[rt-announce] RT 4.4.2 released

Shawn M Moore shawn at bestpractical.com
Wed Jul 26 16:38:03 EDT 2017


RT 4.4.2 -- 2017-07-26
======================

We're pleased to announce the general availability of RT 4.4.2. This
release introduces several important security fixes, a handful of
new features, and many bugfixes.

We have redesigned how time worked is calculated per user and for
children tickets. As always please be sure to review the UPGRADING-4.4
document.

The list of security fixes is included below, followed by new features
then by other improvements and bugfixes.

https://download.bestpractical.com/pub/rt/release/rt-4.4.2.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.2.tar.gz.asc

SHA-256 sums

b2e366e18c8cb1dfd5bc6c46c116fd28cfa690a368b13fbf3131b21a0b9bbe68  rt-4.4.2.tar.gz
2185c2be31b352ad0a7605f9a4e4720b2c3607df75aae1c0cbace9eb9e6fcef8  rt-4.4.2.tar.gz.asc

 - Shawn M Moore, for Best Practical


Security
  * RT 4.0.0 and above are vulnerable to an information leak of cross-site
    request forgery (CSRF) verification tokens if a user visits a specific
    URL crafted by an attacker. This vulnerability is assigned
    CVE-2017-5943. It was discovered by a third-party security researcher.

  * RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
    if an attacker uploads a malicious file with a certain content type.
    Installations which use the AlwaysDownloadAttachments config setting are
    unaffected. This fix addresses all existant and future uploaded
    attachments. This vulnerability is assigned CVE-2016-6127. This was
    responsibly disclosed to us first by Scott Russo and the GE Application
    Security Assessment Team.

  * One of RT's dependencies, a Perl module named Email::Address, has a
    denial of service vulnerability which could induce a denial of service
    of RT itself. We recommend administrators install Email::Address version
    1.908 or above, though we additionally provide a new workaround within
    RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
    vulnerability's application to RT was brought to our attention by Pali
    Rohár.

  * RT 4.0.0 and above are vulnerable to timing side-channel attacks for
    user passwords. By carefully measuring millions or billions of login
    attempts, an attacker could crack a user's password even over the
    internet. RT now uses a constant-time comparison algorithm for secrets
    to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
    This was responsibly disclosed to us by Aaron Kondziela.

  * RT's ExternalAuth feature is vulnerable to a similar timing side-channel
    attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
    extension, as well as the core ExternalAuth feature in RT 4.4 are
    vulnerable. Installations which don't use ExternalAuth, or which use
    ExternalAuth for LDAP/ActiveDirectory authentication, or which use
    ExternalAuth for cookie-based authentication, are unaffected. Only
    ExternalAuth in DBI (database) mode is vulnerable.

  * RT 4.0.0 and above are potentially vulnerable to a remote code execution
    attack in the dashboard subscription interface. A privileged attacker
    can cause unexpected code to be executed through carefully-crafted saved
    search names. Though we have not been able to demonstrate an actual
    attack owing to other defenses in place, it could be possible. This fix
    addresses all existant and future saved searches. This vulnerability is
    assigned CVE-2017-5944. It was discovered by an internal security audit.

  * RT 4.0.0 and above have misleading documentation which could reduce
    system security. The RestrictLoginReferrer config setting (which has
    security implications) was inconsistent with its implementation, which
    checked for a slightly different variable name. RT will now check for the
    incorrect name and produce an error message. This was responsibly
    disclosed to us by Alex Vandiver.

New features
  * Custom fields now have a "New values must be unique" option.

  * Custom fields now support value canonicalization (for example,
    automatically changing input values to be all uppercase). See the
    @CustomFieldValuesCanonicalizers config option.

  * Ticket timers provide a comment box for quickly adding ticket comments
    to describe your time worked.

  * You can now set up default values for assets on a catalog level.

  * You can choose to display result counts on ticket search portlets using
    the new $ShowSearchResultCount config setting.

  * There is now a "Load all history" link for the "as you scroll" history
    loading mode, to allow you to use browser-based text search.

  * We now display a list of recently-viewed tickets in the
    Search -> Tickets -> Recently Viewed menu.

  * We have made RT::Extension::AdminConditionsAndActions part of core
    RT, so you can now easily configure the conditions and actions of
    your scrips right within the admin UI.

