use system()
* Fix forwarding of messages without a top level textual part
2011-02-26 20:58:15 +00:00
spz
2d964d68aa perl FCGI 0.69 onwards is more picky about the strings it gets.
Thus, if you feed it perl strings with utf-8 you get a complaint about
wide characters in the string.
The new patch-ac contains a fix.
2010-04-13 21:06:30 +00:00
spz
82bfd109ba improve gnupg handling
2010-03-14 13:12:04 +00:00
tonnerre
694bbd4154 Update rt3 to version 3.8.1 (from 3.6.6). Changes are:
 * New visual style (web2).
 * Rich text mails.
 * Email signatures and encryption.
 * User settings for:
   - Ticket history ordering.
   - Timezones.
   - Date and time format.
   - Username format.
   - Default queue.
   - Size of message text boxes.
 * Charts of ticket relationships.
 * Breeze through upgrades with new upgrade tools.
 * Subscribe to iCalendar feeds of ticket due dates.
 * Bookmark frequently-used tickets.
 * Turn off mail from RT when you go on vacation.
 * Get your mail from RT as a daily or weekly batch.
 * Delete historical or spam tickets with RT::Shredder (only as a superuser).
 * Set up more configurable business rules with new Scrip Conditions and
   Actions.
 * Forward tickets to third-parties from within RT.
 * Enable and Disable RT extensions with the new Plugins system.
 * Automatically log out inactive users with rt-clean-sessions.
 * Run faster with less memory, thanks to numerous performance improvements
   and bug fixes.
 * Fixed a potential HTML injection attack via user's properties.
 * Better support for installation on Solaris and FreeBSD (non-GNU make).
 * Updates to documentation and scripts for upgrading from MySQL 4.0
 * Updated upgrade documentation for the new Queue Tag and bookmarks features.
 * Multiple bugs in iCal support fixed.
 * Backwards compatibility fixes for extensions developed against 3.6
 * Added support for external links in tabs and targets.
 * Addition of a new callback before ticket creation so you can implement
   custom validation or stop creation for another reason.
 * Missing documentation to external authentication configuration variable
   in bin/rt and make it possible to set it via ENV.
 * Merged method in RT::Ticket.
2008-08-23 23:58:29 +00:00
tonnerre
d3f38f08b6 Update rt to version 3.6.6
Significant changes:
 - Reminders (remind of taking actions on an inactive bug at some point)
 - "Googleish" simple searches
 - Email input completion
 - Revamped theme engine
 - Support for UTF-8 password
 - Many more translations
 - Various Bugfixes

Approved-by: cube
2008-03-16 20:47:03 +00:00
cube
433b2815fa Pull up a change from 3.6.5 to support MIME-tools > 5.420.
PR#37372 by Jon Bailey.

No version bump:  riding the update 5 minutes ago.
2007-11-13 02:52:06 +00:00
cube
23aea700c0 Reap undead patches.
2007-08-09 20:57:18 +00:00
seb
10353c0828 Install sbin/rt-dump-database script.
Apply fix from
http://svn.bestpractical.com/cgi-bin/index.cgi/bps/revision?rev=5218
<< * get rid of "masks earlier declaration" warnings >>

Bump PKGREVISION to 1.

Approved by MAINTAINER.
2006-06-03 10:40:34 +00:00
cube
2ec97b6708 Update rt3 to version 3.4.5. This is _not_ an easy update, although the
changes are apparently minor to an end user (but not for the site
administrator).

It'd be very hard and very long to provide a full list of changes.  The main
changes in RT 3.4 are a complete rework of how Custom Fields are handled,
which means there is a lot more flexibility in that area now (including
Custom Fields for users, per-queue, per-transaction).  RT 3.4 is also
supposed to be faster, which certainly is no bad news.

Another bonus of RT 3.4 is the availability of extensions, and I will
commit RTx::Shredder and RTx::RightsMatrix very soon.

Updating RT is not an easy task, be sure to backup your database, and don't
forget to grant the new rights to relevant people.

In pkgsrc, rt3 is also seeing a few changes.  The main one is the situation
of the "local" path, which is now set to /var/rt3, which seems less lame to
me than the previous value.  It could be debated, though.
2006-05-01 09:38:08 +00:00
cube
c915693cdb Mason API has changed after version 1.28. Add a patch to catch up with the
change (it breaks for callbacks).

Inspired from the commit to solve the same issue on the 3.4 branch of RT.

Bump PKGREVISION and Mason version requirement.
2005-09-21 21:23:46 +00:00
cube
eecedbbfaf Initial import of rt3, version 3.2.1, into the NetBSD Packages
Collection.

This package is based on the work of Dieter Roelants in pkgsrc-wip, with
a lot of changes to make it proper WRT pkgsrc.

RT is an industrial-grade ticketing system. It lets a group of
people intelligently and efficiently manage requests submitted by
a community of users. RT is used by systems administrators, customer
support staffs, NOCs, developers and even marketing departments at
over a thousand sites around the world.
2004-08-03 15:33:48 +00:00