Register now for Request Tracker (RT) training in New York this October

Our third training for 2013 will be held in New York, NY on October 8th and
9th. As we like to keep class sizes relatively intimate, register soon or we
may not be able to guarantee you a seat. If you can't make it to this training
session, feel free to drop us a line to suggest locations for the future.

This training will introduce you to the new features in RT 4.2 as part of a
comprehensive overview of RT. Whether you're an old hand at RT or a recent
convert, you'll have a good understanding of all of RT's features and
functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a
detailed exploration and explanation of RT's functionality, aimed at
non-programmer RT administrators. We'll walk through setting up a common
helpdesk configuration, covering rights management, constructing workflows and
notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and
dives into what you need to safely customize and extend RT. We'll cover
upgrading and deploying RT, database tuning, advanced Lifecycle configurations,
writing tools with RT's API, building an extension, and demonstrating how to
extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend
both days of the course, but we've designed the material so that you can step
out after the first day with a dramatically improved understanding of how to
use RT or show up on the second day and get quickly up to speed on how to make
RT do your bidding.

Each class includes training materials, a continental breakfast, and an
afternoon snack (lunch is not provided).

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store.
Unfortunately we are unable to accept American Express or PayPal. If you'd
prefer to pay with a purchase order, please email us at
training@bestpractical.com. Be sure to include:

  • If you want to attend both days or a single day
  • Full names and email addresses of attendees

Please also contact us at training@bestpractical.com for discounted pricing if
you are from an academic institution or if you'd like to send more than 3
people.


RT Training at Ohio LinuxFest 2013

Best Practical is happy to announce we're doing RT training this year at the Ohio LinuxFest in Columbus. Ohio LinuxFest Institute, the training portion of the conference, runs all day on Friday, September 13. We'll be presenting RT Basics in the morning and a more in-depth RT Customization class in the afternoon. Registration entitles you to one morning and one afternoon class, so you could even attend both! We'll also be around during the conference on Saturday to answer questions and talk about RT and RTIR.


RT for Incident Response 3.0.0 Released

RTIR 3.0.0 is now available.

RTIR 3.0 is fully compatible with the RT 4.0 series. It takes advantage of many new native RT features to remove complexity and ease future development.

This RTIR release requires RT 4.0.14, but we recommend installing the latest RT release available (4.0.17 at this time) as it repairs a few regressions in the upgrade path.

Please review all of the documentation in docs/UPGRADING and corresponding docs/UPGRADING-* files relevant to your current RTIR version.

You may also review the upgrading documentation at http://www.bestpractical.com/docs/rtir/3.0/

With the release of RTIR 3.0.0, the RTIR 2 series has officially entered maintenance mode. For more details about this and future RTIR release scheduling, we have published a blog post.

A permanent changelog is available.


RT 4.0.16 released

RT 4.0.16 is now available.

This release fixes an important regression in the Shredder tool included in 4.0.14 and 4.0.15. Attempting to run the Shredder tool from the command line would fail with a compile-time error.

A complete changelog is available.


RT 4.0.15 Released

RT 4.0.15 is now available.

This release fixes an important regression in the upgrade scripts included in 4.0.14. If you attempted to upgrade from 3.8 with the RT FAQ Manager tables (FM_*) in your database, one of the upgrade scripts would error out.

If you were planning to upgrade from 3.8 using 4.0.14, please use 4.0.15 instead. If you have already upgraded to 4.0.14, there is no functional change in 4.0.15.

A permanent changelog is available.


RT 4.0.14 Released

I'm pleased to announce that RT 4.0.14 is now available.

This release is primarily a bugfix release. It also contains automated tests for the security vulnerabilities announced earlier.

A complete changelog is available.


RTIR Release Scheduling

As the next major version of RT for Incident Response (RTIR) is in final testing before release, we wanted to document our plans for the current RTIR release series.

RTIR 3.0 will join RT 4.0 as our stable series and will receive regular bugfix releases. All new development will be centered on RTIR 3.2 which will be compatible with RT 4.2 (the current RT development series).

Once RT 4.2 and RTIR 3.2 are released, we expect that RTIR 2.4 and 2.6 will follow the same end-of-life schedule as RT 3.8 and the RT FAQ Manager announced here.

At this time, RTIR 2.4 and 2.6 are only receiving security or critical bugfixes, such as these patches.

If you would like to help test the next RTIR release, the third release candidate is available.


We're coming to Seattle for training in June

Our next public training is happening in Seattle on June 19th and 20th. Join us and learn from the experts how to get the most out of RT as a user and administrator, as well as a preview of what's to come in RT 4.2. Whether you're a native of the Pacific Northwest or will be flying in from afar, you'll leave our two-day training class with a much better understanding of the features, functionality, and administration of RT. Interested? Find more details here or sign up today!


Security vulnerabilities in RT

We discovered a number of security vulnerabilities which affect both RT 3.8.x and RT 4.0.x. We released RT versions 3.8.17 and 4.0.13 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.17, 4.0.13, and the below patches include the following:

RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to unauthorized modification of ticket data. The DeleteTicket right and any custom lifecycle transition rights may be bypassed by any user with ModifyTicket. This vulnerability is assigned CVE-2012-4733.

RT 3.8.0 and above include a version of bin/rt that uses semi-predictable names when creating tempfiles. This could possibly be exploited by a malicious user to overwrite files with permissions of the user running bin/rt. This vulnerability is assigned CVE-2013-3368.
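RT's bin/rt is a Perl tool, so the following is not RT code; it is an added Python illustration of the pattern that closes the temp-file hole described above: let the library choose an unpredictable name and create the file with O_CREAT|O_EXCL and mode 0600, so a file that already sits at a guessed name (or a symlink placed there) is never opened and truncated. The `demo` helper and the `rt-` prefix are assumptions for this example.

```python
import os
import stat
import tempfile
from typing import Optional


def create_private_tempfile(directory: Optional[str] = None, prefix: str = "rt-") -> str:
    """Create a temporary file safely and return its path.

    tempfile.mkstemp picks a random name and opens it with O_CREAT|O_EXCL and
    mode 0600 on POSIX, so nobody can pre-create or symlink the name we end up
    writing to.  The caller owns the file and must remove it.
    """
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    os.close(fd)
    return path


def is_private_regular_file(path: str) -> bool:
    """True when path is a regular file (not a symlink) and only its owner may read/write it."""
    st = os.lstat(path)  # lstat: a symlink must not pass as a regular file
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def open_exclusive(path: str) -> bool:
    """Try to create path with O_EXCL; return False when something already exists there.

    This is exactly the check a predictable-name scheme lacks: a plain
    open(path, "w") would silently truncate an existing file, or follow a
    symlink to one, with the privileges of the user running the tool.
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def demo() -> dict:
    """Create a private temp file, verify its properties, and clean up (constructed demo)."""
    path = create_private_tempfile()
    try:
        return {
            "private": is_private_regular_file(path),
            # A second exclusive create at the same name must be refused.
            "exclusive_reuse_refused": not open_exclusive(path),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())  # {'private': True, 'exclusive_reuse_refused': True}
```

The same two properties (unguessable name, exclusive create) are what a reviewer checks for in any language; in Perl the equivalent is File::Temp rather than a hand-built name under /tmp.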

RT 3.8.0 and above allow calling of arbitrary Mason components (without control of arguments) for users who can see administration pages. This could be used by a malicious user to run private components which may have negative side-effects. This vulnerability is assigned CVE-2013-3369.

RT 3.8.0 and above allow direct requests to private callback components. Though no callback components ship with RT, this could be used to exploit an extension or local callback which uses the arguments passed to it insecurely. This vulnerability is assigned CVE-2013-3370.

RT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via attachment filenames. The vector is difficult to exploit due to parsing requirements. Additionally, RT 4.0.0 and above are vulnerable to XSS via maliciously-crafted "URLs" in ticket content when RT's "MakeClicky" feature is configured. Although not believed to be exploitable in the stock configuration, a patch is also included for RTIR 2.6.x to add bulletproofing. These vulnerabilities are assigned CVE-2013-3371.

RT 3.8.0 and above are vulnerable to an HTTP header injection limited to the value of the Content-Disposition header. Injection of other arbitrary response headers is not possible. Some (especially older) browsers may allow multiple Content-Disposition values which could lead to XSS. Newer browsers contain security measures to prevent this. Thank you to Dominic Hargreaves for reporting this vulnerability. This vulnerability is assigned CVE-2013-3372.

RT 3.8.0 and above are vulnerable to a MIME header injection in outgoing email generated by RT. The vectors via RT's stock templates are resolved by this patchset, but any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines. This vulnerability is assigned CVE-2013-3373.
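Both the Content-Disposition issue (CVE-2013-3372) and the mail-template issue (CVE-2013-3373) come down to the same defect: a CR or LF inside a value that is interpolated into a header terminates that header and starts another. The block below is an added Python example, not RT's (Perl) code, showing the check the advisory asks template authors to apply. The `render_headers` serializer, its `sanitize` switch and the constructed `TAINTED_SUBJECT` are assumptions made for the demonstration.

```python
import re

# CR and LF end a header line in both HTTP (RFC 7230) and MIME (RFC 5322), so any
# of them inside an interpolated value lets that value start a new header.
_LINE_BREAK = re.compile(r"[\r\n]")


def header_value_is_safe(value: str) -> bool:
    """True when value contains no CR/LF and may be interpolated into a header."""
    return _LINE_BREAK.search(value) is None


def sanitize_header_value(value: str) -> str:
    """Replace each run of CR/LF (and any folding whitespace after it) with one space.

    Stripping rather than rejecting keeps user text usable in a Subject-style
    header while removing the ability to terminate the header early.
    """
    return re.sub(r"[\r\n]+[ \t]*", " ", value).strip()


def content_disposition(filename: str) -> str:
    """Build an attachment Content-Disposition value from an untrusted filename.

    Line breaks are removed so no second header can be appended, and backslashes
    and double quotes are escaped so the name cannot close the quoted-string.
    """
    clean = sanitize_header_value(filename)
    clean = clean.replace("\\", "\\\\").replace('"', '\\"')
    return f'attachment; filename="{clean}"'


def render_headers(headers: dict, sanitize: bool = True) -> str:
    """Serialize a header block the way a template engine interpolates values.

    sanitize=False exists only to show the failure mode: a value carrying an
    embedded CRLF comes out as an additional header line.
    """
    lines = []
    for name, value in headers.items():
        if sanitize:
            value = sanitize_header_value(value)
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n"


def header_count(block: str) -> int:
    """Number of header lines a receiver would parse from a serialized block."""
    return len([line for line in block.split("\r\n") if line])


# Constructed sample input: a ticket subject carrying an embedded CRLF.
TAINTED_SUBJECT = "Printer jam\r\nX-Injected: yes"

if __name__ == "__main__":
    naive = render_headers({"Subject": TAINTED_SUBJECT}, sanitize=False)
    safe = render_headers({"Subject": TAINTED_SUBJECT})
    print(header_count(naive), "header(s) from the naive template")  # 2
    print(header_count(safe), "header(s) after sanitizing")          # 1
    print(content_disposition('report".txt'))
```

When auditing a custom RT template, the question to ask of every `{ ... }` interpolation that lands in a header is whether the value has passed through a check like `header_value_is_safe` or `sanitize_header_value`; body interpolations are unaffected by this class of bug.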

RT 3.8.0 and above are vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. RT's default session configuration only uses Apache::Session::File for Oracle. RT instances using Oracle may be locally configured to use the database-backed Apache::Session::Oracle, in which case sessions are never re-used. The extent of session re-use is limited to information leaks of certain user preferences and caches, such as queue names available for ticket creation. Thank you to Jenny Martin for reporting the problem that led to discovery of this vulnerability. This vulnerability is assigned CVE-2013-3374.

In addition to releasing RT versions 3.8.17 and 4.0.13 which address these issues, we also collected patches for all releases of 3.8.x and 4.0.x into a download available at:

http://download.bestpractical.com/pub/rt/release/security-2013-05-22.tar.gz

The README in the tarball contains instructions for applying the patches. If you need help resolving these issues locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.

Versions of RT older than 3.8.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.


RT Training in Seattle, Washington — June 19th & 20th

Best Practical Solutions provides unparalleled instruction in how to get the most out of RT.

Our second training of 2013 will be held in Seattle, Washington on June 19th & 20th. Space is limited, so RSVP as soon as possible so we can guarantee you a seat.

This training will introduce you to the new features in RT 4 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, covering rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrating how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.

Pricing and Payment

The cost of the class includes training materials, a continental breakfast and an afternoon snack. Please note that lunch will not be provided.

Single Day - USD 995
Both Days - USD 1495 (25% savings)

To Register

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately we are unable to accept American Express or PayPal.

If you'd prefer to pay with a purchase order, please email us at training@bestpractical.com. Be sure to include:

  • If you want to attend both days or a single day
  • Full names and email addresses of attendees

Please also contact us at training@bestpractical.com for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.

Future training locations

If you can't make it to this training session, feel free to drop us a line to suggest locations for the future.
