[rt-announce] RT 4.0.23 released

Alex Vandiver alexmv at bestpractical.com
Thu Feb 26 11:39:04 EST 2015


RT 4.0.23 -- 2015-02-26
-----------------------

RT 4.0.23 contains important security fixes, as well as minor bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.0.23.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.0.23.tar.gz.sig

SHA1 sums

1067e0469184a6955e2822967eb7a2e287f7c17b  rt-4.0.23.tar.gz
17a153215b95d12e5aa0500d676089aed081d6df  rt-4.0.23.tar.gz.sig


This release is primarily a security release; it addresses CVE-2014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.

As part of these security updates, RT's dependency on the Encode module
has been changed to require Encode 2.64 or newer.  If upgrading, be sure
to run rt-test-dependencies to verify that your installed version of
Encode meets this requirement; if not, you will need to install a newer
version from CPAN.
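The download verification and dependency check described above, written out as an added example that is not part of this announcement or of RT itself: the SHA1 sums and the Encode minimum are taken from the text, the gpg invocation assumes the release signing key is already in your keyring (the key is not named in this announcement), and the Encode version is queried through perl directly rather than through rt-test-dependencies.

```shell
#!/bin/sh
# Added example (not the RT project's own code): verify a downloaded RT 4.0.23
# tarball against the SHA1 sums and detached signature published in the
# announcement, then check that the installed Encode module meets the new
# minimum version.
set -u

# SHA1 sums exactly as published in the announcement.
RT_TARBALL_SHA1="1067e0469184a6955e2822967eb7a2e287f7c17b"
RT_SIG_SHA1="17a153215b95d12e5aa0500d676089aed081d6df"
ENCODE_MIN_VERSION="2.64"

# verify_sha1 FILE EXPECTED: returns 0 if FILE hashes to EXPECTED, 1 otherwise.
# Uses sha1sum (GNU coreutils) when present, otherwise falls back to openssl.
verify_sha1() {
    file="$1"; expected="$2"
    if command -v sha1sum >/dev/null 2>&1; then
        actual=$(sha1sum "$file" | awk '{print $1}')
    else
        actual=$(openssl dgst -sha1 "$file" | awk '{print $NF}')
    fi
    [ "$actual" = "$expected" ]
}

# encode_version_ok VERSION: returns 0 if VERSION >= ENCODE_MIN_VERSION.
# Perl module versions such as Encode's are decimal numbers, so a numeric
# comparison is the right one (2.8 is newer than 2.64, unlike a
# dotted-integer scheme where 2.8 would sort before 2.64).
encode_version_ok() {
    awk -v have="$1" -v want="$ENCODE_MIN_VERSION" \
        'BEGIN { exit !(have + 0 >= want + 0) }'
}

# Full release check; run it from the directory holding the downloaded files.
check_release() {
    verify_sha1 rt-4.0.23.tar.gz "$RT_TARBALL_SHA1" \
        || { echo "tarball SHA1 mismatch"; return 1; }
    verify_sha1 rt-4.0.23.tar.gz.sig "$RT_SIG_SHA1" \
        || { echo "signature SHA1 mismatch"; return 1; }
    # The sums only prove the download matches this announcement; the
    # detached signature is what ties it to the release signer's key, which
    # must already be in your keyring (assumption) for this step to succeed.
    gpg --verify rt-4.0.23.tar.gz.sig rt-4.0.23.tar.gz \
        || { echo "gpg verification failed"; return 1; }
    have=$(perl -MEncode -e 'print $Encode::VERSION' 2>/dev/null) \
        || { echo "Encode is not installed"; return 1; }
    encode_version_ok "$have" \
        || { echo "Encode $have is older than $ENCODE_MIN_VERSION; install a newer one from CPAN"; return 1; }
    echo "release verified; Encode $have meets the $ENCODE_MIN_VERSION requirement"
}

# Uncomment to run the whole check in place:
# check_release
```

The SHA1 comparison catches a corrupted or substituted download only relative to the sums in this message; if the announcement itself could have been tampered with in transit, the gpg step against a key you obtained independently is the check that actually matters.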


Other changes include:

General user UI
 * Flush TSV download every 10 rows, for responsiveness
 * Pressing enter in user preference form fields no longer resets the
   auth token
 * Pressing enter in ticket create and modify form fields now creates or
   updates the ticket, instead of being equivalent to "add more
   attachments", or to "search" on People pages.
 * Retain values in Quick Create on homepage if it fails

Command-line
 * Fix server name displayed at password prompt when RT is deployed at
   a non-root path like /rt

Admin
 * Empty email addresses are no longer caught as being "an RT address"
   if there exist queues without Correspond addresses set
 * Allow Parents/Children/Members/MemberOf in CreateTickets action
 * Allow RT-Originator to be overridden in templates
 * Add missing semicolon on Shredder suggested indexes
 * Ensure that HTML-encoded entities are indexed in FTS

Developer
 * Make Obfuscate callback in configuration options be passed the
   current user, as was documented
 * Remove obsolete _CacheConfig parameters
 * ACL checks are now applied in the ->AddRecord stage, not in ->Next;
   this means that collections accessed via ->ItemsArrayRef are now
   correctly ACL'd.

Documentation
 * New documentation on writing portlets
 * Add an =pod directive so the first paragraph of UPGRADING is not
   skipped
 * Clarify when UPGRADING-x.y steps should be run


A complete changelog is available from git by running:
    git log rt-4.0.22..rt-4.0.23
or visiting
    https://github.com/bestpractical/rt/compare/rt-4.0.22...rt-4.0.23

