RT Training in Atlanta — October 23rd and 24th

Our next and final training for 2012 will be held in Atlanta, GA October 23rd and 24th. As we like to keep class sizes relatively intimate, register soon or we may not be able to guarantee you a seat.

To learn more and sign up online, visit our shop.

If you can't make it to this training session, feel free to drop us a line to suggest locations for the future.

What does training cover?

This training will introduce you to the new features in RT4 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, covering rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.


Security vulnerabilities in three commonly deployed RT extensions

We have determined a number of security vulnerabilities in commonly installed RT extensions, enumerated below. You can determine which, if any, of these extensions your RT installation is using by navigating to Configuration → Tools → System Configuration, and examining the "Plugins" configuration setting.

We have released updated versions of each vulnerable extension. Installation instructions for each are included in a README file in each extension's tarball. You need only download and upgrade these extensions if you have a previous version of them installed; RT installations with none of the below extensions installed are not vulnerable, and do not need to take action.

RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are vulnerable to an escalation of privilege attack where the URL of a RSS feed of the user can be used to acquire a fully logged-in session as that user. CVE-2012-2770 has been assigned to this vulnerability.

Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth 0.11, which resolves this vulnerability. Because users of RT 3.8.1 cannot run RT::Authen::ExternalAuth later than 0.08 (due to bugs in plugin handling code in RT 3.8.1), we are also providing a patch which applies to RT::Authen::ExternalAuth 0.08. This patch should only be applied if you are running RT 3.8.1 and RT::Authen::ExternalAuth 0.08. Instructions for applying the patch can be found in the patch file itself.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Authen-ExternalAuth-0.11.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch

RT::FM versions 2.0.4 through 2.4.3, inclusive, are vulnerable to multiple cross-site scripting (XSS) attacks in the topic administration page. CVE-2012-2768 has been assigned to this vulnerability. This release also includes updates for compatibility with RT 3.8.12. As RT 4.0 and above bundle RT::FM's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

http://download.bestpractical.com/pub/rt/release/RTFM-2.4.4.tar.gz

RT::Extension::MobileUI 1.01 and below are vulnerable to multiple cross-site scripting (XSS) attacks. CVE-2012-2769 has been assigned to this vulnerability. As RT 4.0 and above bundle RT::Extension::MobileUI's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Extension-MobileUI-1.02.tar.gz

The README in each tarball contains instructions for upgrading the extension. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.


Best Practical at OSCON

If you'll be attending OSCON in Portland next week, we're teaching a Tutorial on Monday and running the Perl Lightning Talks on Thursday. In between, we'll be enjoying sessions, hanging out in the hallways, manning the TPF booth at the Expo, and sampling some of the local brews (coffee, tea and beer). If you're an RT user or interested in using RT, please stop us for a chat during the conference. You can find us on Twitter as @bestpractical if you want to arrange a meetup.


Security vulnerabilities in RT

Internal audits of the RT codebase have uncovered a number of security vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches include the following:

The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users. This release includes an updated version of the vulnerable-passwords tool, which should be run again to upgrade the remaining password hashes. CVE-2011-2082 is assigned to this vulnerability.

RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information disclosure vulnerabilities. This includes the ability for privileged users to expose users' previous password hashes; this vulnerability is particularly dangerous given RT's weak hashing prior to the fix in CVE-2011-0009. A separate vulnerability allows privileged users to obtain correspondence history for any ticket in RT. CVE-2011-2084 is assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site request forgery (CSRF), in which a malicious website causes the browser to make a request to RT as the currently logged in user. This attack vector could be used for information disclosure, privilege escalation, and arbitrary execution of code. Because some external integrations may rely on RT's previously permissive functionality, we have included a configuration option ($RestrictReferrer) to disable CSRF protection. We have also added an additional configuration parameter ($ReferrerWhitelist) to aid in exempting certain originating sites from CSRF protections. CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option ($RestrictLoginReferrer) to prevent login CSRF, a different class of CSRF attack where the user is silently logged in using the attacker's credentials. $RestrictLoginReferrer defaults to disabled, because this functionality's benign usage is more commonly relied upon and presents less of a threat vector for RT than many other types of online applications.
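As an added illustration (not RT's code) of the policy the options above describe, the gate below decides whether a state-changing request may proceed from its Referer header: requests must originate from RT's own host and port or from an entry in a whitelist. The host:port form of whitelist entries, and blocking a request that carries no Referer at all, are assumptions of this example.

```python
"""Referrer-based CSRF gate modelled on the options in this advisory.

Illustration only, not RT's implementation. Assumed mapping:
  restrict_referrer       -> the $RestrictReferrer switch
  restrict_login_referrer -> the $RestrictLoginReferrer switch (default off)
  whitelist               -> $ReferrerWhitelist entries, assumed as host:port
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def referrer_origin(referer):
    """Normalise a Referer header to 'host:port'; None if absent or unusable.

    The scheme's default port is filled in so that 'https://rt.example.com/'
    and 'https://rt.example.com:443/' compare equal.
    """
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return f"{parts.hostname}:{port}"  # hostname is already lower-cased


def csrf_decision(state_changing, referer, own_host, own_port, whitelist, *,
                  is_login=False, restrict_referrer=True,
                  restrict_login_referrer=False):
    """Return 'allow' or 'block' for one request.

    Read-only requests are never blocked: CSRF is about forged state changes.
    The login form is governed by its own switch, which defaults to off, as
    the advisory describes. When the relevant switch is off, the request
    passes (the escape hatch for integrations that send foreign Referers).
    Otherwise the Referer must name RT itself or a whitelisted host:port; a
    missing or unparsable Referer is blocked (assumption of this example).
    """
    if not state_changing:
        return "allow"
    switch = restrict_login_referrer if is_login else restrict_referrer
    if not switch:
        return "allow"
    origin = referrer_origin(referer)
    if origin is None:
        return "block"
    allowed = {f"{own_host.lower()}:{own_port}"} | {w.lower() for w in whitelist}
    return "allow" if origin in allowed else "block"
```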

RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect rights that a user only has by way of a currently-disabled group. CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack, which allows privileged users to obtain arbitrary information from the database. CVE-2011-4460 is assigned to this vulnerability.

In addition to releasing RT versions 3.8.12 and 4.0.6 which address these issues, we have also collected patches for all releases of 3.8 and 4.0 into a distribution available for download at:

http://download.bestpractical.com/pub/rt/release/security-2012-05-22.tar.gz

The README in the tarball contains instructions for applying the patches. The patches require version 0.68 or higher of FCGI.pm if you are running a FastCGI deployment. A too-low version of this module will manifest as outgoing mail failing to be sent, and errors in the logs resembling:

Could not send mail with command `[...]`:
Can't locate object method "FILENO" via package "FCGI::Stream"

If you need help resolving these security issues, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.


RT 4.0.5 Released

I'm happy to announce that RT 4.0.5 is now available.

This release contains a number of bugfixes and small improvements since the 4.0.4 release; a few of the more notable ones include:

  • Greatly improved print CSS
  • New Config option - HideResolveActionsWithDependencies removes actions such as Resolve from the action menu on tickets with outstanding dependencies
  • New Config option - AutocompleteOwnersForSearch allows admins to force an Owner autocompleter in the Query Builder
  • New Config option - NoTicketInterfaceForApprovals redirects users to the Approvals interface if they visit an Approval ticket in the regular RT UI
  • Improved Simple Search documentation and new 'any' keyword for any status
  • Improved case insensitivity in the User and Custom Field Autocompleters
  • New --enable-ssl-mailgate configure option and rt-mailgate options to assist with setting rt-mailgate up to talk to your SSL-enabled RT server
  • More improvements to email quote detection to handle Outlook quoting
  • The CreateTickets action now supports adding Groups as Watchers
  • httpurl_overwrite no longer inserts spaces into your URLs
  • Added NBSP as a search column in the Query Builder
  • Maintain Approved/Denied state in the radio button on past Approvals
  • Fixes for Bookmarked ticket searches
  • Bugfixes for OverrideOutgoingMailFrom and sending bounces
  • More consistent ordering of Articles
  • Improvements to menu internals, including fixes for Search collections and localization of key names
  • Preserve Content-Disposition when redistributing mail
  • Improved PGP handling for .asc attachments with misleading content-types
  • By default, RT's session cookie will not be available to javascript
  • Allow Charts to be grouped by Told.
  • Test and localization cleanups.


Boston RT Training Reminder — March 5 & 6, 2012

March 2012 will bring a two-day RT training session to our hometown of Boston! To learn more and sign up online, visit our shop.

Drop us a line at training@bestpractical.com with any questions you have or to inquire about discounted pricing for academic institutions.

Our 2012 training session highlights the new features available in RT 4.

Day 1 covers

  • RT basics and concepts, concentrating on giving you an RT vocabulary and introducing you to parts of the basic and admin UI
  • Installing, upgrading and deploying RT
  • Mail and commandline access to RT
  • Escalations and notifications using the backend tools
  • Finding and installing extensions for RT and a walkthrough of common and popular extensions.

Day 2 covers

  • Deeper exploration of the Admin UI covering Users, Groups, ACLs, Lifecycles, Scrips, Templates, Approvals and Articles
  • Database administration and Full Text Searching
  • Using external authentication with your RT
  • Learn to build your own RT extension to apply customizations in a way that minimizes conflicts during an upgrade

A spot at either day costs $995 USD, but you can save 25% if you attend both days of training. That's just $1495 USD!

Reservations

We like to keep class sizes relatively intimate. Please register soon or we may not be able to guarantee you a seat.

When you register, please tell us which date(s) you are registering for, and whether you'd like to register for the whole training session or for only a single day.

If you'd like to pay via credit card, please visit Best Practical's online store. If you'd prefer to reserve a seat and have us bill you, please write to us training@bestpractical.com. Be sure to include the full names and email addresses of all attendees you'd like to register for training.


A tiny Christmas present for the Perl community

PAUSE has long had an SSL certificate signed with a CAcert key. CAcert's aims are noble, but over the past few years, browsers have become incredibly cranky about SSL certificates from all but a few trusted providers.

As a small treat for the Perl community, Best Practical has just bought a "proper" SSL certificate for https://pause.perl.org. We'd like to thank Andreas König for his tireless work to operate and maintain PAUSE and his help in making this happen.


RT Training in Boston — March 5 & 6, 2012

March 2012 will bring a two-day RT training session to our hometown of Boston!

To learn more and sign up online, visit our shop.

Drop us a line at training@bestpractical.com with any questions you have or to inquire about discounted pricing for academic institutions.

What does training cover?

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, workflows and configurability. We'll touch on basic administration, but concentrate largely on helping you and your team get the most out of your RT instance.

The second day of training picks up with RT administration and dives into what you need to safely customize and extend RT. We'll cover point-and-click configuration, upgrading and installing RT, development best practices, RT's API, building an extension, and database tuning.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.


We're hiring! Come hack Perl for Best Practical.

About us

We're Best Practical Solutions, a small software company located in Somerville, MA. We build software and sell support, training, consulting, and custom development. Our main product, RT (Request Tracker), is the premiere open source issue tracking system. We've been around for a decade, and things just keep getting busier.

About the job

We're looking for a Perl hacker to help us enhance and refine our products, as well as to be excellent to our customers. You'll be responsible for everything from implementing new features, to testing and applying user-contributed patches to our released software. In a typical week, you'll probably spend about half your time working on internal and open source projects, and half working on customer projects; this requires good communication skills, as well as a desire to help customers get the most out of our software.

The hours are flexible, and we all telecommute some of the time, though we work from our office in the heart of Davis Square, Somerville on most days. While we do a fair amount of our collaboration in person, you should also be comfortable using email and instant messaging to coordinate and get work done, as we have a few employees in other parts of the globe.

About you

You should be a self-starter who has solid experience with Perl, as well as some experience with at least a few of the following buzzwords:

  • Open source development practices (code review, backcompat)
  • Distributed source control (git, branching, patches)
  • Test driven development (smoke testing, Test::More)
  • User interface design (HTML, CSS)
  • Documentation (user-facing, API)
  • Javascript (jQuery, events, AJAX)
  • SQL databases (MySQL, PostgreSQL, Oracle, SQLite)
  • Optimization, profiling, and debugging (nytprof)
  • UNIX systems administration (webservers, mailservers)

It's okay if you don't know everything out of the gate, but you should be able to learn on the fly and be comfortable asking questions when you get in over your head. RT is a large codebase to dive into, so you should be prepared to work with a project that's too big to hold in your head all at once. If you want to see what sort of trouble you're getting yourself into, you can find all of our open source code on github.

We're a small company; you should be comfortable working both independently and in small teams, and prioritizing tasks on your own. Being able to task-switch efficiently and juggle several projects at once is a necessity.

Compensation

DOE - This is a full-time salaried position, but the details are negotiable. We're a small, self funded company. The standard benefits apply, of course: health insurance, dental insurance, and junk food to make that dental insurance worthwhile.

How to apply

Send something approximating a cover letter, a resume in plain text, HTML or PDF, and a sample of some code you've written to resumes@bestpractical.com. If you're involved in open source development of one kind or another, please tell us about it. If you have a CPAN ID tell us what it is; we won't consider applications without some sort of code example to look at. We'll be paying particular attention to the readability, comments, and tests.


RT 4.0.4 Released, fixes RT 3 -> 4.0.3 upgrade regression

RT 4.0.3 contained a serious bug wherein upgrades from any version of RT 3 to RT 4.0.3 broke template interpolation; please do not use it. If you had previously upgraded from RT 3 to RT 4.0.0, 4.0.1, or 4.0.2, before upgrading to RT 4.0.3, you are not affected by this bug.

If you are currently running RT 4.0.3 and are affected by this issue, upgrading to RT 4.0.4 will resolve it.

Download it here
