Releases: bestpractical/rt
rt-4.2.13
RT 4.2.13 -- 2016-07-20
We're pleased to announce the availability of RT 4.2.13. This release is a
bugfix release; most notably, values in charts are now sorted numerically,
and a regression for time zones on date/time custom fields has been addressed.
A complete list of improvements follows.
https://download.bestpractical.com/pub/rt/release/rt-4.2.13.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.13.tar.gz.asc
SHA1 sums
eb155493ae8aa965a9571be47abe95ce7dd7a70c rt-4.2.13.tar.gz
4b760717439c6971bd5849e1b3401e7d6bb404cb rt-4.2.13.tar.gz.asc
- Shawn M Moore, for Best Practical
General User UI
- Avoid race condition where a ticket's Started timestamp could be
before its Created timestamp
- Users without ability to update a saved search are no longer shown
an Update button
- IP custom field textboxes now wide enough for full IPv6 addresses (I#24565)
- Self-service Cc field now allows for autocompleting multiple users
- When possible sort charts numerically rather than ascii-betically
- QuickCreate now respects DefaultQueue and RememberDefaultQueue (I#30913)
- Make user preferences use label tags for better clickiness (I#30953)
- Hide "Transaction has no content" from Extract Article (I#31027)
- Improve CSRF detection by whitelisting more specific parameters (I#31090)
- Empty selection boxes no longer render 1px wide (I#31316)
- Show queue ID if the user can't see the queue name
- Search builder display format now properly supports "large" sizing
- Fix SMIME encoding issue (I#31155)
- Improve messaging and logging around reminders that users can't see
- Queue name on ticket display is now a link to a search for all active
tickets in that queue
- Support autocomplete custom fields in bulk update (I#15259)
- Hint to the user that not all CF types are supported by bulk update,
instead of silently excluding them (I#15259)
- Improve compliance with RFC4480 for GPG armor lines (I#30372)
- Restore behavior of $EditCustomFieldsSingleColumn config (I#18555)
- Fix a regression with time zones in datetime custom fields (I#31674)
- Fix certain attachment links containing HTML metacharacters from
double escaping (I#31751)
- Fix custom attachment URLs for self-service users (I#30960)
Database
- "schema" upgrade files no longer issue CREATE INDEX statements, instead
there are now "indexes" upgrade files that describe the end state of the
indexes RT requires. This better handles indexes that may have been
deployed by hand or otherwise already exist.
- We now correctly shred ObjectCustomFields records when shredding a
CustomField
- Add $MaxFulltextAttachmentSize RT_Config option (default: 0 meaning
no limit) for tuning how very large attachments are included in the
full-text index
- Improve 4.0 upgrade scripts running under 4.2
Web Administration
- We now record transactions for changes to queues
- Improve visual design of Shredder forms
Server Administration
- Add missing dependency on Encode 2.64
- New RT_SiteConfig.pm files now get a "use utf8;" by default to allow
config options to use Unicode
- bcrypt cost has been doubled on schedule to improve password hashing
security
- Allow multiple --action and --action-arg options in rt-crontool
- Fix "use of localtime without parentheses" warning
- rt-email-dashboards now has a --log parameter for setting log level
- Add config %ReferrerComponents to provide fine-grained control over
referrer checking behavior
- Clarify web config validation log messages (I#31117)
- Add a no_ticket_transactions option to user shredder
- Remove now-unnecessary dependency on Apache::DBI (I#31210)
- Avoid DateTime::Locale versions 1.00 and 1.01
https://rt.cpan.org/Public/Bug/Display.html?id=110244
- Have ./configure test whether to use GNU-style syntax or BSD-style
syntax for find -perm (I#31308)
Developer
- Improve test compatibility with File::Which 1.17
- Improve test compatibility with HTML::FormatText::WithLinks::AndTables
- Remove unused RT::Shredder::Record
- Transactions now have a ColumnMap
- New callbacks:
/Ticket/Create.html MassageCloneArgs
/Admin/Queues/Modify.html FormStart
/Ticket/Elements/ShowBasics AfterTimeLeft, AfterPriority, AfterQueue,
and AfterTable
/Ticket/Elements/ShowSummary AfterBasics, AfterPeople, AfterReminders,
and AfterDates
/Ticket/Graphs/index.html BeforeActionList, FormStart, AfterForm, and
Default
/Ticket/Update.html RightColumnBottom
/Admin/CustomFields/Modify.html EndOfPage
/Elements/CollectionAsTable/Row EachField
/Dashboards/Subscription.html SubscriptionFormEnd, SubscriptionFields,
and MassageSubscriptionFields
/Elements/ShowTransactionAttachments BeforeAttachment
- Improved callbacks:
/Admin/CustomFields/Modify.html Initial adds $Results
Documentation
- New documentation on format strings (docs/format-strings.pod) for
controlling how search results are displayed
- Update documentation to expect that most installations will deploy
fulltext search
- Also remind users that they should set up backups in the README
- Fix UPGRADING-4.2's description of PostgreSQL full-text search using
GiST; it uses GIN indexes (I#31844)
Internationalization
- Adjust the string "CustomFields" to instead use the existing
"Custom Fields" to ease translation
- We now display translated ticket properties and statuses on graphs
- Update translations for: Brazilian Portuguese, Czech, Finnish, French,
German, Greek, Hungarian, Japanese, Latvian, Lithuanian, Occitan, Polish,
Russian, Spanish, Swedish, and Turkish
A complete changelog is available from git by running:
git log rt-4.2.12..rt-4.2.13
or visiting
rt-4.2.12...rt-4.2.13
rt-4.4.0
RT 4.4.0 -- 2016-02-04
We're thrilled to announce the availability of RT 4.4.0! This is
the first release for the next major version of RT. The focus of
this release series is quality-of-life improvements for both users
and administrators.
