RT 4.2.16 Beta 1 Now Available

Jim_Brandt · February 1, 2019, 7:56pm

RT 4.2.16beta1 is now available for testing. The list of changes
included with this release is below. The most notable changes in
this release are security updates which are mostly in RT dependencies
and not RT itself.

https://download.bestpractical.com/pub/rt/devel/rt-4.2.16beta1.tar.gz
https://download.bestpractical.com/pub/rt/devel/rt-4.2.16beta1.tar.gz.asc

SHA-256 sums

ca0f114fa5c7af84d5c5e2652bda1ab144653a783fbb711d17d26299db64b708 rt-4.2.16beta1.tar.gz
a8136c9c85dea43e771dd92b63162c704ad9a76661d9021744d49e0b6437f557 rt-4.2.16beta1.tar.gz.asc

Security Updates

One of RT’s dependencies, the Perl module Email::Address, has a denial of service vulnerability which could induce a denial of service of RT itself. We recommend updating to Email::Address version 1.912 or later. The Email::Address vulnerabilities are assigned CVE-2015-7686 and CVE-2015-12558. CVE-2015-7686 was addressed in RT with a previous update. Email::Address version 1.912 addresses both of these CVEs with updates directly in the source module. Thanks to Ricardo Signes for helping us with these updates.
One of RT’s dependencies, the Perl module Email::Address::List, relies on and operates similarly to Email::Address and therefore also has potential denial of service vulnerabilities. These vulnerabilities are assigned CVE-2018-18898. We recommend administrators install Email::Address::List version 0.06 or later. Thanks to Lukas Kramer for reporting the issue and Alex Vandiver for contributing fixes.
An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML in some cases. Since RT relies on this module to escape HTML content, it’s possible this issue could allow malicious HTML to be displayed in RT. For RT’s using this optional module, we recommend administrators install HTML::Gumbo version 0.18 or later. Thanks to Ruslan Zakirov for updating this module.
The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting (XSS) vulnerability when using cross-domain Ajax requests. This vulnerability is assigned CVE-2015-9251. RT does not use this jQuery feature so it is not directly vulnerable. jQuery version 1.12 no longer receives official updates, however a fix was posted with recommendations for applications to patch locally, so RT will follow this recommendation and ship with a patched version.

A complete changelog is available from git by running:
git log rt-4.2.15…rt-4.2.16beta1
or visiting
Comparing rt-4.2.15...rt-4.2.16beta1 · bestpractical/rt · GitHub

Petr_Hanousek · February 5, 2019, 9:10pm

Hello Jim,
could you please add to this release the newer version of rt-validator as you have in version 4.4.4? And also “Add script to automatically update DB sequences to the next available value. Useful when using serializer/importer to clone from one DB type to another.”
Thank you, Petr