pkgsrc/devel/rt4
ryoon 2c7b5f21f6 Update to 4.2.16
This patch is provided by spz@, thank you.

Changelog:

4.2.16

Security Updates

  * One of RT's dependencies, the Perl module Email::Address, has a
    denial of service vulnerability which could induce a denial of
    service of RT itself. We recommend updating to Email::Address
    version 1.912 or later. The Email::Address vulnerabilities are
    assigned CVE-2015-7686 and CVE-2015-12558. CVE-2015-7686 was
    addressed in RT with a previous update. Email::Address version
    1.912 addresses both of these CVEs with updates directly in the
    source module. Thanks to Ricardo Signes for helping us with these
    updates.

  * One of RT's dependencies, the Perl module Email::Address::List,
    relies on and operates similarly to Email::Address and therefore
    also has potential denial of service vulnerabilities. These
    vulnerabilities are assigned CVE-2018-18898. We recommend
    administrators install Email::Address::List version 0.06 or
    later. Thanks to Lukas Kramer for reporting the issue and Alex
    Vandiver for contributing fixes.

  * An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML
    in some cases. Since RT relies on this module to escape HTML
    content, it's possible this issue could allow malicious HTML to be
    displayed in RT. For RTs using this optional module, we recommend
    administrators install HTML::Gumbo version 0.18 or later. Thanks
    to Ruslan Zakirov for updating this module.

  * The version of jQuery used in RT 4.2 and 4.4 has a Cross-site
    Scripting (XSS) vulnerability when using cross-domain Ajax
    requests. This vulnerability is assigned CVE-2015-9251. RT does
    not use this jQuery feature so it is not directly
    vulnerable. jQuery version 1.12 no longer receives official
    updates, however a fix was posted with recommendations for
    applications to patch locally, so RT will follow this
    recommendation and ship with a patched version.

4.2.15

General user UI
  * Show the Ticket's Subject when modifying the ticket.
  * Re-format RT/Config.pm so the `# loc` comment parses correctly.

Web Administration
  * Stop wrapping ShowUser in <a> tags to avoid unnecessary nested links.
  * When listing group members, sort by text-only representation of the
    user, not HTML (I#30771)
  * In the group admin page, stop pre-computing ShowUser.
  * In shredder, check for both id and name mismatches when loading objects
  * Retain scrip sort order in pagination links

Internals
  * Cache OCFVs to improve performance searching for duplicates when adding
    values.
  * Remove unused dependencies on File::Copy and Carp.
  * On Oracle, return the empty string instead of undef for Subject when it
    has no value on a ticket.
  * Handle alphabetic words in RT::Plugin::Version

Developer
  * Avoid using $id in /Ticket/Display.html so callbacks can modify id in ARGS.

Documentation
  * Mention the RT-Attach-Message: yes header in template docs.
  * Fix incorrect path in portlet documentation.

Internationalization
  * Many changes to refactor sections of RT's internationalization code.

4.2.14

Security
  * RT 4.0.0 and above are vulnerable to an information leak of cross-site
    request forgery (CSRF) verification tokens if a user visits a specific
    URL crafted by an attacker. This vulnerability is assigned
    CVE-2017-5943. It was discovered by a third-party security researcher.

  * RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
    if an attacker uploads a malicious file with a certain content type.
    Installations which use the AlwaysDownloadAttachments config setting are
    unaffected. This fix addresses all existent and future uploaded
    attachments. This vulnerability is assigned CVE-2016-6127. This was
    responsibly disclosed to us first by Scott Russo and the GE Application
    Security Assessment Team.

  * One of RT's dependencies, a Perl module named Email::Address, has a
    denial of service vulnerability which could induce a denial of service
    of RT itself. We recommend administrators install Email::Address version
    1.908 or above, though we additionally provide a new workaround within
    RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
    vulnerability's application to RT was brought to our attention by Pali
    Rohár.

  * RT 4.0.0 and above are vulnerable to timing side-channel attacks for
    user passwords. By carefully measuring millions or billions of login
    attempts, an attacker could crack a user's password even over the
    internet. RT now uses a constant-time comparison algorithm for secrets
    to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
    This was responsibly disclosed to us by Aaron Kondziela.

  * RT's ExternalAuth feature is vulnerable to a similar timing side-channel
    attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
    extension, as well as the core ExternalAuth feature in RT 4.4 are
    vulnerable. Installations which don't use ExternalAuth, or which use
    ExternalAuth for LDAP/ActiveDirectory authentication, or which use
    ExternalAuth for cookie-based authentication, are unaffected. Only
    ExternalAuth in DBI (database) mode is vulnerable.

  * RT 4.0.0 and above are potentially vulnerable to a remote code execution
    attack in the dashboard subscription interface. A privileged attacker
    can cause unexpected code to be executed through carefully-crafted saved
    search names. Though we have not been able to demonstrate an actual
    attack owing to other defenses in place, it could be possible. This fix
    addresses all existent and future saved searches. This vulnerability is
    assigned CVE-2017-5944. It was discovered by an internal security audit.

  * RT 4.0.0 and above have misleading documentation which could reduce
    system security. The RestrictLoginReferrer config setting (which has
    security implications) was inconsistent with its implementation, which
    checked for a slightly different variable name. RT will now check for the
    incorrect name and produce an error message. This was responsibly
    disclosed to us by Alex Vandiver.

General user UI
  * Avoid divide-by-zero in charts with no data (I#32143)
  * Remove dashboard from menu if it can't be loaded (I#29719)
  * Avoid wrapping one-time recipient checkbox separately from its
    label (I#32117)
  * Use only top-level attachments for generating one-time recipient lists
    to avoid e.g. phishing addresses
  * Fix bulk update for asset custom fields (I#32509)
  * Sort one-time recipient addresses (I#31879)
  * Fix article quicksearch degrading the article menu (#31591)
  * Avoid noisy "CF changed from 0 to 0" messages (I#32440)
  * Avoid showing a truncated list of articles due to permissions (I#31989)
  * Include the new Request Tracker logo
  * Stop double-escaping HTML which is made into links (I#31169)

Email
  * Avoid overaggressively trimming whitespace from MIME encoded-words
  * Add config option $OverrideMailPrecedence to help avoid out-of-office
    autoreplies
  * Fix issues with encrypted attachments being unreadable/absent

Database
  * Replace deprecated NOCREATEUSER with NOSUPERUSER for
    Postgres 9.6 (I#32511)

rt-serializer/rt-importer
  * Fix several incorrect references in output (I#31803, I#31804, I#31805,
    I#31808)
  * Add --exclude-organization option (I#31812, I#31813)
  * Add --limit-queues and --limit-cfs options
  * Suppress semi-unmigrated link relationships by default
  * Add --hyperlink-unmigrated option
  * Fix queue change transactions to mention unmigrated queues by name
  * Support for dashboards in menu preference (I#31810)
  * Support for RT at a Glance preference (I#31809)
  * Don't skip RT->System searches
  * Avoid breaking rights granted to users (I#31806)

Web Administration
  * Add checkbox for selecting all custom field values in admin UI
  * Log a history entry when adjusting whether a user is Privileged
  * Log history entries when adding/removing a group member both to
    the group and to the member
  * Hide disabled scrips by default, adding a "include disabled scrips"
    checkbox (I#30131)
  * Add missing timezone field on user create/modify (I#29977)
  * Add RT extension names and versions to System Configuration page (I#31482)

Server Administration
  * Avoid error messages in 4.0.1 upgrade step
  * Improve automatic identification of `find` command
  * Add RefreshIntervals config option for managing homepage and
    dashboard refresh
  * Log failure to unlink temp file after email parse (I#32142)
  * Make automatically linking a used article to the ticket configurable
    with $LinkArticlesOnInclude config
  * Avoid undef warnings with mbox MailCommand and FastCGI
  * Avoid regex deprecation warnings on perl 5.21.1+
  * Avoid issues with modern Perl versions excluding ./ from @INC
  * Reduce log levels of custom field loading issues caused by ordinary
    end-user actions (I#31742)
  * Adapt SMIME probe to work with openssl 1.1
  * Double bcrypt cost for password hashing
  * Avoid "Couldn't load object RT::Transaction #0" warnings (I#31548)
  * Avoid broken DateTime::Locale versions (I#31542)
  * Avoid incompatible DBD::mysql version (I#32670)

Developer
  * Clarify the usage of skip_update in /Ticket/Update.html BeforeUpdate
    callback
  * Fix whitespace-related test failures under Mojolicious 7.0
  * Fix test failures when /usr/bin/sendmail absent
  * Factor out _OutgoingMailFrom into a separate method for extensibility
  * Ensure that Test::NoWarnings is skipped if skip_all is used
  * Fix bug where RT::Ticket->Create's SquelchMailTo would squelch only
    to the first address (I#31600)
  * Avoid test failure caused by hash randomization
  * Set up default args for customizations calling SignEncrypt directly
  * New callbacks:
      /Elements/ShowCustomFieldWikitext WikiFormatArgs
      /Search/Elements/Chart AfterChartTable
  * Improved callbacks:
      /Elements/Tabs Privileged adds Search_Args and Has_Query parameters

Documentation
  * Update links to the RT wiki
  * Update mailing list references to point to community forum
  * Improve documentation around creating a custom theme (I#31800)
  * Document how to include custom fields in format strings

Internationalization
  * Improvth @RefreshIntervals
  * Update translations for: Brazilian Portuguese, Dutch, German, Latvian,
    Macedonian, Russian, Serbian, Slovenian, and Spanish

4.2.13

General User UI
  * Avoid race condition where a ticket's Started timestamp could be
    before its Created timestamp
  * Users without ability to update a saved search are no longer shown
    an Update button
  * IP custom field textboxes now wide enough for full IPv6 addresses (I#24565)
  * Self-service Cc field now allows for autocompleting multiple users
  * When possible sort charts numerically rather than ascii-betically
  * QuickCreate now respects DefaultQueue and RememberDefaultQueue (I#30913)
  * Make user preferences use label tags for better clickiness (I#30953)
  * Hide "Transaction has no content" from Extract Article (I#31027)
  * Improve CSRF detection by whitelisting more specific parameters (I#31090)
  * Empty selection boxes no longer render 1px wide (I#31316)
  * Show queue ID if the user can't see the queue name
  * Search builder display format now properly supports "large" sizing
  * Fix SMIME encoding issue (I#31155)
  * Improve messaging and logging around reminders that users can't see
  * Queue name on ticket display is now a link to a search for all active
    tickets in that queue
  * Support autocomplete custom fields in bulk update (I#15259)
  * Hint to the user that not all CF types are supported by bulk update,
    instead of silently excluding them (I#15259)
  * Improve compliance with RFC4480 for GPG armor lines (I#30372)
  * Restore behavior of $EditCustomFieldsSingleColumn config (I#18555)
  * Fix a regression with time zones in datetime custom fields (I#31674)
  * Fix certain attachment links containing HTML metacharacters from
    double escaping (I#31751)
  * Fix custom attachment URLs for self-service users (I#30960)

Database
  * "schema" upgrade files no longer issue CREATE INDEX statements, instead
    there are now "indexes" upgrade files that describe the end state of the
    indexes RT requires. This better handles indexes that may have been
    deployed by hand or otherwise already exist.
  * We now correctly shred ObjectCustomFields records when shredding a
    CustomField
  * Add $MaxFulltextAttachmentSize RT_Config option (default: 0 meaning
    no limit) for tuning how very large attachments are included in the
    full-text index
  * Improve 4.0 upgrade scripts running under 4.2

Web Administration
  * We now record transactions for changes to queues
  * Improve visual design of Shredder forms

Server Administration
  * Add missing dependency on Encode 2.64
  * New RT_SiteConfig.pm files now get a "use utf8;" by default to allow
    config options to use Unicode
  * bcrypt cost has been doubled on schedule to improve password hashing
    security
  * Allow multiple --action and --action-arg options in rt-crontool
  * Fix "use of localtime without parentheses" warning
  * rt-email-dashboards now has a --log parameter for setting log level
  * Add config %ReferrerComponents to provide fine-grained control over
    referrer checking behavior
  * Clarify web config validation log messages (I#31117)
  * Add a no_ticket_transactions option to user shredder
  * Remove now-unnecessary dependency on Apache::DBI (I#31210)
  * Avoid DateTime::Locale versions 1.00 and 1.01
    https://rt.cpan.org/Public/Bug/Display.html?id=110244
  * Have ./configure test whether to use GNU-style syntax or BSD-style
    syntax for `find -perm` (I#31308)

Developer
  * Improve test compatibility with File::Which 1.17
  * Improve test compatibility with HTML::FormatText::WithLinks::AndTables
  * Remove unused RT::Shredder::Record
  * Transactions now have a ColumnMap
  * New callbacks:
      /Ticket/Create.html MassageCloneArgs
      /Admin/Queues/Modify.html FormStart
      /Ticket/Elements/ShowBasics AfterTimeLeft, AfterPriority, AfterQueue,
          and AfterTable
      /Ticket/Elements/ShowSummary AfterBasics, AfterPeople, AfterReminders,
          and AfterDates
      /Ticket/Graphs/index.html BeforeActionList, FormStart, AfterForm, and
          Default
      /Ticket/Update.html RightColumnBottom
      /Admin/CustomFields/Modify.html EndOfPage
      /Elements/CollectionAsTable/Row EachField
      /Dashboards/Subscription.html SubscriptionFormEnd, SubscriptionFields,
          and MassageSubscriptionFields
      /Elements/ShowTransactionAttachments BeforeAttachment
  * Improved callbacks:
      /Admin/CustomFields/Modify.html Initial adds $Results

Documentation
  * New documentation on format strings (docs/format-strings.pod) for
    controlling how search results are displayed
  * Update documentation to expect that most installations will deploy
    fulltext search
  * Also remind users that they should set up backups in the README
  * Fix UPGRADING-4.2's description of PostgreSQL full-text search using
    GiST; it uses GIN indexes (I#31844)

Internationalization
  * Adjust the string "CustomFields" to instead use the existing
    "Custom Fields" to ease translation
  * We now display translated ticket properties and statuses on graphs
  * Update translations for: Brazilian Portuguese, Czech, Finnish, French,
    German, Greek, Hungarian, Japanese, Latvian, Lithuanian, Occitan, Polish,
    Russian, Spanish, Swedish, and Turkish
2019-06-13 03:19:13 +00:00
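The 4.2.14 timing side-channel entry (CVE-2017-5361) says RT moved to a constant-time comparison for secrets. As an added illustration, not RT's code: an early-exit comparison beside a constant-time one, each instrumented to report how many bytes it examined, so the matching-prefix leak is visible without any timing measurements. `STORED_DIGEST` and the helper names are constructed for this example.

```python
import hmac
from typing import List, Tuple

# Constructed placeholder for a stored password digest (not a real bcrypt hash).
STORED_DIGEST = b"constructed-digest-0123456789abcdef"

def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison of the kind the RT fix replaced.
    Returns (equal, bytes_examined); the count grows with the length of
    the matching prefix, which is what a timing side-channel measures."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined      # stops at the first mismatch
    return True, examined

def constant_time_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """OR-accumulate the differences and never exit early, so the work done
    does not depend on where (or whether) the inputs differ. Digests have a
    fixed length, so the length check leaks nothing useful."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined

def verify_digest(stored: bytes, supplied: bytes) -> bool:
    """What application code should call: the standard library's
    constant-time comparison (compare digests, never plaintext passwords)."""
    return hmac.compare_digest(stored, supplied)

def prefix_leak(stored: bytes) -> Tuple[List[int], List[int]]:
    """Feed guesses matching 0..len(stored) leading bytes and collect the work
    each comparator does: the naive list climbs, the constant-time one is flat."""
    naive, ct = [], []
    for k in range(len(stored) + 1):
        guess = stored[:k] + bytes(len(stored) - k)   # wrong tail of NUL bytes
        naive.append(naive_equal(stored, guess)[1])
        ct.append(constant_time_equal(stored, guess)[1])
    return naive, ct

if __name__ == "__main__":
    print(prefix_leak(STORED_DIGEST))
```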