Versions of RT between 4.2.0 and 4.2.2 (inclusive) are vulnerable to adenial-of-service attack via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This vulnerability is assigned CVE-2014-1474.

This vulnerability is caused by poor parsing performance in the Email::Address::List module, which RT depends on. We recommend that affected users upgrade their version of Email::Address::List to v0.02 or above, which resolves the issue.

After extracting the contents, the module can be installed by running:

perl Makefile.PL
make
make install

The first step should be sure to use the same perl that RT runs using. If you are unsure, the first line of /opt/rt4/sbin/standalone_httpd should contain the full path to the relevant perl binary. The last step will likely need to be run with root permissions. After this process, you should restart your webserver.

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.

We are pleased to announce that RT 4.2.2 is now available.This release is primarily a bugfix release; of particular note is that it contains schema changes for MySQL. Though the changes are limited, it is especially important to take, and verify you can recover from, a database backup prior to upgrading.

Also notable is that this release fixes a bug in 4.2.0 and 4.2.1 where failures of the HTML-to-text conversion would silently cause mail to fail to be sent. When using the rich text editor, RT will also now quote the the HTML parts of email, and not simply their text equivalents.

Other changes include:

Documentation

• Wording fixes in Shredder
• Clean up examples in Lifecycles documentation
• Document additional indexes that increase performance of Shredder
• Replace a suggested GnuPG option with one which is not deprecated
• Note that errors reported from the GnuPG infrastructure may be caused by GnuPG not being configured, but having been automatically enabled.

Database

• Ensure that even disabled scrips get the same id-to-name change that other scrips got during the 4.0 → 4.2 upgrade.
• On MySQL, alter the character set of all columns used to store email addresses to UTF-8
• Ensure that invalid byte sequences that may have snuck into the database previously (on earlier versions on MySQL, for instance) are not blindly interpreted as UTF-8 when retrieved from the database. As a result, invalid bytes will be returned from the API as the four characters "\xHH", where HH is the hexadecimal encoding of the byte.
• Ensure that all data containing non-ASCII is quoted-printable encoded for PostgreSQL, instead of merely all data not claiming to be text/plain
• Additional warnings prevention on Oracle; tests now pass cleanly
• Allow fully-automated database upgrades using --upgrade-from and --upgrade-to options to rt-setup-database
• Clean out any remaining traces of RTFM that lingered in custom fields and custom field values that were disabled at the time of the previous upgrade step.
• Bullet-proof a 3.8 → 4.0 upgrade step for Scrips with no Condition

Serializer/importer

• Install rt-serializer and rt-importer into sbin/
• Ensure that incremental upgrade steps only run on incremental serializations, not all exports
• Fix a runtime error in the incremental upgrade path to 4.2
• Ensure that inflated Users and Groups are created with the same id as their Principal
• Disable in-memory record caching when serializing and importing to improve performance
• Only search non-Disabled custom fields when looking up BasedOn in initialdata files
• Set up logging properly; warnings are now displayed during serialization and importing

Email

• Don't die if HTML → text conversion throws an error, which would silently prevent outgoing mail from being sent. Instead, fall back to just sending text/html with no text/plain
• Replying to an HTML mail with the rich text editor will now quote the HTML part, not the equivalent text version.
• Set a transfer encoding on outgoing dashboards; this resolves issues with long lines when using the Sendmail MTA.
• Cope with mangled and overly-quoted recipient headers occasionally generated by Outlook.

General user UI

• Stop localizing custom field names, for consistency
• Show a useful error on "show outgoing mail" if the user has no rights to see the page, rather than displaying an empty page.
• Adjust UI to not block header on "show outgoing email" page
• Hide the Take and Steal menu items if you already own the ticket, closing a regression in 4.2.0 and above.
• Autocompletion custom fields now properly autocomplete when placed in custom field groupings
• Improve rendering on Internet Explorer 6
• Fix cascaded custom fields on Internet Explorer 8 and below.
• Fix third-level cascading custom fields, broken in 4.2.1
• Minor rendering bugs with Charts placed on homepages and dashboards
• Whitelist "show outgoing email" and chart results from CSRF protection
• RT 4.0.7 introduced a performance regression when building ticket searches that query Links; switch back to a much better-indexed query.
• Fix "Clone ticket" functionality with Select-multiple custom fields.
• Show the queue ID for the current queue in the ticket edit page, even if the user does not have SeeQueue; this prevents the user from accidentally changing the queue.
• Respect custom field groupings on user preferences page

Query Builder

• Warnings avoidance for searches with more than 1000 results.
• Allow IS NULL to search for dates which are unset
• Properly quote CF names containing non-ASCII characters in query builder, broken since 4.2.0
• Add "UpdatedBy" TicketSQL limit

Admin

• Correct a package load order problem which prevented the web installer from working since 4.2.0
• Report the correct setting name in rt-validate-aliases
• Fix real-time updating of Theme CSS on Internet Explorer 8 and below
• Fix a minor display bug in the CF Admin pages, where the queue number instead of queue name would be displayed in requests shortly after server startup.
• Add "Extra Info" as a possible field for "More About Requestor"

REST

• Allow searching for users, queues, and groups in REST
• Prevent a server error when attempting to guess content-type in the REST interface.