When upgrading, please be sure to review the upgrading documentation
available in docs/UPGRADING-4.4, as there are a number of
backward-incompatible changes that come along with the new version
number. Upgrading documentation is also available at
http://www.bestpractical.com/docs/rt/latest/UPGRADING-4.4.html
https://download.bestpractical.com/pub/rt/release/rt-4.4.0.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.0.tar.gz.asc
3bfeeac1e7a7cd4b1a042db04459f0e87c2b5fbb rt-4.4.0.tar.gz
a4a15d41d9ae663d4fda6c2f5246cc0cf26127ac rt-4.4.0.tar.gz.asc
A list of the major new features in RT 4.4.0 is included below. Many
of the new features are described and demoed in a series of
blog posts on http://blog.bestpractical.com/ with still more to come.
Finally, we'd like to invite you to attend our next training session in
Hamburg, Germany, which covers the new features in RT 4.4 as well as
RTIR and its next version. Visit http://bestpractical.com/training for
more.
- Shawn M Moore, for Best Practical
- RT now includes the Assets extension for tracking your physical and
digital resources.
- Attachments can now be stored outside of the database either on disk, in
Dropbox, or on Amazon S3. Attachments can also be directly served from S3.
- SLA tracking is now part of core RT. You can define many different service
levels that take your business hours and holidays into account.
- External authentication and LDAP integration are now shipped as core RT
features.
- RT now has support for custom roles, along the lines of Requestor, Owner,
Cc, and AdminCc. These roles can be single-member or multi-member.
Privileges can be assigned to members of custom roles, you can search based
on custom role membership, you can notify custom role members in
scrips, and so on.
- RT now has a modern file upload interface which allows you to select
multiple files in one fell swoop, drag and drop attachments onto RT, and
inline preview certain file types like images.
- We've added a "scroll" option for gradually loading in ticket history as
the user scrolls down, much like "infinite scroll". This considerably
improves perceived performance.
- Existing attachments on a ticket can be reused in subsequent replies,
so you don't have to upload them again.
- We now provide some basic Articles configuration for new deploys so that
you can start using the feature immediately.
- You can now break up your RT_SiteConfig.pm file into logically-related
chunks under the RT_SiteConfig.d/ directory.
- You can now specify default values at the queue level for certain ticket
fields, including custom fields.
- RT now warns you when you write the word "attach" (or "attached", etc)
but haven't provided any attachments yet, to avoid "sorry, I forgot this
attachment" followup mail.
- RT now understands many more types of "human" date strings.
- Users can now choose any subset of the seven weekdays to receive their
daily dashboard subscriptions.
- The query builder display format panel has seen several improvements;
most importantly adjusting the display columns no longer reloads the
entire page.
- We've added a popout ticket timer for helping you track time inside RT.
The timer is associated with a ticket and will add the time to it for
you.
- RT now ships with keyboard shortcuts primarily for navigating ticket
search results.
- We ship a (disabled-for-upgrades, enabled-for-new-deploys) scrip for
carrying over time worked to parent tickets. Similarly, we ship a scrip for
tracking time worked per user.
- We've added a way to quickly create new linked tickets in queues other than
the one that the current ticket is in.
- There's a new site-level config setting and user preference for hiding
unset fields on ticket display pages.
- Custom fields now have a customizable "entry hint" for helping users
understand what they should be entering as values.
- TicketSQL and the search builder now support Status = 'Active' and
Status = 'Inactive' type queries, so you no longer need to enumerate
all statuses like Status = 'new' OR Status = 'open' OR Status = 'stalled'
- The mailgate has been completely redesigned and modernized.
