[rt-announce] RT 4.0.6 Released - Security Release

Alex Vandiver alexmv at bestpractical.com
Tue May 22 10:39:05 EDT 2012

RT 4.0.6 contains important security fixes, in addition to bugfixes.


SHA1 sums

f5c0dd16da21f0af8e9c093057aa58cbab08d06b  rt-4.0.6.tar.gz
1f862bbb1b335cd036d1c32c10d80f26e4ce99a1  rt-4.0.6.tar.gz.sig

This release, in addition to being a bugfix release, also resolves a
number of security vulnerabilities.  It resolves CVE-2011-2082,
CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458,
CVE-2011-4459, and CVE-2011-4460.

 * Remove CSS3PIE, which simply added rounded corners on IE7 and IE8, as
   it was causing numerous crashes of IE.
 * Show the current status in the status dropdown during ticket update,
   to allow forced setting of the status.  This functionality was
   available in RT 3.8, and is now being reinstated.
 * Use SearchBuilder queue limits to restrict what statuses and owners
   are displayed in drop-downs.
 * Make "New Ticket" a top-level SelfService menu item.
 * Display Lifecycle column correctly in queue admin lists.
 * Allow >64k attributes on MySQL; this is particularly useful for
   logos uploaded via the theming editor.
 * Remove two dependencies from the RT mailgate.
 * Adding new arbitrary links to tickets now works as expected in the
   REST interface.
 * Subject: lines in Forward Ticket templates are now respected.
 * Sort ticket link numbers numerically, not alphabetically.
 * Ticket reminders are no longer copied when creating a linked ticket;
   article and http:// links now are, however.
 * Use relative links (with no hostname) more consistently.
 * Correctly deal with non-ASCII attachment filenames which make use of
   MIME parameter value continuations.
 * Find queue-level CFs first in REST interface when there are
   duplicates by name.
 * Fix graphing of searches which reference Updated and other
   transaction-based limits.
 * Reminder statuses on open and resolve are now configurable.
 * Fix quoting of CF names containing dashes and the like in the
 * Bump URI dependency to ensure utf8 URLs are correctly generated in
   Dashboard emails.
 * Permit <bdo> and language attributes when scrubbing HTML.

A complete changelog is available from git by running:
  git log rt-4.0.5..rt-4.0.6

 - Alex