RT 4.4.4beta2 is now available for testing. The list of changes included with this release is below. The most notable changes in this release are security updates, mostly in RT dependencies, and the addition of new features to address GDPR compliance.
One of RT’s dependencies, the Perl module Email::Address, has a denial of service vulnerability that could be used to cause a denial of service of RT itself. We recommend updating to Email::Address version 1.912 or later. The Email::Address vulnerabilities are assigned CVE-2015-7686 and CVE-2015-12558. CVE-2015-7686 was addressed in RT with a previous update. Email::Address version 1.912 addresses both of these CVEs with updates directly in the source module. Thanks to Ricardo Signes for helping us with these updates.
One of RT’s dependencies, the Perl module Email::Address::List, relies on and operates similarly to Email::Address and therefore also has potential denial of service vulnerabilities. These vulnerabilities are assigned CVE-2018-18898. We recommend administrators install Email::Address::List version 0.06 or later. Thanks to Lukas Kramer for reporting the issue and Alex Vandiver for contributing fixes.
An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML in some cases. Since RT relies on this module to escape HTML content, it’s possible this issue could allow malicious HTML to be displayed in RT. For RT installations using this optional module, we recommend administrators install HTML::Gumbo version 0.18 or later. Thanks to Ruslan Zakirov for updating this module.
The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting (XSS) vulnerability when using cross-domain Ajax requests. This vulnerability is assigned CVE-2015-9251. RT does not use this jQuery feature, so it is not directly vulnerable. jQuery version 1.12 no longer receives official updates; however, a fix was posted with recommendations for applications to patch locally, so RT will follow this recommendation and ship with a patched version.
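As an added check that is not part of the RT release, the following Perl script lets an RT administrator confirm that the installed dependency versions meet the minimums named above. It assumes each module reports its version through the standard $VERSION mechanism and treats the optional HTML::Gumbo as acceptable when it is not installed at all; the patched jQuery ships inside RT itself and is not checked here.

```perl
#!/usr/bin/perl
# Added example (not part of the RT distribution): audit the CPAN dependencies
# called out in the RT 4.4.4beta2 announcement against the recommended minimums.
use strict;
use warnings;
use version;

# Minimum versions as stated in the announcement; the third field marks the
# module as optional, so "missing" is reported but not counted as a problem.
my %minimum = (
    'Email::Address'       => [ '1.912', 0 ],
    'Email::Address::List' => [ '0.06',  0 ],
    'HTML::Gumbo'          => [ '0.18',  1 ],
);

my $problems = 0;
for my $module ( sort keys %minimum ) {
    my ( $want, $optional ) = @{ $minimum{$module} };

    # Convert Foo::Bar to Foo/Bar.pm and load it; a load failure means missing.
    ( my $file = "$module.pm" ) =~ s{::}{/}g;
    my $loaded = eval { require $file; 1 };
    if ( !$loaded ) {
        printf "%-22s missing%s\n", $module, $optional ? " (optional)" : "";
        $problems++ unless $optional;
        next;
    }

    # UNIVERSAL::VERSION returns the package's $VERSION; compare as versions,
    # not as strings, so 1.912 is correctly judged newer than 1.9.
    my $have = $module->VERSION // '0';
    my $ok   = version->parse($have) >= version->parse($want);
    printf "%-22s %-8s %s\n", $module, $have,
        $ok ? "ok" : "UPDATE to $want or later";
    $problems++ unless $ok;
}

# Non-zero exit so the script can gate an upgrade or run from a cron job.
exit( $problems ? 1 : 0 );
```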
EU General Data Protection Regulation (GDPR)
Several new features were added to support GDPR compliance and are summarized here.
See the new GDPR documentation for details on the new features.
- Provide ways to download user data to format-neutral tsv files.
- Provide ways to anonymize or remove users.
- Provide a tool to remove PII from transaction history.
- Allow self service users to optionally view and edit their personal data.
General user UI
- Don’t skip sending mail if there are attached tickets.
- Handle legacy PGP Partitioned format for Outlook-style messages.
- Improve visuals of self service “Go to Ticket” box (I#31794).
- Add SLA to query builder options.
- Improve message when applying/removing custom roles from queues (I#32695).
- Wipe out related transactions on custom field shred.
- Add option to disable escaping HTML in articles (I#32374).
- Add keyboard shortcuts for reply and comment on ticket display page.
- Improve message for adding/deleting a new custom field value (I#32695).
- Make each transaction in history display below previous transactions (CSS bug fix).
- Avoid overflowing ticket subject in “Recently Viewed” menu on ballard theme.
- Better align input boxes and login button.
- Omit disabled users and groups from dashboard subscription page.
- Don’t return search results for disabled custom fields (I#33972).
- Add some style to web UI shredder pages.
- Render charts properly when searching with queue custom fields (I#32564).
- On user prefs page, show system default values for Timezone and Lang when unset.
- Templatize and install rt-search-attributes utility.
- Allow rt-setup-fulltext-index to prompt for dba password.
- Allow rt-validator to delete txns of reminder changes if reminders don’t exist.
- Allow rt-validator to delete txns of custom field changes if CFs don’t exist.
- Let rt-validator check more owner change txns.
- Add default CSS in theme editor for heading font colors.
- Pass UTF-8 decoded data to Create method for rt-importer on Pg.
- Check SeeGroup on individual group admin pages.
- Standardize error message for failed dashboard load.
- Clarify email recipients in dryrun debug message for dashboard email.
- Skip disabled users when sending dashboard subscriptions.
- Allow multiple search criteria on group and user admin pages.
- Fix cursor url for #logo-color-picker on theme editor page.
- Fix logo color picker setup for Chrome.
- Use full path for processing index files on upgrades.
- Update rt-dump-metadata for the AppliedTo => AddedTo method name change.
- Filter out expired SMIME keys.
- Add script to automatically update DB sequences to the next available value. Useful when using serializer/importer to clone from one DB type to another.
- Include only ticket lifecycles for Status = ‘Active’.
- Update article postfix loops from using $_ to a named variable.
- Avoid duplicated items in index.html when generating online docs.
- Don’t endlessly try to terminate apache processes in tests.
- Provide a results array to pass messages to ListActions for asset create.
- Copy lifecycle array before iterating and possibly modifying.
- Load RT::ObjectCustomFieldValues to prevent web installer errors.
- Add a class based on custom field name to allow for easier custom styling.
- Test lifecycle rights with optional context object to allow for role rights.
- Remove signature feature from SelfService prefs since self service users can’t have a sig.
- Don’t search empty attribute values in CanonicalizeUserInfoFromExternalAuth.
- Add column to transaction column map for content.
- Update AddTicket to force multipart/mixed email when attaching tickets to email.
- Require Encode::HanExtra in RT::Attachment::EncodedHeaders when necessary.
- Add caching to the queue list portlet to improve performance on RT at a glance.
- Update session testing method when testing on Oracle to avoid hanging tests.
- Correctly call ProcessObjectCustomFieldUpdates with Object rather than TicketObj.
- Add callbacks for modifying custom role lists.
- Add ARGSRef parameter to the IncludeArticle callback.
- Add callback ‘BeforeTitle’ to change history titlebox.
- Add BeforeCreate callback for user admin page.
- Apply dynamic tr classes on NEWLINE in Row callback (thanks to Michael Friedrich).
- Add BeforeDeleteLink callback for AddAttachments.
- Add GDPR documentation.
- Add custom roles documentation.
- Update query builder docs to explain NOT NULL in CF searches.
- Update database version notes in README.
- Add and display a Synopsis for the user shredder plugin.
- Clarify failed resolver error message for user shredder plugin.
A complete changelog is available from git by running:
git log rt-4.4.3...rt-4.4.4beta2