Additional changes:
General user UI
- Improve and unify display of topactions (new ticket in, simple search,
article search, etc)
- Empty selection boxes no longer render 1px wide (#31316)
- Replace singular use of "Administrative Cc" with "AdminCc"
- Don't display "check box to delete" for every group on queue watcher page
- Don't render empty "Ticket #:" results in bulk update
- Improved the paging links in collection lists (#30374)
- IPv6 custom fields are rendered in their compressed representation
- Queue name on ticket display is now a link to a search for all active
tickets in that queue
- Search builder display format now properly supports "large" sizing
- Display more "show columns" in search builder
- Record transactions for queue changes
- Show queue ID if the user can't see the queue name
- New, modern bookmark star icons to better match ticket timer icon
- If there's a single pending ticket, just show the ticket number (#30692)
- Improve messaging for enabling and disabling custom fields
- Improve messaging for applying a custom field to a queue (#31128)
- Mention which principal and right was granted instead of simply saying
"Right Granted"
- Improve "user already has right" error
- Gray out "(no value)" for custom fields
- Hide "transaction has no content" entries from extract as article
- Improve CSRF whitelist (#31090)
- Make user preferences use label tags for better clickiness (#30953)
- Rename "Quicksearch" (the table of queues) to "QueueList" (#18514)
- When possible sort charts numerically rather than ascii-betically
- Self-service Cc field now allows for autocompleting multiple users
- IP custom field textboxes now wide enough for full IPv6 addresses (#24565)
- Move attachments to below messagebox on bulk update for consistency
- Stop rounding large numbers of hours worked into days
- Add a "chosen" UI for making long lists of select custom field values more
friendly
- Search builder now uses the "chosen" UI for selecting display columns
- Increase MaxInlineBody
- Improved management of mail recipients
- Stop cloning time fields when creating child tickets
- Improve datepicker usage for relative date strings
- Squelching now applies to all updates in the request, instead of only the
initial correspond/comment transaction.
- Sync scrip recipients with non-wysiwyg plaintext editor
Command-line
- Fix for "0" values in bin/rt (#31290)
- rt-email-dashboards now has a --log option
- rt-crontool now allows multiple actions
- Improve structure of multipart mail
Web Administration
- Rights management pages now have gray callout for sections that have
rights granted
- For new installs we now provide a General topic and Content CF for Articles
- Query log now supports Undup and ShowElem params
- Queues now have a sort order
- We no longer delete articles but instead just disable them to help maintain
auditability (#19323)
- Allow ModifyTicket to change nobody to someone else, without OwnTicket
- Select CFs will now suppress "(no value)" option when it's invalid
- Add new ShowAssetsMenu right to manage visibility of Assets feature
Server Administration
- Use MiB rather than MB for attachment size config (GitHub #162)
- ReferrerComponents lets you fine-tune CSRF whitelist and blacklist
- The user shredder now supports a no_ticket_transactions option
- Avoid warnings if users don't have sufficient rights on reminders
- Fix decoding issues (#31155)
- Removed redundant Apache::DBI dependencies (#31210)
- Shred object custom fields when shredding a custom field
- Improve compat and docs for Apache 2.4
- Put temporary files for email parsing in /tmp
- Allow deep namespaces for ScripActions and Conditions
- Copy rt-ldapimport into install-tree sbin
- Avoid DateTime::Locale 1.00 and 1.01; earlier and later versions are OK
Developer
- Upgrade jQuery from 1.9.1 to 1.11.3
- Upgrade jQuery UI from 1.10.0 to 1.11.4
- Upgrade CKEditor from 4.0.1 to 4.5.3
- Removed many unused fields on tickets and users
- Added a Group->Label method for displaying groups in the UI
- Ticket Modify now processes watcher updates
- Support optional inclusion of RT-System and Nobody users in autocomplete
- Transactions now have a ColumnMap
- /User/Prefs.html became /Prefs/AboutMe.html for consistency (#14200)
- We now warn when you forget to undef $mech in tests, which can
cause spurious failures
- Additional callbacks
- Remove mostly-duplicate code for Rules which can never trigger
Documentation
- We've written new documentation for the query builder, dashboards,
reporting, and other related features
- SLA cookbook
- Update documentation to expect that most installations will deploy
fulltext search
- Also remind users that they should set up backups in the README
- Clarify "otherwise your internal links may be broken" (#31117)
- Unify our documentation for upgrading cored extensions
- Switch example for Plugins in RT_Config from ExternalAuth to JSGantt
Internationalization
- Graphing now uses the localization engine in more places
- Update translations for: Basque, Bulgarian, Catalan, Simplified and
Traditional Chinese, Croatian, Czech, Danish, Dutch, Estonian, Finnish,
French, German, Greek, Hungarian, Icelandic, Indonesian, Italian, Japanese,
Latvian, Lithuanian, Norwegian (Bokmal and Nynorsk), Persian, Polish,
Portuguese, Russian, Serbian, Slovak, Slovenian, Spanish, Swedish, and
Turkish...