Development

• Allow running tests with an explicit set of plugins enabled.
• Custom Action and Condition packages (as supplied by extensions; these are not the text entry boxes in the UI) are now loaded at server startup time, to catch compile-time errors in such classes early as well as reducing RT's memory footprint on mod_perl. Previously, these errors would have logged errors only when their Scrip failed to fire. This restores the behavior found in RT 3.8, which was mistakenly removed in RT 4.0.0.
• Additional callbacks, including in charts, and on ticket reply pages
• Remove an unused Makefile target

A complete changelog is available from git.

We are pleased to announce RT4.0.19 is now available. This release is primarily a bugfix release; of particular note is that it contains schema changes for MySQL, the first notable such in the 4.0 series. Though the changes are limited, it is especially important to take, and verify you can recover from, a database backup prior to upgrading.

Other changes of note:

Documentation

• Add documentation for rt-crontool
• Clean up examples in Lifecycles documentation
• Document additional indexes that increase performance of Shredder
• Replace a suggested GnuPG option with one which is not deprecated
• Note that errors reported from the GnuPG infrastructure may be caused by GnuPG not being configured, but having been automatically enabled.

Database

• On MySQL, alter the character set of all columns used to store email addresses to UTF-8
• Ensure that invalid byte sequences that may have snuck into the database previously (on earlier versions on MySQL, for instance) are not blindly interpreted as UTF-8 when retrieved from the database. As a result, invalid bytes will be returned from the API as the four characters "\xHH", where HH is the hexadecimal encoding of the byte.
• Ensure that all data containing non-ASCII is quoted-printable encoded for PostgreSQL, instead of merely all data not claiming to be text/plain
• Additional warnings prevention on Oracle; tests now pass cleanly
• Allow fully-automated database upgrades using --upgrade-from and --upgrade-to options to rt-setup-database
• Clean out any remaining traces of RTFM that lingered in custom fields and custom field values that were disabled at the time of the previous upgrade step.
• Bullet-proof a 3.8 → 4.0 upgrade step for Scrips with no Condition

Email

• Set a transfer encoding on outgoing dashboards; this resolves issues with long lines when using the Sendmail MTA.
• Cope with mangled and overly-quoted recipient headers occasionally generated by Outlook.

General user UI

• When using the back button to return to a reply page with the rich text editor, contents will no longer be doubly HTML-encoded
• Improve rendering on Internet Explorer 6
• Fix cascaded custom fields on Internet Explorer 8 and below.
• Support cascaded selects for all Select render types (dropdown, select box, radio buttons, checkboxes)
• Minor rendering bugs with Charts placed on homepages and dashboards
• Add "mark as seen" functionality to SelfService ticket display pages
• Link the ModifyPeople page when the user has Watch or WatchAsAdminCc
• Whitelist "show outgoing email" and chart results from CSRF protection
• RT 4.0.7 introduced a performance regression when building ticket searches that query Links; switch back to a much better-indexed query.
• Fix "Clone ticket" functionality with Select-multiple custom fields.
• Show the queue ID for the current queue in the ticket edit page, even if the user does not have SeeQueue; this prevents the user from accidentally changing the queue.

Query Builder

• Support CF.Foo in addition to CF.{Foo} and '__CF.{Foo}__' in format strings. This follows the trend of allowing brace-less forms whenever possible.
• Ensure that format strings from the Query Builder escape quotes correctly, and correctly parse existing formats with quotes.
• Autocomplete CF values for custom fields of type "Autocomplete" in the Query Builder.
• Warnings avoidance for searches with more than 1000 results.

Admin

• Fix real-time updating of Theme CSS on Internet Explorer 8 and below
• Fix a minor display bug in the CF Admin pages, where the queue number instead of queue name would be displayed in requests shortly after server startup.
• Add "Extra Info" as a possible field for "More About Requestor"

iCal

• Ensure that iCal dates are formatted with a leading space on the first nine days of each month, for correctness.
• Show iCal dates (when omitting times) in the user's timezone, not UTC

REST

• Prevent a server error when attempting to guess content-type in the REST interface.

Development

• Custom Action and Condition packages (as supplied by extensions; these are not the text entry boxes in the UI) are now loaded at server startup time, to catch compile-time errors in such classes early as well as reducing RT's memory footprint on mod_perl. Previously, these errors would have logged errors only when their Scrip failed to fire. This restores the behavior found in RT 3.8, which was mistakenly removed in RT 4.0.0.
• rt-dump-metadata has slightly more documentation and options
• Additional callbacks, including in charts, and on ticket reply pages
• Show customized rights under their appropriate categories
• Remove an unused Makefile target
• Ensure that RT::Template->Create returns (result,message) and not simply result

A complete changelog is available from git.