RT 4.2.10 released

RT 4.2.10 – 2015-02-26

RT 4.2.10 contains important security fixes, as well as minor bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz.asc

SHA1 sums

92af386e9c09a0e9489ec1cd55b66c65b77d22be rt-4.2.10.tar.gz
8e65ce02b62df85c7d679dab8d4bde8ef343ec48 rt-4.2.10.tar.gz.asc

This release is primarily a security release; it addresses CVE-2014-9472,
a denial-of-service via RT’s email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT’s RSS feeds.

As part of these security updates, RT’s dependency on the Encode module
has been changed, to Encode 2.64. If upgrading, be sure to run
rt-test-dependencies to verify that your installed version of Encode
meets this requirement; if not, you will need to install a newer version
from CPAN.

This release is also a bugfix release; most notably, it addresses a bug
which causes RT to generate blank outgoing text/plain parts. This fix
requires installing the HTML::FormatExternal module, and having an
external tool (w3m, elinks, etc) installed on the server.
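The checks the three paragraphs above ask an upgrading admin to make (verify the tarball against the published sums and the detached signature, confirm Encode is at least 2.64, confirm HTML::FormatExternal and one of the external converters are present) can be scripted. The script below is an added example, not Best Practical's code or part of the announcement. It assumes the release files sit in the current directory under the names published above; the signing key ID is not given on this page, so the signature step only reports what gpg says about whichever key you have imported.

```shell
#!/bin/sh
# Pre-upgrade checks for RT 4.2.10. Added example, not Best Practical's code.
# Digests are copied from the announcement; file names are assumed to match.
set -u

RT_TARBALL="rt-4.2.10.tar.gz"
RT_TARBALL_SHA1="92af386e9c09a0e9489ec1cd55b66c65b77d22be"
RT_SIG_SHA1="8e65ce02b62df85c7d679dab8d4bde8ef343ec48"

# SHA1 of a file; coreutils sha1sum on Linux, shasum on BSD/macOS.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED -> 0 if the digest matches, 1 otherwise.
verify_sha1() {
    vs_file=$1
    vs_expected=$2
    vs_actual=$(sha1_of "$vs_file") || return 1
    if [ "$vs_actual" = "$vs_expected" ]; then
        echo "OK   $vs_file sha1=$vs_actual"
        return 0
    fi
    echo "FAIL $vs_file sha1=$vs_actual expected=$vs_expected" >&2
    return 1
}

# verify_sig TARBALL SIGFILE -> exit status of gpg --verify.
# The SHA1 sums travel over the same channel as the tarball, so a match only
# rules out a corrupt download. The detached .asc signature is what
# authenticates the release, and only if the signing key was fetched and
# checked out of band rather than trusted because it verified.
verify_sig() {
    gpg --verify "$2" "$1"
}

# 4.2.10 requires Encode >= 2.64; 'use Encode 2.64' dies if the installed
# version is older, which is the same test rt-test-dependencies performs.
check_encode() {
    perl -e 'use Encode 2.64; print "Encode $Encode::VERSION ok\n"'
}

# Optional, but without it outgoing text/plain parts can come out blank:
# HTML::FormatExternal plus one of the converters the announcement lists.
check_html_formatter() {
    perl -MHTML::FormatExternal -e 1 2>/dev/null || {
        echo "HTML::FormatExternal not installed (cpanm HTML::FormatExternal)" >&2
        return 1
    }
    for tool in w3m elinks links html2text lynx; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "HTML-to-text converter found: $tool"
            return 0
        fi
    done
    echo "no external HTML-to-text converter (w3m, elinks, ...) found" >&2
    return 1
}

main() {
    status=0
    verify_sha1 "$RT_TARBALL" "$RT_TARBALL_SHA1" || status=1
    verify_sha1 "$RT_TARBALL.asc" "$RT_SIG_SHA1" || status=1
    verify_sig "$RT_TARBALL" "$RT_TARBALL.asc" || status=1
    check_encode || status=1
    check_html_formatter || echo "warning: outgoing text/plain parts may be blank" >&2
    return $status
}

# Run the full checklist only when the release files are actually present.
if [ -f "$RT_TARBALL" ] && [ -f "$RT_TARBALL.asc" ]; then
    main
fi
```

Run it from the directory holding both downloads; a non-zero exit means either a digest or signature mismatch or an Encode that is too old, and the HTML::FormatExternal check is reported as a warning because it only affects outgoing mail rendering, not the security fixes.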

It also introduces indexed full-text searching for MySQL without the
need to recompile MySQL to use the external Sphinx tool; instead, a
MyISAM table is used for indexing. On MySQL 5.6 and above, an
additional InnoDB table can also be used.

The complete list of changes includes:

General user UI

  • Speed up the default simple search on all FTS-enabled installs by not
    OR’ing it with a Subject match. This returns equivalent results for
    almost all tickets, and allows the database to make full use of the
    FTS index.
  • Pressing enter in user preference form fields no longer resets the
    auth token instead (#19431)
  • Pressing enter in ticket create and modify form fields now creates or
    updates the ticket, instead of being equivalent to “add more
    attachments”, or the “search” on People pages (#19431)
  • Properly encode headers in forwarded emails that contain non-ASCII
    text (#29753)
  • Allow users to customize visibility of chart/table/TicketSQL in saved
    charts
  • Allow groups to be added as requestors on tickets
  • Perform group searches case-insensitively on People page (#27835)
  • Ticket create transactions for tickets created via the web UI now
    contain mocked-up From, To, and Date headers; this causes them to
    render more correctly when forwarded
  • Update wording of error message for saved searches without a
    description (#30435)
  • Flush TSV download every 10 rows, for responsiveness
  • Retain values in Quick Create on homepage if it fails (#19431)
  • Limit the custom field value autocomplete to 10 values, like other
    autocompletes (#30190)
  • Fix a regression in 4.0.20/4.2.4 which caused some users to have
    blank homepages (#30106)
  • Fix styling on “unread messages” box on Ballard and Web2 themes
  • Fix format of Date headers in RSS feeds (#29712)
  • Adjust width of transaction date to accommodate all date formats
    (#30176)
  • Allow searching for tickets by queue lifecycle

Command-line

  • Fix server name displayed at password prompt when RT is deployed at
    a non-root path like /rt (#22708)

Admin

  • If the optional HTML::FormatExternal module is installed, use w3m,
    elinks, links, html2text, or lynx to format HTML to text. This
    addresses problems with the pure-Perl HTML-to-text converter which
    resulted in blank outgoing emails. (#30176)
  • Add support for native (non-Sphinx) indexed full-text search on
    MySQL. This uses the InnoDB fulltext engine on MySQL 5.6, and an
    additional MyISAM table on prior versions of MySQL.
  • Support MySQL database names with dashes in them (#7568)
  • Properly escape quotes and backslashes in config options in web
    installer (#29990)
  • Increase length of template title form input
  • Clarify wording on updating old Organization values by rt-validator
  • Resolve a runtime error for SMIME without secret keys (#30436)
  • Empty email addresses are no longer caught as being "an RT address"
    if there exist queues without Correspond addresses set (#18380)
  • Allow Parents/Children/Members/MemberOf in CreateTickets action
  • Allow RT-Originator to be overridden in templates
  • Ensure that HTML-encoded entities are indexed in FTS
  • Fix uninitialized value warnings from charts grouped by date
  • Remove no-op $CanonicalizeOnCreate configuration variable;
    RT::User->CanonicalizeUserInfo is always called
  • Make NotifyGroup action respect AlwaysNotifyActor argument
  • Fix X-RT-Interface header on incoming email on existent tickets
  • Warn on startup if queues have invalid lifecycles set (#28352)

Developer

  • Add AfterHeaders callback to ShowMessageHeaders
  • Update all upgrade steps to use .in files (#18856)
  • Add policy tests to enforce the new upgrade step standards
  • Remove +x bit from multiple non-executable files
  • Make Obfuscate callback in configuration options be passed the
    current user, as was documented
  • Remove obsolete _CacheConfig parameters
  • Preferentially use IN rather than multiple OR clauses
  • Respect RowsPerPage for external custom field values
  • Localize default statuses from RT_Config.pm, instead of hardcoding
  • Add callbacks within Dates box after each type of Date
  • Pass the CustomFieldObj down to CustomFieldValue objects intact, so
    its ContextObj can be inspected; this is particularly useful for
    external custom fields.
  • Allow more than one right per @ACL in initialdata
  • Don’t hardcode share/html in tests, for non-default layouts
  • Base detection of new themes on presence of main.css file, not
    base.css file (#30554)
  • Allow for relative “lib” in @INC when running tests
  • Allow EditComponentName customfield callback to alter Rows/Cols
    values

Serializer/importer

  • Memory usage improvements in both serialization and import
  • Templates, Scrips, and ObjectScrips now serialize correctly
    when not cloning

Documentation

  • Document how to enable un-indexed full-text-search, and its drawbacks
  • Note that after restoring from backups, PostgreSQL may need to have
    statistics updated
  • New documentation on writing portlets
  • Add an =pod directive so the first paragraph of UPGRADING is not
    skipped
  • Clarify when UPGRADING-x.y steps should be run
  • Better document known bugs with Sphinx FTS
  • Add missing semicolon on Shredder suggested indexes

A complete changelog is available from git by running:
git log rt-4.2.9...rt-4.2.10
or visiting
https://github.com/bestpractical/rt/compare/rt-4.2.9...rt-4.2.10

rt-announce mailing list
rt-announce@lists.bestpractical.com
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-announce

RT 4.2.10 – 2015-02-26

RT 4.2.10 contains important security fixes, as well as minor bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz.asc

Gives me a 404 error…

Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
giles@coochey.net


RT 4.2.10 – 2015-02-26

RT 4.2.10 contains important security fixes, as well as minor bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz.asc

Gives me a 404 error…

Both URLs are working correctly for me right now. Are they still failing for you?

-Jesse

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 26 Feb 2015 16:38:10 +0000 Giles Coochey giles@coochey.net wrote:

On 26/02/2015 16:32, Alex Vandiver wrote:

RT 4.2.10 – 2015-02-26

RT 4.2.10 contains important security fixes, as well as minor bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.2.10.tar.gz.asc

Gives me a 404 error…

There was a short period when they hadn’t been moved into place;
apologies for that. As Jesse notes, they should work correctly now.

- Alex

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlTvZr8ACgkQMflWJZZAbqAc9ACcCtnvvM7YEgnXYC3Ynnp01gLs
vvAAn0L9RK340NBxZN3vCHRNjdNXRlkc
=Hxz8
-----END PGP SIGNATURE-----