rt-4.2.12
RT 4.2.12 -- 2015-08-12
RT 4.2.12 contains important security fixes.
https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.12.tar.gz.asc
SHA1 sums
ddbf70752c2b96354caf7687534addf075859d4d rt-4.2.12.tar.gz
8e76c69a56a60afbe0a75673874a1f4510355350 rt-4.2.12.tar.gz.asc
This release is a security release which addresses the following
vulnerabilities:
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via
the user and group rights management pages. This vulnerability is assigned
CVE-2015-5475. It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.
RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack
via the cryptography interface. This vulnerability could allow an attacker
with a carefully-crafted key to inject JavaScript into RT's user interface.
Installations which use neither GnuPG nor S/MIME are unaffected.
A complete changelog is available from git by running:
git log rt-4.2.11..rt-4.2.12
or visiting
rt-4.2.11...rt-4.2.12
rt-4.0.24
RT 4.0.24 -- 2015-08-12
RT 4.0.24 contains an important security fix.
https://download.bestpractical.com/pub/rt/release/rt-4.0.24.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.0.24.tar.gz.sig
SHA1 sums
0588b678cc1f13ae1504e9fffede1b8485d172f7 rt-4.0.24.tar.gz
8f8b69532112aa01d6fe540478de6a7046ad6fb0 rt-4.0.24.tar.gz.sig
This release is a security release which addresses the following
vulnerability:
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via
the user and group rights management pages. This vulnerability is assigned
CVE-2015-5475. It was discovered and reported by Marcin Kopeć at Data Reliance
Shared Service Center.
A complete changelog is available from git by running:
git log rt-4.0.23..rt-4.0.24
or visiting
rt-4.0.23...rt-4.0.24
rt-4.2.11
RT 4.2.11 -- 2015-05-07
RT 4.2.11 is now available.
https://download.bestpractical.com/pub/rt/release/rt-4.2.11.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.11.tar.gz.asc
SHA1 sums
c40063b4265a983343804f2056b22964a8ba7be9 rt-4.2.11.tar.gz
d34d6694462d597d14a474390d335bd2b58f42b8 rt-4.2.11.tar.gz.asc
This release is a bugfix release; most notably, it improves indexing
time for full-text search, as well as improving support for Apache 2.4
and MySQL 5.5. Interactive command-line tools (including upgrade tools)
will now also default to displaying warnings to STDERR, to aid in
awareness of potential errors.
The complete list of changes includes:
General user UI
- If storing a transaction failed, note the failure obviously in the
ticket history (#30419)
- Make sub-menus accessible on screen-readers
- Prevent Dashboard portlet from rendering with too many columns
- Hint that a transaction is Correspondence, using red background, on Jumbo
and Bulk Update pages as well.
- Articles distinction between "no classes exist" and "none visible to user"
(#30638)
- Skip Articles Class selection page if there is only one valid option
(#29975)
- For consistency with other roles, don't attempt to send email
notifications to owners that are disabled
- Improve search performance when searching custom field values on users
- Allow ModifyTicket to change nobody -> someone else, without OwnTicket
- Allow HTML5
andtags for the replacedtag
- Respect the user's chosen units for Time Worked across page loads, instead
of always defaulting to minutes. (#17985)
- In Jumbo, preserve ticket basics so in progress changes persist after
returning to the page
- Make elements styled as .button render the same as other buttons
- Add print styles for button and .button that match other inputs
Command-line
- Default to enabling error warnings to the screen for interactive commands
- Standardize --help, --quiet and --verbose options across tools
- Allow GSSAPI authentication with bin/rt (#25074)
Web Administration
- Don't show rights on role groups rights list which are nonsensical (#30556)
- Support setting multiply-valued custom fields during REST ticket creation
- Fix an infinite loop in multiple-valued custom field parsing
- Recover gracefully on template creation failure (#29021)
- Provide a user-legible representation of the user's GPG key (#25376)
- Ability to change back to "role" UsernameFormat
- Consistently store un-encoded header data for forwards (#29714)
Server Administration
- Improve full-text indexing by 1-2 orders of magnitude, on both PostgreSQL
and MySQL.
