RT::Extension::Announce Released

We recently released RT::Extension::Announce which gives you an easy way to insert announcements on your RT homepage so all users can see the message. You may want to display a banner during maintenance or maybe an unscheduled outage to make sure the people fielding customer tickets know that something is going on.

The messages are set and managed in a dedicated queue, created when you install the module. This allows you to manage who can post announcements using permissions on the queue. You can also show messages only to select groups if you don't need to notify everyone.

More details are available in the RT::Extension::Announce documentation. Bugs or comments welcome at bug-RT-Extension-Announce@rt.cpan.org, pull requests via github.

New documentation for RT

As we mentioned in September, we've been working on documentation and we've got some updates for you from our latest release.

Lifecycles

Lifecycles are a major new feature in RT 4 and the core documentation has been available in RT_Config.pm. We've added more documentation that walks through an example lifecycle customization to give you an idea how you might take advantage of this powerful feature.

Styling RT

If you've poked around the Configuration tab, you've probably found the RT Theme Editor. If not, it's described in the new RT Styling doc. We also offer some guidelines on adding custom CSS and even developing your own RT theme. If you create one, we'd love to hear about it!

RT Approvals

Setting up approvals in RT is described briefly in RT Essentials. Approvals are now explained more fully, with an example. We also improved the documentation for the CreateTickets action which is key to setting up the automatic creation of approval tickets.

Articles

Articles, formerly the RTFM extension and now part of core RT, has documentation explaining setup, configuration, and usage.

RT Backups

We often get questions about what you need to back up to make sure you can restore your RT instance, so we've published our general backup guidelines.

Loading RT Objects

If you've installed RT or an RT extension that creates a template or scrip, you've run the make initdb or make upgrade-database commands. These commands process files that contain various RT objects and create them in your RT database. The syntax of these initialdata files is now documented which should make it much easier for extension authors to include RT objects with their extensions.

General Documentation Cleanup

We've continued to clean up our POD and improve our documents, most notably adding images and screenshots, which you can see in our Lifecycles and styling docs.

We hope you find these new documents useful. We'll continue to improve and expand on our documentation so you can get the most out of all the features of RT. If you find incorrect information or want to suggest improvements, you can file bug reports at rt-bugs@bestpractical.com or send us a pull request on github.

RT 4.0.10 Released

I'm happy to announce that RT 4.0.10 is now available.

This release contains several bugfixes and a fix for a regression introduced in 4.0.9. If you have a Queue configured so that users have SeeQueue and CreateTicket but not ShowTicket (they can create tickets, but won't be able to see them after creation) then any Custom Fields assigned to that Queue and filled in during creation would be lost during submission.

A complete changelog is available.

RT Users Survey

We were wondering what configurations of RT our users are running, what you're doing with RT, and what you'd like to do, so we thought we should just ask: take the RT Users Survey.

The survey has some questions geared toward the administrators who maintain RT or power users who are responsible for its care and feeding locally. There are also questions about using RT and new features you'd like to see. We're interested in a range of responses so please feel free to forward to anyone else who maintains or is an active user of RT.

Thanks!

RT 4.0.9 Released

I'm happy to announce that RT 4.0.9 is now available.

This release contains a number of bugfixes since the 4.0.8 release. It also contains the first set of previously embargoed security tests, covering the vulnerabilities fixed by the patches released on 2012-05-22. These are the tests for the vulnerabilities fixed in RT 4.0.6 and RT 3.8.12.

This release also requires a newer HTML::RewriteAttributes. You will be prompted to upgrade when upgrading RT or when manually running 'make test-dependencies'.

If you have set a custom @JSFiles in RT_SiteConfig.pm, you will need to amend this to include the new jquery.cookie.js file added to RT_Config.pm. See UPGRADING-4.0 for more details.

A complete changelog is available.

Security vulnerabilities in RT

We have determined a number of security vulnerabilities which affect both RT 3.8.x and RT 4.0.x. We are releasing RT versions 3.8.15 and 4.0.8, and RTFM version 2.4.5, to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.15, 4.0.8, and the patches include the following:

All versions of RT are vulnerable to an email header injection attack. Users with ModifySelf or AdminUser can cause RT to add arbitrary headers or content to outgoing mail. Depending on the scrips that are configured, this may be leveraged for information leakage or phishing. We have been assigned CVE-2012-4730 for this vulnerability; we would like to thank Scott MacVicar for bringing this matter to our attention.

RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability due to lack of proper rights checking, allowing any privileged user to create Articles in any class. We have been assigned CVE-2012-4731 for this vulnerability.

All versions of RT with cross-site request forgery (CSRF) protection (RT 3.8.12 and above, RT 4.0.6 and above, and any instances running the security patches released 2012-05-22) contain a vulnerability which incorrectly allows through CSRF requests which toggle ticket bookmarks. We have been assigned CVE-2012-4732 for this vulnerability; we would like to thank Matthew Astley for bringing this to our attention.

Additionally, all versions of RT are vulnerable to a confused deputy attack on the user. While not strictly a CSRF attack, users who are not logged in who are tricked into following a malicious link may, after supplying their credentials, be subject to an attack which leverages their credentials to modify arbitrary state. While users who were logged in would have observed the CSRF protection page, users who were not logged in receive no such warning due to the intervening login process. RT has been extended to notify users of pending actions during the login process. We have been assigned CVE-2012-4734 for this vulnerability; we would like to thank Matthew Astley for bringing this to our attention.

RT 3.8.0 and above are susceptible to a number of vulnerabilities concerning improper signing or encryption of messages using GnuPG; if GnuPG is not enabled, none of the following affect you. We have been assigned CVE-2012-4735 for the following related vulnerabilities:

  • When using GnuPG, RT now clarifies the concepts of signing for integrity and signing for authentication, which are separate (and exclusive) concepts. Previously, enabling the "Sign by default" queue configuration began signing automatically-generated messages with the queue's key, in addition to defaulting emails sent from the web UI to being signed. This provides integrity, but causes emails signed with that key to no longer possess authenticity; no individual email is guaranteed to have come from an actor designated to act for that key, in the case of automatically-generated emails.

    RT has now changed the "Sign by default" checkbox to merely provide a default in the web UI when composing messages; it no longer affects automatically-generated outgoing messages. Thus the "Sign by default" option helps to provide authenticity. A separate queue configuration option, "Sign all auto-generated mail" (defaulting to off), now controls the signing of automatically-generated emails, which (when used in combination with the previous option) helps provide integrity of all outgoing messages.

    Users who had previously checked "Sign by default" and who wish to maintain the previous effect of integrity but not authenticity will need to enable the new option as well.

    We would like to thank Matthijs Melissen (University of Luxembourg) for bringing this matter to our attention.

  • RT 3.8.0 and above contain a vulnerability which allows incoming emails to force all triggered outgoing mail to be signed and/or encrypted.

  • RT 3.8.0 and above contain a vulnerability which allows incoming emails to incorrectly appear in the UI to have been encrypted when they had not been. This vulnerability only applies to encryption, not signing.

  • RT 3.8.0 and above contain a vulnerability which allows any user who is capable of sending signed email in the UI to do so using any secret key stored in RT's keyring.

Additionally, RT 3.8.0 and above contain a vulnerability which allows a user to pass arbitrary arguments to the command-line GnuPG client, which could be leveraged to create arbitrary files on disk with the permissions of the webserver. This vulnerability only applies if GnuPG is enabled, and does not allow for execution of programs other than the command-line GnuPG client. We have been assigned CVE-2012-4884 for this vulnerability.

If you are running 3.8.x and RTFM, you will need to install RTFM 2.4.5 to resolve CVE-2012-4731. Patches for all releases of 3.8.x and 4.0.x are available for download; the README within the download contains instructions for applying the patches. Otherwise, we recommend upgrading to RT 4.0.8, which resolves the above vulnerabilities.

If you are using RT::Authen::ExternalAuth, you also need to upgrade it to version 0.12 for compatibility with the security fixes in RT 4.0.8, 3.8.15, and the patches.

RT Documentation Now Online

In the past, the best source for RT documentation was the codebase itself, where you could use the trusty perldoc command to find all of the embedded documentation. You also had the RT Essentials book for general concepts and architecture.

These days, most of us are very used to tabbing into our browser's search box and asking the internet to magically find the answers to our vaguely worded questions. Searches for RT questions typically find the community wiki, mailing list archives, and occasionally a link to source code in Github.

Today this changes.

All of the documentation embedded in the RT source is now easily accessible on the Best Practical website, and web searches will start to return results that link to official documentation. Each page indicates which RT version it's for, so you'll know you're not looking at the documentation for the wrong RT version. We'll be updating the site with documentation for each currently supported major version of RT going forward.

What's There

The documentation is in a few major categories:

  • Install and Upgrade: for getting started or moving to a new version

  • User: aimed at explaining features and how to do things

  • Utilities: docs for all of the utilities delivered with RT, from the rt command-line interface tool to rt-crontool to rt-server

  • Developer: core documentation on all of the Perl modules that make up RT

  • Actions and Conditions: core RT actions and conditions available for Scrips and rt-crontool

More to Come

Even though this documentation has been public and available for years, publishing it to the web site gives it a new level of visibility. This shows where our docs need some work (yes, we see it too). We'll continue to improve, correct, and add to the documentation over time.

You can help by submitting documentation patches if you find areas that could be improved or are incorrect. Part of the published doc includes instructions for getting started contributing patches. You can also browse the code and doc on Github and use their web editing feature to make changes and submit pull requests easily.

We hope you find the docs useful. Let us know what you think.

Release Scheduling

We're currently hard at work on the next major version of Request Tracker (RT 4.2) and we want to share our plans for the current RT release series.

As our current stable release, RT 4.0 will continue to receive regular bugfix releases. All new features are targeted for 4.2. This allows us to provide a consistent and stable upgrade path within the 4.0 series.

At this time, RT 3.8 will only be receiving security or critical bugfixes. When we release 4.2, we will announce an end of life schedule for 3.8.

The RT FAQ Manager was integrated into RT 4.0 as the Articles feature. Once RT 3.8 is no longer supported, support will also cease for RTFM.

With the release of 4.2, we also plan to stop fixing bugs for certain old and outdated web browsers. In particular this means IE6, but may also include other browsers that cause us maintenance problems. We will not actively break compatibility with these browsers, but we will not be developing patches to fix them.

RT 4.0.7 Released

I'm happy to announce that RT 4.0.7 is now available.

This release contains a number of bugfixes since the 4.0.6 release. In particular, we have adjusted the CSRF warning for a few pages based on user feedback.

This release bumps dependencies on Email::Address, FCGI and IPC::Run so please make sure to run 'make testdeps' and if required 'make fixdeps' before upgrading. Running 'make upgrade' will also check your installed versions for errors.

Security

  • Bump the FCGI dependency to one which closes CVE-2011-2766. The 4.0 series did not specify a minimum FCGI version, so a vulnerable release of the Perl FCGI module may have been installed when you set up an earlier 4.0.x release.

Features

  • Allow specification of your CSRF Whitelist Referrer using *.example.com
  • Allow searching for tickets associated with articles using a:42
  • Upgrade our Date/Time picker JS, allow unsetting of CFs
  • Improve display of circularly linked tickets
  • Optimize the large table changes between 3.2 and 3.4 for MySQL
  • Provide a better error if your CreateTickets template is malformed
  • Add the ExtractTicketId function to make customizing ticket id matching easier
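As an added illustration of the wildcard referrer whitelist feature listed above (this is example code written for this page, not RT's own CSRF implementation): a Referer check that accepts entries in the host:port form used by RT's @ReferrerWhitelist setting and supports a leading "*." wildcard. The matching rules are this example's assumptions: the port must match, "*." matches one or more leading labels but never the bare domain, and a missing or malformed Referer is never whitelisted.

```perl
# Illustrative Referer check with a wildcard whitelist, modelled on the
# entry format of RT's @ReferrerWhitelist ("host:port"). Not RT's own code:
# the matching rules below (port must match, "*." matches one or more
# leading labels and never the bare domain) are this example's assumptions.
use strict;
use warnings;

# Extract host and port from a Referer header value. Returns an empty list
# when the header is absent or not an absolute http(s) URL; the caller treats
# that as "not whitelisted", because a missing Referer must never be a free pass.
sub referer_origin {
    my ($referer) = @_;
    return () unless defined $referer
        && $referer =~ m{^(https?)://([^/:?#]+)(?::(\d+))?(?:[/?#]|\z)}i;
    my ($scheme, $host, $port) = (lc $1, lc $2, $3);
    $port //= $scheme eq 'https' ? 443 : 80;
    return ($host, $port);
}

# Does "host:port" match one whitelist entry such as "www.example.com:443"
# or "*.example.com:443"?
sub entry_matches {
    my ($entry, $host, $port) = @_;
    my ($ehost, $eport) = $entry =~ /^(.*):(\d+)$/ or return 0;
    return 0 unless $eport == $port;
    $ehost = lc $ehost;
    if ($ehost =~ s/^\*\.//) {
        # Anchor on a label boundary so "evil-example.com" and
        # "example.com.attacker.net" are rejected.
        return $host =~ /\A(?:[^.]+\.)+\Q$ehost\E\z/ ? 1 : 0;
    }
    return $host eq $ehost ? 1 : 0;
}

sub referer_whitelisted {
    my ($referer, @whitelist) = @_;
    my ($host, $port) = referer_origin($referer) or return 0;
    return (grep { entry_matches($_, $host, $port) } @whitelist) ? 1 : 0;
}

# Constructed sample: two whitelist entries and four candidate Referers.
my @whitelist = ('*.example.com:443', 'helpdesk.example.org:80');
for my $r ('https://rt.example.com/Ticket/Display.html?id=1',  # subdomain of whitelisted domain
           'https://evil-example.com/',                        # lookalike host, not a subdomain
           'http://rt.example.com/',                           # plain http, so port 80
           undef) {                                            # header absent
    printf "%-48s %s\n", $r // '(no Referer header)',
        referer_whitelisted($r, @whitelist) ? 'allowed' : 'blocked';
}
```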

Bugfixes

  • Don't trust emails that claim to be UTF-8; convert them to UTF-8 before storing
  • Fix a shredder bug when deleting a user and replacing it with another user
  • Remove CSRF restrictions on search results page
  • Ensure that TransactionBatch scrips always run in the RT::System context rather than having some sub-objects in the original user's context.
  • Better display of multipart/related mail
  • Remove some warnings when running under Perl 5.16
  • Better errors when viewing approvals without rights
  • Bring back rounded corners on Firefox >= 13 by using the standard border-radius property
  • $Users->LimitCustomField now ignores disabled ObjectCustomFieldValues properly (same for other non-ticket objects).
  • Versions of IPC::Run < 0.90 could truncate labels on charts that contain UTF-8 characters
  • Fix a rendering issue where certain emails would cause the history to render progressively more staggered to the right
  • Make owner:falcone and owner:falcone@example.com work
  • CF.{Foo} TicketSQL searches are now case insensitive on Pg and Oracle
  • Tickets with Unicode subjects created through the Web UI could end up being corrupted on reply because of other headers passed to MIME::Head
  • Ignore DECRYPTION_INFO from GnuPG 1.4.12
  • Record LastUpdated(By) on Scrips
  • Simple Search now handles Custom Fields with dashes
  • Remove another hardcoded use of 'resolved' in the mailgate unsafe actions
  • When deleting dashboards, also delete subscriptions
  • Fix rendering of links from bin/rt
  • Don't allow ticket creation if your REST form contains an unknown field
  • Skip users with empty email addresses in autocompletion
  • Loosen our detection of mobile browser to search for the word 'mobile'
  • Don't provide a charset on download of binary attachments
  • Fix UseSideBySideLayout to not be cached across users
  • Ensure that article searches are case insensitive
  • QueueSummaryByStatus now uses the improved code from QueueSummaryByLifecycle

A complete changelog is available from git by running

git log rt-4.0.6..rt-4.0.7

or visiting

https://github.com/bestpractical/rt/compare/rt-4.0.6...rt-4.0.7

although the GitHub compare view will not load all of the commits.

RT 3.8.14 Released

I'm happy to announce that RT 3.8.14 is now available.

This release contains two fixes related to the 3.8.12 security release.

Access to search results URLs is now CSRF whitelisted, based on user feedback. An error in rt-email-dashboards has been corrected.

A complete changelog is available from git by running:

git log rt-3.8.13..rt-3.8.14

or on github with

https://github.com/bestpractical/rt/compare/rt-3.8.13...rt-3.8.14