RT 4.0.17 released

RT 4.0.17 is now available.

This release fixes an important regression in the upgrade script included in 4.0.14, 4.0.15, and 4.0.16. Attempting to upgrade from 3.x would skip key upgrade steps. New installs, and sites upgrading from within the 4.0.x series, are unaffected.

Affected installations (those that upgraded from 3.x to 4.0.14, 4.0.15, or 4.0.16) should install RT 4.0.17 and then run 'make upgrade-database', specifying 3.9.9 and 4.0.0 as the versions to upgrade from and to. This should produce:

    Going to apply following upgrades:
    * 4.0.0rc2
    * 4.0.0rc4
    * 4.0.0rc7

Due to the missed upgrade steps, existing passwords kept working only until the user next logged in, or until etc/upgrade/vulnerable-passwords was run, after which they no longer worked. Affected users may be found by running the following SQL query:

    SELECT Name FROM Users WHERE Password LIKE '!sha512!%'
    AND LENGTH(Password) = 40;

After completing the upgrade steps above, passwords for affected users should be restored from backups, reset through the admin UI (assuming an administrator can still log in), or (as a last resort) set explicitly via:

perl -I/opt/rt4/local/lib -I/opt/rt4/lib -MRT=-init  \
-e 'my $u = RT::User->new( RT->SystemUser );'   \
-e '($u->Load("username"))[0] or die "Failed to load user";' \
-e '$u->SetPassword("new_password");'

Adjust the username and password on the last two lines accordingly. You may need to adjust /opt/rt4/local/lib and /opt/rt4/lib on the first line if your RT is not installed into the default location of /opt/rt4.

A complete changelog is available from git.

RT 4.0.16 released

RT 4.0.16 is now available.

This release fixes an important regression in the Shredder tool included in 4.0.14 and 4.0.15. Attempting to run the Shredder tool from the command line would fail with a compile-time error.

A complete changelog is available.

RT 4.0.15 Released

RT 4.0.15 is now available.

This release fixes an important regression in the upgrade scripts included in 4.0.14. If you attempted to upgrade from 3.8 with the RT FAQ Manager tables (FM_*) in your database, one of the upgrade scripts would error out.

If you were planning to upgrade from 3.8 using 4.0.14, please use 4.0.15 instead. If you have already upgraded to 4.0.14, there is no functional change in 4.0.15.

A permanent changelog is available.

RT 4.0.14 Released

I'm pleased to announce that RT 4.0.14 is now available.

This release is primarily a bugfix release. It also contains automated tests for the security vulnerabilities announced earlier.

A complete changelog is available.

RTIR Release Scheduling

As the next major version of RT for Incident Response (RTIR) is in final testing before release, we wanted to document our plans for the current RTIR release series.

RTIR 3.0 will join RT 4.0 as our stable series and will receive regular bugfix releases. All new development will be centered on RTIR 3.2 which will be compatible with RT 4.2 (the current RT development series).

Once RT 4.2 and RTIR 3.2 are released, we expect that RTIR 2.4 and 2.6 will follow the same end-of-life schedule as RT 3.8 and the RT FAQ Manager announced here.

At this time, RTIR 2.4 and 2.6 are only receiving security or critical bugfixes, such as these patches.

If you would like to help test the next RTIR release, the third release candidate is available.

Applying patches from rt.cpan.org tickets

Ever try to apply patches from a bug report in rt.cpan.org? Up until a few days ago, it was a bit of a pain because curl and wget didn't work without supplying your username and password. This prevented simple patch application like so:

curl -sL https://rt.cpan.org/Ticket/Attachment/.../.../foo.patch \
| git am -s

As of earlier this week, that's fixed! Now you can apply patches quite easily by copying the link in RT directly to your terminal and it will just work.

We're coming to Seattle for training in June

Our next public training is happening in Seattle on June 19th and 20th. Join us and learn from the experts how to get the most out of RT as a user and administrator, as well as a preview of what's to come in RT 4.2. Whether you're a native of the Pacific Northwest or will be flying in from afar, you'll leave our two-day training class with a much better understanding of the features, functionality, and administration of RT. Interested? Find more details here or sign up today!

Security vulnerabilities in RT

We discovered a number of security vulnerabilities which affect both RT 3.8.x and RT 4.0.x. We released RT versions 3.8.17 and 4.0.13 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.17, 4.0.13, and the below patches include the following:

RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to unauthorized modification of ticket data. The DeleteTicket right and any custom lifecycle transition rights may be bypassed by any user with ModifyTicket. This vulnerability is assigned CVE-2012-4733.

RT 3.8.0 and above include a version of bin/rt that uses semi-predictable names when creating tempfiles. This could possibly be exploited by a malicious user to overwrite files with permissions of the user running bin/rt. This vulnerability is assigned CVE-2013-3368.
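The class of bug described above, as an added illustration (this is not RT or bin/rt code, and it does not reproduce the specific defect in bin/rt): a PID-derived temp-file name opened with a plain create-or-truncate call, next to the O_CREAT|O_EXCL and mkstemp form, both exercised against a symlink planted ahead of time in a throwaway directory. It is written in Python so it runs without an RT install; the Perl equivalent of tempfile.mkstemp is File::Temp. The PID, file names and contents are constructed for the demonstration.

```python
import os
import tempfile


def write_report_predictable(tmpdir, pid, data):
    """'Before': a name anyone can guess from the PID, opened with a plain
    create-or-truncate open(). If an attacker has already planted a symlink
    at that name, the write lands wherever the link points."""
    path = os.path.join(tmpdir, f"rt-{pid}.tmp")   # hypothetical naming scheme
    with open(path, "w") as fh:
        fh.write(data)
    return path


def open_exclusive(path):
    """Create `path` with O_CREAT|O_EXCL (mode 0600). Returns an fd, or None
    if anything already exists there: POSIX makes O_EXCL fail on a symlink
    even when the link dangles, so the open cannot be redirected."""
    try:
        return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return None


def write_report_safe(tmpdir, data):
    """'After': tempfile.mkstemp picks an unguessable name and opens it with
    O_CREAT|O_EXCL, retrying on collision, so neither name guessing nor a
    pre-planted link works."""
    fd, path = tempfile.mkstemp(prefix="rt-", suffix=".tmp", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo(pid=4242):
    """Run both variants against a planted symlink in a throwaway directory
    and report what happened. Everything here is constructed; nothing
    outside the temporary directory is touched."""
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "victim.conf")
        with open(victim, "w") as fh:
            fh.write("original\n")
        planted = os.path.join(tmpdir, f"rt-{pid}.tmp")
        os.symlink(victim, planted)            # attacker guessed the name first

        write_report_predictable(tmpdir, pid, "attacker-chosen contents\n")
        with open(victim) as fh:
            victim_clobbered = fh.read() != "original\n"

        excl_refused = open_exclusive(planted) is None

        with open(victim, "w") as fh:           # reset for the safe variant
            fh.write("original\n")
        safe_path = write_report_safe(tmpdir, "report\n")
        with open(victim) as fh:
            victim_intact = fh.read() == "original\n"
        safe_is_real_file = not os.path.islink(safe_path) and safe_path != planted

    return {
        "victim_clobbered_by_predictable": victim_clobbered,
        "o_excl_refused_planted_link": excl_refused,
        "victim_intact_after_safe": victim_intact,
        "safe_path_is_real_file": safe_is_real_file,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two properties that matter are separate: an unguessable name stops the attacker from planting anything at the right path, and O_EXCL stops the open from succeeding even if they do. mkstemp (and File::Temp in Perl) gives both; fixing only the naming still leaves a race if the file is opened without O_EXCL.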

RT 3.8.0 and above allow calling of arbitrary Mason components (without control of arguments) for users who can see administration pages. This could be used by a malicious user to run private components which may have negative side-effects. This vulnerability is assigned CVE-2013-3369.

RT 3.8.0 and above allow direct requests to private callback components. Though no callback components ship with RT, this could be used to exploit an extension or local callback which uses the arguments passed to it insecurely. This vulnerability is assigned CVE-2013-3370.

RT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via attachment filenames. The vector is difficult to exploit due to parsing requirements. Additionally, RT 4.0.0 and above are vulnerable to XSS via maliciously-crafted "URLs" in ticket content when RT's "MakeClicky" feature is configured. Although not believed to be exploitable in the stock configuration, a patch is also included for RTIR 2.6.x to add bulletproofing. These vulnerabilities are assigned CVE-2013-3371.

RT 3.8.0 and above are vulnerable to an HTTP header injection limited to the value of the Content-Disposition header. Injection of other arbitrary response headers is not possible. Some (especially older) browsers may allow multiple Content-Disposition values which could lead to XSS. Newer browsers contain security measures to prevent this. Thank you to Dominic Hargreaves for reporting this vulnerability. This vulnerability is assigned CVE-2013-3372.

RT 3.8.0 and above are vulnerable to a MIME header injection in outgoing email generated by RT. The vectors via RT's stock templates are resolved by this patchset, but any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines. This vulnerability is assigned CVE-2013-3373.
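The two header-injection issues above (CVE-2013-3372 in the Content-Disposition response header and CVE-2013-3373 in outgoing mail headers) come down to the same mistake: a value the ticket's sender controls is interpolated into a header line without removing CR/LF. As an added illustration, not code from RT or from this advisory, here are the vulnerable and hardened constructions side by side, with a minimal header-block parser that shows what a receiver sees in each case. RT itself is Perl; this Python version shows the language-independent check. The attacker-controlled subject and filename are constructed sample values.

```python
import re

# Constructed sample inputs (not from any real RT instance): values an
# attacker controls through a ticket, which a template or the web UI
# then interpolates into a header line.
EVIL_SUBJECT = "Invoice #1234\r\nBcc: attacker@example.invalid"
EVIL_FILENAME = 'report.pdf"\r\nContent-Type: text/html\r\n\r\n<script>alert(1)</script>'


def strip_header_newlines(value):
    # Collapse any CR/LF run to a single space so the value can never start
    # a new header line. This is the check the advisory asks custom template
    # authors to add; the Perl equivalent is  s/[\r\n]+/ /g  on the value.
    return re.sub(r"[\r\n]+", " ", value)


def mail_headers_unsafe(to_addr, subject):
    # 'Before': subject interpolated verbatim, as a naive template would do.
    return f"To: {to_addr}\r\nSubject: {subject}\r\n"


def mail_headers_safe(to_addr, subject):
    # 'After': the interpolated value is sanitised first.
    return f"To: {to_addr}\r\nSubject: {strip_header_newlines(subject)}\r\n"


def content_disposition_unsafe(filename):
    return f'Content-Disposition: attachment; filename="{filename}"\r\n'


def content_disposition_safe(filename):
    # Besides CR/LF, escape backslash and quote so the value cannot close
    # the quoted parameter either.
    cleaned = strip_header_newlines(filename)
    cleaned = cleaned.replace("\\", "\\\\").replace('"', '\\"')
    return f'Content-Disposition: attachment; filename="{cleaned}"\r\n'


def parse_header_block(raw):
    """Minimal parser for a CRLF-separated header block (RFC 822 style,
    no folding): returns [(name, value), ...] up to the first empty line."""
    headers = []
    for line in raw.split("\r\n"):
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def count_header(raw, name):
    """How many times a header named `name` appears as a distinct line."""
    return sum(1 for n, _ in parse_header_block(raw) if n.lower() == name.lower())


if __name__ == "__main__":
    to = "user@example.invalid"
    print("unsafe mail, Bcc lines:", count_header(mail_headers_unsafe(to, EVIL_SUBJECT), "Bcc"))
    print("safe   mail, Bcc lines:", count_header(mail_headers_safe(to, EVIL_SUBJECT), "Bcc"))
    print("unsafe C-D, Content-Type lines:", count_header(content_disposition_unsafe(EVIL_FILENAME), "Content-Type"))
    print("safe   C-D, Content-Type lines:", count_header(content_disposition_safe(EVIL_FILENAME), "Content-Type"))
```

In a custom RT template the corresponding fix is to run the value through `s/[\r\n]+/ /g` before it reaches a header line; stripping newlines is the advisory's minimum. For the filename case, escaping the quote and backslash (or using RFC 2231/5987 `filename*` encoding) also closes the parameter break-out, which newline stripping alone does not.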

RT 3.8.0 and above are vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. RT's default session configuration only uses Apache::Session::File for Oracle. RT instances using Oracle may be locally configured to use the database-backed Apache::Session::Oracle, in which case sessions are never re-used. The extent of session re-use is limited to information leaks of certain user preferences and caches, such as queue names available for ticket creation. Thank you to Jenny Martin for reporting the problem that led to discovery of this vulnerability. This vulnerability is assigned CVE-2013-3374.

In addition to releasing RT versions 3.8.17 and 4.0.13 which address these issues, we also collected patches for all releases of 3.8.x and 4.0.x into a download available at:

http://download.bestpractical.com/pub/rt/release/security-2013-05-22.tar.gz

The README in the tarball contains instructions for applying the patches. If you need help resolving these issues locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.

Versions of RT older than 3.8.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.

RT Training in Seattle, Washington — June 19th & 20th

Best Practical Solutions provides unparalleled instruction in how to get the most out of RT.

Our second training of 2013 will be held in Seattle, Washington on June 19th & 20th. Space is limited, so RSVP as soon as possible so we can guarantee you a seat.

This training will introduce you to the new features in RT 4 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, from rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.

Pricing and Payment

The cost of the class includes training materials, a continental breakfast and an afternoon snack. Please note that lunch will not be provided.

Single Day - USD 995
Both Days - USD 1495 (25% savings)

To Register

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately we are unable to accept American Express or PayPal.

If you'd prefer to pay with a purchase order, please email us at training@bestpractical.com. Be sure to include:

  • If you want to attend both days or a single day
  • Full names and email addresses of attendees

Please also contact us at training@bestpractical.com for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.

Future training locations

If you can't make it to this training session, feel free to drop us a line to suggest locations for the future.

RT 4.0.12 released

It's my pleasure to announce RT 4.0.12 is now available for download.

This release of RT repairs a regression in 4.0.11. If you use the Rich Text Editor, the red background on Reply was missing due to the update of CKEditor to support IE10. It also includes a database upgrade, so please make sure to run 'make upgrade-database'.

Features

  • Date and DateTime Custom Fields now have the same 'smart' date parsing that core RT date fields have.
  • Improved logging when the sending of a Correspond or Comment fails.
  • The Quick Search preferences page now has Select/Clear All buttons.
  • Unprivileged users can now change Language and Time Zone.
  • Warn MySQL users if their max_allowed_packet is dangerously low.

Bugfixes

  • Repair 4.0.11 regression where red background on Reply with the RichText Editor was lost.
  • Quiet warnings in the verbose user format.
  • Allow changing the case of a Group's name (prevented by earlier code stopping you from having two groups with the same name).
  • Allow changing the case of a Class's name.
  • Avoid warnings when using empty Templates.
  • Update our InnoDB checks for MySQL 5.6 compatibility.
  • Clarification of when SetOutgoingMailFrom and OverrideOutgoingMailFrom are available.
  • Improve layout of collection lists in IE.
  • Fix Attach more files button in Self Service.
  • Set caching headers on autocomplete endpoints.
  • Restore and improve prematurely deleted documentation for DontSearchFileAttachments.
  • Correct the encoding of Dashboard email Subject headers.
  • Fix the default roles on User->WatchedQueues.
  • Document the need to grant SeeCustomField in UPGRADING-3.4.
  • Nudge menus below the shadows in aileron.
  • Fix missing headers and a syntax error in the /REST/1.0/attachment/NN endpoint.

Localization

  • Improve the display of numbers when using the French localization.
  • Built in components and searches (such as Bookmarked Tickets) are now localizable.
  • Use PostgreSQL error codes in the full-text-indexer instead of matching on error messages that may be in a non-english language.
  • Localize 'Dashboard' during creation.
  • Mark 'Modify this user' as localizable.

Developer

  • Tests can now be run against a remote DB server.
  • Install etc/upgrade to make some rt-setup-database actions easier without requiring access to the install directory.
  • RT_TEST_PARALLEL_NUM controls the -j parameter in make parallel-test.
  • Work around a git bug in git archive when packaging releases. This caused the third party sources to bloat the 4.0.11 tarball.
  • Fix examples in the CreateTickets documentation.
  • RT Ticket types (ticket, approval, reminder) are now always forced to lower case.
  • Allow the use of 'NOT IN' in Limits (assuming a new enough DBIx::SearchBuilder).

A complete changelog is available from git by running:

git log rt-4.0.11..rt-4.0.12

or viewing Github's comparison.