- Warn if innodb_log_file_size would limit uploads to < 5M on MySQL 5.5 and later
- Increase the warn threshold on max_allowed_packet to 5M
- Validate lifecycle right name length
- For convenience, allow using the distribution name instead of package
name in Plugin(); for example: Plugin('RT-Extension-SLA')
- Suggest explicit binlog_path for sphinx >= 1.10
- Drop DatabaseRequireSSL option that does nothing; replace with
DatabaseExtraDSN option to allow passing of arbitrary additional
database parameters to the database interface
- Respect configure-time FontPath configuration
- Configurable transaction suppression for EscalatePriority (#29465)
- Switch from Oracle DBA-only tables to tables the user can inspect (#30393)
- Properly handle large IN sql arguments by breaking them up in to separate
statements
Developer
- Deprecate unused RT::Interface::CLI::debug sub
- Standardize and simplify boilerplate for command-line options
- Make rt-validator infinite loop checker actually work
- Add 'mbox' option to $MailCommand which writes mbox-formatted output
- Allow attributes to be set after object creation in initialdata
files (#13036)
- Do not set charset and body on multipart messages in ContentAsMIME (#23671)
- Look harder for content in message/rfc822 parts
- Allow creation of multipart/related via REST, by providing Content-IDs
- Fold RT::Shredder code into core record classes
- Skip Shredder tests on all non-SQLite databases
- Built in HTTP Basic auth and htpasswd support in rt-apache tool
- New callbacks for Ticket/Elements/ShowBasics, AfterTimeEstimated and
AfterTimeWorked
- Use %ARGS values in /Admin/Users/Modify.html to allow callbacks to modify
them (#27655)
- Allow passing SquelchMailTo to Ticket->Create
- Explicitly depend on Class::Accessor::Fast not Class::Accessor
- Add BodyClass parameter to Elements/Header so callbacks can more easily
style only their own pages.
Documentation
- Extend the documentation to support Apache 2.4 deployment
- Attempt to improve reliability in lighttpd by suggesting sockets instead of
TCP connection
- Information on finding and installing plugins
- Information on the new rights interface in the UPGRADING doc (#29515)
Internationalization
- Localize EmailFrequency properties
- Updated localizations (German, Spanish, French, Icelandic, Italian,
Japanese, Lithuanian, Russian, Swedish, Traditional Chinese)
A complete changelog is available from git by running:
git log rt-4.2.10..rt-4.2.11
or visiting
rt-4.2.10...rt-4.2.11
rt-4.2.10
RT 4.2.10 -- 2015-02-26
RT 4.2.10 contains important security fixes, as well as minor bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz.asc
SHA1 sums
92af386e9c09a0e9489ec1cd55b66c65b77d22be rt-4.2.10.tar.gz
8e65ce02b62df85c7d679dab8d4bde8ef343ec48 rt-4.2.10.tar.gz.asc
This release is primarily a security release; it addresses CVE-2014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.
As part of these security updates, RT's dependency on the Encode module
has been changed, to Encode 2.64. If upgrading, be sure to run
rt-test-dependencies to verify that your installed version of Encode
meets this requirement; if not, you will need to install a newer version
from CPAN.
This release is also a bugfix release; most notably, it addresses a bug
which causes RT to generate blank outgoing text/plain parts. This fix
requires installing the HTML::FormatExternal module, and having an
external tool (w3m, elinks, etc) installed on the server.
It also introduces indexed full-text searching for MySQL without the
need to recompile MySQL to use the external Sphinx tool; instead, a
MyISAM table is used for indexing. On MySQL 5.6 and above, an
additional InnoDB table can also be used.
The complete list of changes includes:
General user UI
- Speed up the default simple search on all FTS-enabled installs by not
OR'ing it with a Subject match. This returns equivalent results for
almost all tickets, and allows the database to make full use of the
FTS index.
- Pressing enter in user preference form fields no longer instead
resets the auth token (#19431)
- Pressing enter in ticket create and modify form fields now creates or
updates the ticket, instead of being equivalent to "add more
attachments", or the "search" on People pages (#19431)
- Properly encode headers in forwarded emails that contain non-ASCII
text (#29753)
- Allow users to customize visibility of chart/table/TicketSQL in saved
charts
- Allow groups to be added as requestors on tickets
- Perform group searches case-insensitively on People page (#27835)
- Ticket create transactions for tickets created via the web UI now
contain mocked-up From, To, and Date headers; this causes them to
render more correctly when forwarded
- Update wording of error message for saved searches without a
description (#30435)
- Flush TSV download every 10 rows, for responsiveness
- Retain values in Quick Create on homepage if it fails (#19431)
- Limit the custom field value autocomplete to 10 values, like other
autocompletes (#30190)
- Fix a regression in 4.0.20/4.2.4 which caused some users to have
blank homepages (#30106)
- Fix styling on "unread messages" box on Ballard and Web2 themes
- Fix format of Date headers in RSS feeds (#29712)
- Adjust width of transaction date to accommodate all date formats
(#30176)
- Allow searching for tickets by queue lifecycle
Command-line
- Fix server name displayed at password prompt when RT is deployed at
a non-root path like /rt (#22708)
Admin
- If the optional HTML::FormatExternal module is installed, use w3m,
elinks, links, html2text, or lynx to format HTML to text. This
addresses problems with the pure-Perl HTML-to-text converter which
resulted in blank outgoing emails. (#30176)
- Add support for native (non-Sphinx) indexed full-text search on
MySQL. This uses the InnoDB fulltext engine on MySQL 5.6, and an
additional MyISAM table on prior versions of MySQL.
