RT Documentation Now Online

In the past, the best source for RT documentation was the codebase itself, where you could use the trusty perldoc command to find all of the embedded documentation. You also had the RT Essentials book for general concepts and architecture.

These days, most of us are very used to tabbing into our browser's search box and asking the internet to magically find the answers to our vaguely worded questions. Searches for RT questions typically find the community wiki, mailing list archives, and occasionally a link to source code in Github.

Today this changes.

All of the documentation embedded in the RT source is now easily accessible on the Best Practical website, and web searches will start to return results that link to official documentation. Each page indicates which RT version it's for, so you can tell at a glance whether it matches the version you run. We'll be updating the site with documentation for each currently supported major version of RT going forward.

What's There

The documentation is in a few major categories:

  • Install and Upgrade: for getting started or moving to a new version

  • User: aimed at explaining features and how to do things

  • Utilities: docs for all of the utilities delivered with RT, from the rt command-line interface tool to rt-crontool to rt-server

  • Developer: core documentation on all of the Perl modules that make up RT

  • Actions and Conditions: core RT actions and conditions available for Scrips and rt-crontool

More to Come

Even though this documentation has been public and available for years, publishing it to the web site gives it a new level of visibility. This shows where our docs need some work (yes, we see it too). We'll continue to improve, correct, and add to the documentation over time.

You can help by submitting documentation patches if you find areas that could be improved or are incorrect. The published docs include instructions for getting started with contributing patches. You can also browse the code and docs on Github and use their web editing feature to make changes and submit pull requests easily.

We hope you find the docs useful. Let us know what you think.


Release Scheduling

We're currently hard at work on the next major version of Request Tracker (RT 4.2) and we want to share our plans for the current RT release series.

As our current stable release, RT 4.0 will continue to receive regular bugfix releases. All new features are targeted for 4.2. This allows us to provide a consistent and stable upgrade path within the 4.0 series.

At this time, RT 3.8 will only be receiving security or critical bugfixes. When we release 4.2, we will announce an end of life schedule for 3.8.

The RT FAQ Manager was integrated into RT 4.0 as the Articles feature. Once RT 3.8 is no longer supported, support will also cease for RTFM.

With the release of 4.2, we also plan to stop fixing bugs for certain old and outdated web browsers. In particular this means IE6, but may also include other browsers that cause us maintenance problems. We will not actively break compatibility with these browsers, but we will not be developing patches to fix them.


RT 4.0.7 Released

I'm happy to announce that RT 4.0.7 is now available.

This release contains a number of bugfixes since the 4.0.6 release. In particular, we have adjusted the CSRF warning for a few pages based on user feedback.

This release bumps dependencies on Email::Address, FCGI and IPC::Run so please make sure to run 'make testdeps' and if required 'make fixdeps' before upgrading. Running 'make upgrade' will also check your installed versions for errors.

Security

  • Bump the FCGI dependency to a version which closes CVE-2011-2766. The 4.0 series did not specify a minimum FCGI version, so a vulnerable release of the perl FCGI module may have been installed when you set up an earlier 4.0.x release.

Features

  • Allow specification of your CSRF Whitelist Referrer using *.example.com
  • Allow searching for tickets associated with articles using a:42
  • Upgrade our Date/Time picker JS, allow unsetting of CFs
  • Improve display of circularly linked tickets
  • Optimize the large table changes between 3.2 and 3.4 for MySQL
  • Provide a better error if your CreateTickets template is malformed
  • Add the ExtractTicketId function to make customizing ticket id matching easier

Bugfixes

  • Don't trust emails that claim to be UTF-8; convert them to UTF-8 before storing
  • Fix a shredder bug when deleting a user and replacing it with another user
  • Remove CSRF restrictions on search results page
  • Ensure that TransactionBatch scrips always run in the RT::System context rather than having some sub-objects in the original user's context.
  • Better display of multipart/related mail
  • Remove some warnings when running under Perl 5.16
  • Better errors when viewing approvals without rights
  • Bring back rounded corners on Firefox >= 13 by using the standard border-radius property
  • $Users->LimitCustomField now ignores disabled ObjectCustomFieldValues properly (same for other non-ticket objects).
  • Versions of IPC::Run < 0.90 could truncate labels on charts that contain UTF-8 characters
  • Fix a rendering issue where certain emails would cause the history to render progressively more staggered to the right
  • Make owner:falcone and owner:falcone@example.com work
  • CF.{Foo} TicketSQL searches are now case insensitive on Pg and Oracle
  • Tickets with Unicode subjects created through the Web UI could end up being corrupted on reply because of other headers passed to MIME::Head
  • Ignore DECRYPTION_INFO from GnuPG 1.4.12
  • Record LastUpdated(By) on Scrips
  • Simple Search now handles Custom Fields with dashes
  • Remove another hardcoded use of 'resolved' in the mailgate unsafe actions
  • When deleting dashboards, also delete subscriptions
  • Fix rendering of links from bin/rt
  • Don't allow ticket creation if your REST form contains an unknown field
  • Skip users with empty email addresses in autocompletion
  • Loosen our detection of mobile browser to search for the word 'mobile'
  • Don't provide a charset on download of binary attachments
  • Fix UseSideBySideLayout to not be cached across users
  • Ensure that article searches are case insensitive
  • QueueSummaryByStatus now uses the improved code from QueueSummaryByLifecycle

A complete changelog is available from git by running

git log rt-4.0.6..rt-4.0.7

or visiting

https://github.com/bestpractical/rt/compare/rt-4.0.6...rt-4.0.7

although GitHub will not load all of the commits.


RT 3.8.14 Released

I'm happy to announce that RT 3.8.14 is now available.

This release contains two fixes related to the 3.8.12 security release.

Access to search results URLs is now CSRF whitelisted, based on user feedback. An error in rt-email-dashboards has been corrected.

A complete changelog is available from git by running:

git log rt-3.8.13..rt-3.8.14

or on github with

https://github.com/bestpractical/rt/compare/rt-3.8.13...rt-3.8.14


RT Training in Atlanta — October 23rd and 24th

Our next and final training for 2012 will be held in Atlanta, GA October 23rd and 24th. As we like to keep class sizes relatively intimate, register soon or we may not be able to guarantee you a seat.

To learn more and sign up online, visit our shop.

If you can't make it to this training session, feel free to drop us a line to suggest locations for the future.

What does training cover?

This training will introduce you to the new features in RT4 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, from rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.


Security vulnerabilities in three commonly deployed RT extensions

We have found a number of security vulnerabilities in commonly installed RT extensions, enumerated below. You can determine which, if any, of these extensions your RT installation is using by navigating to Configuration → Tools → System Configuration, and examining the "Plugins" configuration setting.

We have released updated versions of each vulnerable extension. Installation instructions for each are included in a README file in each extension's tarball. You need only download and upgrade these extensions if you have a previous version of them installed; RT installations with none of the below extensions installed are not vulnerable, and do not need to take action.

RT::Authen::ExternalAuth 0.10 and below (for all versions of RT) are vulnerable to an escalation of privilege attack in which a user's RSS feed URL can be used to acquire a fully logged-in session as that user. CVE-2012-2770 has been assigned to this vulnerability.

Users of RT 3.8.2 and above should upgrade to RT::Authen::ExternalAuth 0.11, which resolves this vulnerability. Because users of RT 3.8.1 cannot run RT::Authen::ExternalAuth later than 0.08 (due to bugs in the plugin handling code in RT 3.8.1), we are also providing a patch which applies to RT::Authen::ExternalAuth 0.08. This patch should only be applied if you are running RT 3.8.1 and RT::Authen::ExternalAuth 0.08. Instructions for applying the patch can be found in the patch file itself.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Authen-ExternalAuth-0.11.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-authen-externalauth-0.08.patch

RT::FM versions 2.0.4 through 2.4.3, inclusive, are vulnerable to multiple cross-site scripting (XSS) attacks in the topic administration page. CVE-2012-2768 has been assigned to this vulnerability. This release also includes updates for compatibility with RT 3.8.12. As RT 4.0 and above bundle RT::FM's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

http://download.bestpractical.com/pub/rt/release/RTFM-2.4.4.tar.gz

RT::Extension::MobileUI 1.01 and below are vulnerable to multiple cross-site scripting (XSS) attacks. CVE-2012-2769 has been assigned to this vulnerability. As RT 4.0 and above bundle RT::Extension::MobileUI's functionality, and resolved this vulnerability in RT 4.0.6, this update is only applicable to installations of RT 3.8.

http://cpan.metacpan.org/authors/id/A/AL/ALEXMV/RT-Extension-MobileUI-1.02.tar.gz

The README in each tarball contains instructions for upgrading the extension. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.
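The "Plugins" check described at the top of this advisory can also be run from the command line on the server. The script below is an added example, not part of the advisory or of any of the extensions: it loads RT's configuration (no database connection is needed), prints the configured plugins, and flags any of the three extensions above whose loaded version is older than the fixed release. It assumes RT is installed under /opt/rt3 (adjust the `use lib` line), RT 3.8.2 or later (RT 3.8.1's plugin handling is the reason for the 0.08 patch above), and that each extension package declares a `$VERSION` as CPAN modules do; a module without one is reported for manual checking rather than silently passed.

```perl
#!/usr/bin/perl
# Added example, not part of the advisory: list the extensions enabled in
# @Plugins and flag any of the three named in the advisory whose loaded
# version is older than the fixed release.
# Assumptions: RT lives under /opt/rt3 (adjust 'use lib'), RT is 3.8.2 or
# later, and each extension package declares $VERSION as CPAN modules do.
# Reads configuration only; no database connection is needed.
use strict;
use warnings;
use lib '/opt/rt3/lib';   # assumption: RT install prefix
use version;
use RT;

RT::LoadConfig();          # load RT_Config.pm and RT_SiteConfig.pm
RT::InitPluginPaths();     # put each configured plugin's lib/ on @INC

# First release of each extension that closes its CVE (from the advisory).
my %fixed = (
    'RT::Authen::ExternalAuth' => '0.11',   # CVE-2012-2770
    'RT::FM'                   => '2.4.4',  # CVE-2012-2768
    'RT::Extension::MobileUI'  => '1.02',   # CVE-2012-2769
);

my @plugins = RT->Config->Get('Plugins');
print "Configured plugins: ",
      (@plugins ? join(', ', @plugins) : '(none)'), "\n";

my $vulnerable = 0;
for my $plugin (@plugins) {
    next unless exists $fixed{$plugin};

    # Load the module so its $VERSION is available. A load failure means the
    # plugin is configured but not installed where RT expects it.
    unless (eval "require $plugin; 1") {
        warn "  $plugin: configured but could not be loaded: $@";
        next;
    }

    my $have = $plugin->VERSION;   # UNIVERSAL::VERSION returns $Pkg::VERSION
    unless (defined $have) {
        warn "  $plugin: no \$VERSION declared, check the installed tarball by hand\n";
        next;
    }

    if (version->parse($have) < version->parse($fixed{$plugin})) {
        print "  VULNERABLE: $plugin $have (upgrade to $fixed{$plugin} or later)\n";
        $vulnerable++;
    }
    else {
        print "  ok: $plugin $have\n";
    }
}

# Non-zero exit when an affected version is found, so this can run from cron
# or a configuration audit and be noticed.
exit($vulnerable ? 1 : 0);
```

Run it as the user RT runs as so the same RT_SiteConfig.pm is read; on RT 4.0 only RT::Authen::ExternalAuth will normally appear, since RTFM and MobileUI are bundled there and were fixed in 4.0.6.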


Best Practical at OSCON

If you'll be attending OSCON in Portland next week, we're teaching a tutorial on Monday and running the Perl Lightning Talks on Thursday. In between, we'll be enjoying sessions, hanging out in the hallways, manning the TPF booth at the Expo, and sampling some of the local brews (coffee, tea and beer). If you're an RT user or interested in using RT, please stop us for a chat during the conference. You can find us on Twitter as @bestpractical if you want to arrange a meetup.


Security vulnerabilities in RT

Internal audits of the RT codebase have uncovered a number of security vulnerabilities in RT. We are releasing versions 3.8.12 and 4.0.6 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.12, 4.0.6, and the below patches include the following:

The previously released tool to upgrade weak password hashes as part of CVE-2011-0009 was an incomplete fix and failed to upgrade passwords of disabled users. This release includes an updated version of the vulnerable-passwords tool, which should be run again to upgrade the remaining password hashes. CVE-2011-2082 is assigned to this vulnerability.

RT versions 3.0 and above contain a number of cross-site scripting (XSS) vulnerabilities which allow an attacker to run JavaScript with the user's credentials. CVE-2011-2083 is assigned to this vulnerability.

RT versions 3.0 and above are vulnerable to multiple information disclosure vulnerabilities. This includes the ability for privileged users to expose users' previous password hashes -- this vulnerability is particularly dangerous given RT's weak hashing previous to the fix in CVE-2011-0009. A separate vulnerability allows privileged users to obtain correspondence history for any ticket in RT. CVE-2011-2084 is assigned to this vulnerability.

All publicly released versions of RT are vulnerable to cross-site request forgery (CSRF), in which a malicious website causes the browser to make a request to RT as the currently logged in user. This attack vector could be used for information disclosure, privilege escalation, and arbitrary execution of code. Because some external integrations may rely on RT's previously permissive behaviour, we have included a configuration option ($RestrictReferrer) to disable CSRF protection. We have also added a configuration list (@ReferrerWhitelist) for exempting specific originating hosts from CSRF protection. CVE-2011-2085 is assigned to this vulnerability.

We have also added a separate configuration option ($RestrictLoginReferrer) to prevent login CSRF, a different class of CSRF attack where the user is silently logged in using the attacker's credentials. $RestrictLoginReferrer defaults to disabled, because this functionality's benign usage is more commonly relied upon and presents less of a threat vector for RT than many other types of online applications.
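The following RT_SiteConfig.pm fragment is an added example, not taken from the advisory or from RT's own RT_Config.pm, showing the weak setting beside the hardened one. The hostnames are placeholders. In RT_Config.pm the whitelist is a list option, set with `@ReferrerWhitelist`; entries use the host:port form, and the `*.example.com` wildcard form is the feature listed in the RT 4.0.7 release notes above, so it needs 4.0.7 or later.

```perl
# etc/RT_SiteConfig.pm (added example; hostnames are placeholders)

# WEAK: turning the referrer check off disables the CSRF protection added in
# 3.8.12 / 4.0.6 for every page. Only do this as a stop-gap for a legacy
# integration that cannot send a Referer header, and remove it once that
# integration is fixed.
#
# Set($RestrictReferrer, 0);

# HARDENED: keep the check on and exempt only the hosts that legitimately
# submit requests to this RT. Entries are host:port; an entry for RT's own
# $WebDomain is not needed. The wildcard form requires RT 4.0.7 or later.
Set($RestrictReferrer, 1);
Set(@ReferrerWhitelist, qw(
    intranet.example.com:443
    *.tools.example.com:443
));

# Login CSRF protection defaults to off because external login links are
# commonly relied on. Enable it after confirming that any SSO or external
# login flow you use still works.
Set($RestrictLoginReferrer, 1);

1;
```

After changing the file, restart the web server (or the FastCGI/mod_perl workers) so the new configuration is loaded, then exercise each integration that posts to RT and watch the RT log for "possible cross-site request forgery" messages before trusting the whitelist.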

RT versions 3.6.1 and above are vulnerable to a remote execution of code vulnerability if the optional VERP configuration options ($VERPPrefix and $VERPDomain) are enabled. RT 3.8.0 and higher are vulnerable to a limited remote execution of code which can be leveraged for privilege escalation. RT 4.0.0 and above contain a vulnerability in the global $DisallowExecuteCode option, allowing sufficiently privileged users to still execute code even if RT was configured to not allow it. CVE-2011-4458 is assigned to this set of vulnerabilities.

RT versions 3.0 and above may, under some circumstances, still respect rights that a user only has by way of a currently-disabled group. CVE-2011-4459 is assigned to this vulnerability.

RT versions 2.0 and above are vulnerable to a SQL injection attack, which allows privileged users to obtain arbitrary information from the database. CVE-2011-4460 is assigned to this vulnerability.

In addition to releasing RT versions 3.8.12 and 4.0.6 which address these issues, we have also collected patches for all releases of 3.8 and 4.0 into a distribution available for download at:

http://download.bestpractical.com/pub/rt/release/security-2012-05-22.tar.gz

The README in the tarball contains instructions for applying the patches. The patches require version 0.68 or higher of FCGI.pm if you are running a FastCGI deployment. A too-low version of this module will manifest as outgoing mail failing to be sent, and errors in the logs resembling:

Could not send mail with command `[...]`:
Can't locate object method "FILENO" via package "FCGI::Stream"

If you need help resolving these security issues, we will provide discounted pricing for single-incident support; please contact us at sales at bestpractical.com for more information.


RT 4.0.5 Released

I'm happy to announce that RT 4.0.5 is now available.

This release contains a number of bugfixes and small improvements since the 4.0.4 release; a few of the more notable ones include:

  • Greatly improved print CSS
  • New Config option - HideResolveActionsWithDependencies removes actions such as Resolve from the action menu on tickets with outstanding dependencies
  • New Config option - AutocompleteOwnersForSearch allows admins to force an Owner autocompleter in the Query Builder
  • New Config option - NoTicketInterfaceForApprovals redirects users to the Approvals interface if they visit an Approval ticket in the regular RT UI
  • Improved Simple Search documentation and new 'any' keyword for any status
  • Improved case insensitivity in the User and Custom Field Autocompleters
  • new --enable-ssl-mailgate configure option and rt-mailgate options to assist with setting rt-mailgate up to talk to your ssl enabled RT server
  • More improvements to email quote detection to handle Outlook quoting
  • The CreateTickets action now supports adding Groups as Watchers
  • httpurl_overwrite no longer inserts spaces into your URLs
  • Added NBSP as a search column in the Query Builder
  • Maintain Approved/Denied state in the radio button on past Approvals
  • Fixes for Bookmarked ticket searches
  • Bugfixes for OverrideOutgoingMailFrom and sending bounces
  • More consistent ordering of Articles
  • Improvements to menu internals, including fixes for Search collections and localization of key names
  • Preserve Content-Disposition when redistributing mail
  • Improved PGP handling for .asc attachments with misleading content-types
  • By default, RT's session cookie will not be available to javascript
  • Allow Charts to be grouped by Told.
  • Test and localization cleanups.


Boston RT Training Reminder — March 5 & 6, 2012

March 2012 will bring a two-day RT training session to our hometown of Boston! To learn more and sign up online, visit our shop.

Drop us a line at training@bestpractical.com with any questions you have or to inquire about discounted pricing for academic institutions.

Our 2012 training session highlights the new features available in RT 4.

Day 1 covers

  • RT basics and concepts, concentrating on giving you an RT vocabulary and introducing you to parts of the basic and admin UI
  • Installing, upgrading and deploying RT
  • Mail and commandline access to RT
  • Escalations and notifications using the backend tools
  • Finding and installing extensions for RT and a walkthrough of common and popular extensions.

Day 2 covers

  • Deeper exploration of the Admin UI covering Users, Groups, ACLs, Lifecycles, Scrips, Templates, Approvals and Articles
  • Database administration and Full Text Searching
  • Using external authentication with your RT
  • Learn to build your own RT extension to apply customizations in a way that minimizes conflicts during an upgrade

A spot at either day costs $995 USD, but you can save 25% if you attend both days of training. That's just $1495 USD!

Reservations

We like to keep class sizes relatively intimate. Please register soon or we may not be able to guarantee you a seat.

When you register, please tell us which date(s) you are registering for, and whether you'd like to register for the whole training session or for only a single day.

If you'd like to pay via credit card, please visit Best Practical's online store. If you'd prefer to reserve a seat and have us bill you, please write to us training@bestpractical.com. Be sure to include the full names and email addresses of all attendees you'd like to register for training.
