rt-4.0.23
RT 4.0.23 -- 2015-02-26
RT 4.0.23 contains important security fixes, as well as minor bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.0.23.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.0.23.tar.gz.sig
SHA1 sums
1067e0469184a6955e2822967eb7a2e287f7c17b rt-4.0.23.tar.gz
17a153215b95d12e5aa0500d676089aed081d6df rt-4.0.23.tar.gz.sig
This release is primarily a security release; it addresses CVE-2014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.
As part of these security updates, RT's dependency on the Encode module
has been changed to Encode 2.64. If upgrading, be sure to run
rt-test-dependencies to verify that your installed version of Encode
meets this requirement; if not, you will need to install a newer version
from CPAN.
Other changes include:
General user UI
- Flush TSV download every 10 rows, for responsiveness
- Pressing enter in user preference form fields no longer resets the
auth token instead
- Pressing enter in ticket create and modify form fields now creates or
updates the ticket, instead of being equivalent to "add more
attachments", or the "search" on People pages.
- Retain values in Quick Create on homepage if it fails
Command-line
- Fix server name displayed at password prompt when RT is deployed at
a non-root path like /rt
Admin
- Empty email addresses are no longer caught as being "an RT address"
if there exist queues without Correspond addresses set
- Allow Parents/Children/Members/MemberOf in CreateTickets action
- Allow RT-Originator to be overridden in templates
- Add missing semicolon on Shredder suggested indexes
- Ensure that HTML-encoded entities are indexed in FTS
Developer
- Make Obfuscate callback in configuration options be passed the
current user, as was documented
- Remove obsolete _CacheConfig parameters
- ACL checks are now applied in the ->AddRecord stage, not in ->Next;
this means that collections accessed via ->ItemsArrayRef are now
correctly ACL'd.
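Why the stage at which the ACL check runs matters, as an added example: this is a simplified model written for these notes, not RT's code. The Collection package, its check_in option, the can_see callback and the sample rows are all hypothetical; only the method names AddRecord, Next and ItemsArrayRef are taken from the item above.

```perl
#!/usr/bin/perl
# Simplified model (not RT's code) of where a collection applies its ACL check.
use strict;
use warnings;

package Collection;    # hypothetical stand-in for a search-result collection

sub new {
    my ($class, %args) = @_;
    # check_in selects the stage that filters: 'Next' or 'AddRecord'
    return bless { items => [], pos => 0, %args }, $class;
}

# Called once per row while results are loaded.
sub AddRecord {
    my ($self, $rec) = @_;
    return if $self->{check_in} eq 'AddRecord' && !$self->{can_see}->($rec);
    push @{ $self->{items} }, $rec;
}

# Iterator access: filtering here only protects callers that iterate.
sub Next {
    my $self = shift;
    while ( $self->{pos} < @{ $self->{items} } ) {
        my $rec = $self->{items}[ $self->{pos}++ ];
        next if $self->{check_in} eq 'Next' && !$self->{can_see}->($rec);
        return $rec;
    }
    return undef;
}

# Bulk access: hands back the stored list and never passes through Next.
sub ItemsArrayRef { return $_[0]{items} }

package main;

# Constructed sample rows; this viewer may only see the "support" queue.
my @rows = map { { id => $_->[0], queue => $_->[1] } }
    ( [ 1, 'support' ], [ 2, 'hr' ], [ 3, 'support' ] );
my $can_see = sub { $_[0]{queue} eq 'support' };

for my $stage (qw(Next AddRecord)) {
    my $c = Collection->new( check_in => $stage, can_see => $can_see );
    $c->AddRecord($_) for @rows;
    my @iter;
    while ( my $r = $c->Next ) { push @iter, $r->{id} }
    my @bulk = map { $_->{id} } @{ $c->ItemsArrayRef };
    print "check in $stage: Next=[@iter] ItemsArrayRef=[@bulk]\n";
}
```

With the check in Next, the iterator hides the "hr" row but the bulk accessor still returns it; with the check in AddRecord, both access paths return the same filtered set.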
Documentation
- New documentation on writing portlets
- Add an =pod directive so the first paragraph of UPGRADING is not
skipped
- Clarify when UPGRADING-x.y steps should be run
A complete changelog is available from git by running:
git log rt-4.0.22..rt-4.0.23
or visiting
rt-4.0.22...rt-4.0.23