- Support MySQL database names with dashes in them (#7568)
- Properly escape quotes and backslashes in config options in web
installer (#29990)
- Increase length of template title form input
- Clarify wording on updating old Organization values by rt-validator
- Resolve a runtime error for SMIME without secret keys (#30436)
- Empty email addresses are no longer caught as being "an RT address"
if there exist queues without Correspond addresses set (#18380)
- Allow Parents/Children/Members/MemberOf in CreateTickets action
- Allow RT-Originator to be overridden in templates
- Ensure that HTML-encoded entities are indexed in FTS
- Fix uninitialized value warnings from charts grouped by date
- Remove no-op $CanonicalizeOnCreate configuration variable;
RT::User->CanonicalizeUserInfo is always called
- Make NotifyGroup action respect AlwaysNotifyActor argument
- Fix X-RT-Interface header on incoming email on existent tickets
- Warn on startup if queues have invalid lifecycles set (#28352)
Developer
- Add AfterHeaders callback to ShowMessageHeaders
- Update all upgrade steps to use .in files (#18856)
- Add policy tests to enforce the new upgrade step standards
- Remove +x bit from multiple non-executable files
- Make Obfuscate callback in configuration options be passed the
current user, as was documented
- Remove obsolete _CacheConfig parameters
- Preferentially use IN rather than multiple OR clauses
- Respect RowsPerPage for external custom field values
- Localize default statuses from RT_Config.pm, instead of hardcoding
- Add callbacks within Dates box after each type of Date
- Pass the CustomFieldObj down to CustomFieldValue objects intact, so
its ContextObj can be inspected; this is particularly useful for
external custom fields.
- Allow more than one right per @acl in initialdata
- Don't hardcode share/html in tests, for non-default layouts
- Base detection of new themes on presence of main.css file, not
base.css file (#30554)
- Allow for relative "lib" in @inc when running tests
- Allow EditComponentName customfield callback to alter Rows/Cols
values
Serializer/importer
- Memory usage improvements in both serialization and import
- Templates, Scrips, and ObjectScrips now serialize correctly
when not cloning
Documentation
- Document how to enable un-indexed full-text-search, and its drawbacks
- Note that after restoring from backups, PostgreSQL may need to have
statistics updated
- New documentation on writing portlets
- Add an =pod directive so the first paragraph of UPGRADING is not
skipped
- Clarify when UPGRADING-x.y steps should be run
- Better document known bugs with Sphinx FTS
- Add missing semicolon on Shredder suggested indexes
A complete changelog is available from git by running:
git log rt-4.2.9..rt-4.2.10
or visiting
rt-4.2.9...rt-4.2.10
rt-4.0.23
RT 4.0.23 -- 2015-02-26
RT 4.0.23 contains important security fixes, as well as minor bugfixes.
https://download.bestpractical.com/pub/rt/release/rt-4.0.23.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.0.23.tar.gz.sig
SHA1 sums
1067e0469184a6955e2822967eb7a2e287f7c17b rt-4.0.23.tar.gz
17a153215b95d12e5aa0500d676089aed081d6df rt-4.0.23.tar.gz.sig
This release is primarily a security release; it addresses CVE-2014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.
As part of these security updates, RT's dependency on the Encode module
has been changed, to Encode 2.64. If upgrading, be sure to run
rt-test-dependencies to verify that your installed version of Encode
meets this requirement; if not, you will need to install a newer version
from CPAN.
Other changes include:
General user UI
- Flush TSV download every 10 rows, for responsiveness
- Pressing enter in user preference form fields no longer instead
resets the auth token
- Pressing enter in ticket create and modify form fields now creates or
updates the ticket, instead of being equivalent to "add more
attachments", or the "search" on People pages.
- Retain values in Quick Create on homepage if it fails
Command-line
- Fix server name displayed at password prompt when RT is deployed at
a non-root path like /rt
Admin
- Empty email addresses are no longer caught as being "an RT address"
if there exist queues without Correspond addresses set
- Allow Parents/Children/Members/MemberOf in CreateTickets action
- Allow RT-Originator to be overridden in templates
- Add missing semicolon on Shredder suggested indexes
- Ensure that HTML-encoded entities are indexed in FTS
Developer
- Make Obfuscate callback in configuration options be passed the
current user, as was documented
- Remove obsolete _CacheConfig parameters
- ACL checks are now applied in the ->AddRecord stage, not in ->Next;
this means that collections accessed via ->ItemsArrayRef are now
correctly ACL'd.
Documentation
- New documentation on writing portlets
- Add an =pod directive so the first paragraph of UPGRADING is not
skipped
- Clarify when UPGRADING-x.y steps should be run
A complete changelog is available from git by running:
git log rt-4.0.22..rt-4.0.23
or visiting
rt-4.0.22...rt-4.0.23
rt-4.2.9
RT 4.2.9 -- 2014-10-29
RT 4.2.9 is now available
RT 4.2.9 is a bugfix release and includes a fix needed to release RTIR 3.2.0.
https://download.bestpractical.com/pub/rt/release/rt-4.2.9.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.9.tar.gz.asc
SHA1 sums
f3433d388d59283b4ea28d588af69fd16f870aae rt-4.2.9.tar.gz
248b98bb1a3d6aaa01d55958457505c2f59e38d4 rt-4.2.9.tar.gz.asc
General user UI
- Fix Subject header during ticket printing (#30362)
- Comparisons of long text Custom Fields were erroneously reporting
updates (#30378)
- Broken logo link for the mobile UI when used with $WebPath
- No longer leak base64 data to non-english users who change a Dashboard
subscription and futureproof for other Attribute updates (#24665)
- Previous column selection is remembered when updating search formats (#16972)
- Charts could return quadrupled data for aggregate data (such as Time
Worked) depending on your rights configuration.
- Charts can now be grouped by Priority
- Ticket Creation form now leaves Requestor blank on page reload if you
cleared it out.
Localizations
- "check to delete all values" is now localized
Command-line
- BeforeDue action now accepts 2D as well as 2d (#30449)
- bin/rt no longer shows a default Due date unless one is configured
on the Queue. Additionally, Starts and Due are served in your time
zone (#20334)
Admin
- Improvements to the layout of the Group Members page
Developer
- Fix tests that used send_via_mailgate to properly check returns (#19156)
- Improvements to rt-static-docs for generating online documentation
- Proper warnings testing for cf_date tests
- Remove unused code to render Rules during replies/comments
- Undo a regression that meant Custom Fields passed to Ticket->Create
needed to be readable by the user creating the ticket.
Documentation
- Add a mention of SelfService to the documentation of $AllowUserAutocompleteForUnprivileged
- Update our backups documentation to cover restoring from the suggested
backups.
A complete changelog is available from git by running:
git log rt-4.2.8..rt-4.2.9
or visiting
rt-4.2.8...rt-4.2.9
rt-4.2.8
RT 4.2.8 -- 2014-10-02
RT 4.2.8 contains important security fixes, as well as minor bugfixes.
http://download.bestpractical.com/pub/rt/release/rt-4.2.8.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.2.8.tar.gz.asc
SHA1 sums
6842a1e442e6055ecbae0d443a99361072e45591 rt-4.2.8.tar.gz
375ef344407b54f73730524bef85b4be5b1948e2 rt-4.2.8.tar.gz.asc
This release is primarily a security release; it addresses
CVE-2014-7227, a vulnerability in RT's SMIME integration enabled by
CVE-2015-6271 and related vulnerabilities, known as "Shellshock."
Systems which have patched bash are not vulnerable to CVE-2014-7227.
It also addresses a minor error in the 4.2.7 upgrade step on Oracle; for
Oracle users who had already upgraded to 4.2.7, the 4.2.8 upgrade step
properly runs the same alteration. There is no database change for
non-Oracle installs.
General user UI
- Properly hide ticket list when MoreAboutRequestorTicketList is set to
"None"
Localizations
- Allow text in Squelch box on ModifyPeople page to be translatable.
- Updated German, Basque, French, Hungarian, and Russian translations.
Admin
- Allow $OverrideOutgoingMailFrom to key by queue id, as an alternative
to name
- Stop calling the deprecated _SQLLimit method when limiting by
transaction date
- Stop hiding the value of the AllowLoginPasswordAutoComplete setting
in System Configuration (#30417)
- Resolve CVE-2014-7227, arbitrary execution of code by privileged
users via SMIME by way of CVE-2015-6271.
Developer
- Add a ModifyMaxResults callback for Autocomplete endpoints
- Properly pass collection class to ColumnMap in /Elements/TSVExport
Documentation
- Update POD for AddRoleMember/DeleteRoleMember being in
RT::Record::Role::Roles now, not RT::Record.
A complete changelog is available from git by running:
git log rt-4.2.7..rt-4.2.8
or visiting
rt-4.2.7...rt-4.2.8
rt-4.2.7
RT 4.2.7 -- 2014-09-11
We are pleased to announce that RT 4.2.7 is now available.
http://download.bestpractical.com/pub/rt/release/rt-4.2.7.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-4.2.7.tar.gz.asc
SHA1 sums
bcb0f4c049be68c3cd95fefeea80afc701cb4ff9 rt-4.2.7.tar.gz
d855b2a91055eecd0caf89d78f429d53ff567425 rt-4.2.7.tar.gz.asc
This release is primarily a bugfix release; most notably, it reworks
UTF8 data handling to work with versions of DBD::Pg 3.3.0 and above. On
PostgreSQL, this requires a newer version of DBIx::SearchBuilder.
It also includes a minor database upgrade step; no matter how minor, do
not forget to take (and test) database backups before upgrading.
General user UI
- Fix algorithm for determining which links to display in ticket
relationship graphs with a MaxDepth
- Use "Correspondence added" or "Comment added" rather than the general
"Message recorded"
- Loading saved charts should load all of their settings (#29015)
- Stop fixing the width of "New ticket in" button (#27649)
- Record transactions in ticket history when attachments were dropped
or truncated due to $MaxAttachmentSize
- Still delay transaction loading when "full headers" have been
requested
- Add an "overdue" class on Due columns, to match DueRelative columns.
- Only show "overdue" class if the ticket status is still active
- Fix styling of "There are unread messages" box in aileron
- Keep date and datetime custom field inputs during failed ticket
creation
- Silence warnings from emails without Content-Transfer-Encoding
headers
- Silence warnings on user modify pages for disabled users
- Let custom field grouping boxes on Display pages link to the
appropriate anchor on editing pages (#30195)
Localizations
- Localize "Recursive" column title in group memberships page
- Additional missing locstrings for numerous titleboxes
- Stop translating titles piecemeal in SelfService (#14736)
- Updated Catalan, German, Basque, Italian, Japanese, Dutch, Brazilian
Portuguese, and Russian translations
Command-line
- Reduce values queried using "rt ls" to only those displayed; this
speeds request time significantly when a large number of custom
fields are applied
- Add -s option to "rt comment", to set status when adding a comment or
correspondence (#30375)
Admin
- Add %AdminSearchResultRows configuration for altering the number of
rows per page of object types in the administrative interface
- Add an additional suggested index on Attachments' Creator for
deleting users with Shredder
- Fix rt-dump-metadata, by removing PrivateKey from _Accessible
(#22465)
- Rework internals dealing with characters/bytes, for better internal
consistency, and to support DBD::Pg 3.3.0 and above.
- Provide rt-mailgate version in User-Agent string (#18420)
- Reword errors given for rt-crontool when no valid user is found
(#18621)
- Show the right error message when rt-crontool fails to load a module
(#22991)
- Properly detect when rt-server is called without --listen
- Detect auto-generated mail in the presence of multiple Precedence:
headers
- Strip non-word characters from custom field variable names in Simple
templates; this allows use of custom fields with spaces (#18446)
- Streamline 3.8 -> 4.0 and 4.0 -> 4.2 upgrade steps by reducing the
number of ALTER TABLE calls that are run, adding/dropping multiple
columns at once (#21309)
- Remove LogoImageHeight and LogoImageWidth configuration variables,
which had no effect (#26827)
Developer
- Add a callback to manipulate which link types are displayed on
tickets
- Allow Object to be a subref in @Attributes in initialdata, to allow
for attributes on arbitrary objects
- Ignore vim swap files when testing
- Allow the SuccessfulLogin callback to alter where RT redirects to
- Add a callback to alter arguments to Showhistory
- Consistently use ->_GroupingClass when determining record class for
grouping lookup.
- Allow ->Deprecated to take a loglevel
- Switch from MIME::Head->set(), deprecated for the last 16 years, to
->replace() (#18417)
Documentation
- Correct documentation on where Shredder places sqldump files (#19167)
- Consistently say 1/0 instead of true/false in RT_Config.pm
documentation
- Document how ordering in lifecycle transitions controls ordering in
the status drop-down
A complete changelog is available from git by running:
git log rt-4.2.6..rt-4.2.7
or visiting
rt-4.2.6...rt-4.2.7