General user UI
  * Avoid breaking sorting of non-ticket searches in dashboards
  * Avoid duplicate one-time recipients (I#31938, I#31939)
  * Suppress ticket Ccs and AdminCcs from one-time recipients
  * Allow ordering assets with "CustomField.Foo" syntax
  * Avoid divide-by-zero in charts with no data (I#32143)
  * Add ability to link multiple assets to a new ticket from asset bulk
    update
  * Add quick asset create portlet for user summary
  * Add encrypt/sign controls to ticket forward page
  * Fix browser-based search navigation link generation (I#32197)
  * Remove self-service password change form under ExternalAuth
  * Respect SetInitialCustomField right in self-service (I#32233)
  * Declare page as being in user's language for browser spellcheck (I#32082)
  * Fix error with merge tickets being used on bulk update (I#32237)
  * Avoid overaggressively generating external attachment links
  * Add $HideOneTimeSuggestions config to hide one-time recipient
    addresses behind a click
  * Add "All recipients" checkboxes to modify people page and one-time
    recipients on update
  * Dashboards are now displayed in alphabetically-sorted order
  * Remove dashboard from menu if it can't be loaded (I#29719)
  * Avoid wrapping one-time recipient checkbox separately from its
    label (I#32117)
  * Use only top-level attachments for generating one-time recipient lists
    to avoid e.g. phishing addresses
  * Fix accidental usage of server timezone for end users (I#32315)
  * Add user preference for browser context menu instead of
    CKEditor's, for native spellcheck (#32274)
  * QuickCreate on a dashboard no longer sends you to the homepage (I#25573)
  * Respect HideTimeFieldsFromUnprivilegedUsers in correspond
    transactions with time worked
  * Fix occasionally-missing background-color for comments
  * Add a Timer column to search results for launching ticket timer
  * Fix error preventing merging tickets with lazily-created watcher
    groups (I#32490)
  * Add a __CurrentUserName__ TicketSQL placeholder
  * You can now search tickets using Queue LIKE '…' and Queue NOT LIKE '…'
  * Make "Show all" link for attachment lists more prominent (I#32459)
  * Respect SetInitialCustomField for multi-valued CFs (I#32491)
  * Fix bulk update for asset custom fields (I#32509)
  * Add support for CF grouping in asset bulk update (#32198)
  * Add "reattach" as an attachment warning keyword
  * Sort one-time recipient addresses (I#31879)
  * Fix article quicksearch degrading the article menu (#31591)
  * Avoid noisy "CF changed from 0 to 0" messages (I#32440)
  * Avoid showing a truncated list of articles due to permissions (I#31989)
  * Avoid double-encoded text attachments loaded from ExternalStorage
  * You can now chart tickets by SLA (I#31824)
  * Add "Show all" button for attachments on ticket forward page
  * Relabel "Password" portlet on user page to "Access control" (I#31379)
  * Fix UI for bulk update of "List"-type select-multiple CFs (I#32562)
  * Avoid discarding checkbox changes in Recipients panel (I#32290)
  * Clean up article custom fields display (I#32641)
  * Add SLA field to bulk update if any queues have SLA enabled
  * Include the new Request Tracker logo
  * Fix overly-large bookmark star on mobile UI (I#32727)
  * Stop double-escaping HTML which is made into links (I#31169)
  * Fix keyboard shortcut UI for selecting tickets on old themes (I#32748)
  * Add Reports menu with several predefined reports

Command-line
  * Fix rt-ldapimporter --debug logging output (I#32196)
  * Improve rt-ldapimporter documentation
  * Produce output from etc/upgrade/upgrade-assets

Email
  * Avoid overaggressively trimming whitespace from MIME encoded-words
  * Add config option $OverrideMailPrecedence to help avoid out-of-office
    autoreplies
  * Fix issues with encrypted attachments being unreadable/absent

Database
  * Skip DBA password prompt on SQLite
  * Avoid warnings when upgrading old saved searches (I#32235)
  * … and fix up those old saved searches (I#16856)
  * Restart asset and catalog ID sequences for Pg and Oracle in
    etc/upgrade/upgrade-assets
  * Add index on Attachments table column Filename (I#32033)
  * Replace deprecated NOCREATEUSER with NOSUPERUSER for
    Postgres 9.6 (I#32511)
  * Avoid deadlock in SetOwner race condition which we believe affected
    only MySQL (I#32381)
  * The previous may have caused inconsistent ticket ownership, and so
    the 4.4.2 upgrade step will find and fix such issues
  * Add rt-validator rules for possible issues around ticket owner

rt-serializer/rt-importer
  * Fix several incorrect references in output (I#31803, I#31804, I#31805,
    I#31808)
  * Add --exclude-organization option  (I#31812, I#31813)
  * Add --limit-queues and --limit-cfs options
  * Suppress semi-unmigrated link relationships by default
  * Add --hyperlink-unmigrated option
  * Fix queue change transactions to mention unmigrated queues by name
  * Support for dashboards in menu preference (I#31810)
  * Support for RT at a Glance preference (I#31809)
  * Don't skip RT->System searches
  * Avoid breaking rights granted to users (I#31806)

Web Administration
  * Add checkbox for selecting all custom field values in admin UI
  * Log a history entry when adjusting whether a user is Privileged
  * Log history entries when adding/removing a group member both to
    the group and to the member
  * Hide disabled scrips by default, adding a "include disabled scrips"
    checkbox (I#30131)
  * Add missing timezone field on user create/modify (I#29977)
  * Add RT extension names and versions to System Configuration page (I#31482)
  * Add a "SetCustomFieldToNow" scrip action whose Argument is CF name
  * Fix default values config when CustomFieldGroupings introduces
    duplicate CFs (I#32441)
  * Fix ExternalAuth failure after viewing System Configuration
    page (I#32469)
  * Support custom field groupings for groups
  * User searches can now be sorted by user CF

Server Administration
  * Avoid error messages in 4.0.1 upgrade step
  * Improve automatic identification of `find` command
  * Add RefreshIntervals config option for managing homepage and
    dashboard refresh
  * Remove unnecessary conditionals on RT_Config Set calls for Assets (I#32087)
  * Log failure to unlink temp file after email parse (I#32142)
  * Make automatically linking a used article to the ticket configurable
    with $LinkArticlesOnInclude config
  * Add a --webpath option to rt-server
  * Avoid undef warnings with mbox MailCommand and FastCGI
  * Avoid regex deprecation warnings on perl 5.21.1+
  * Avoid issues with modern Perl versions excluding ./ from @INC
  * Reduce log levels of custom field loading issues caused by ordinary
    end-user actions (I#31742)
  * Add Host option for S3 ExternalStorage
  * Add SelfServiceCorrespondenceOnly config to filter history
  * Adapt SMIME probe to work with openssl 1.1
  * Tell S3 each file's content type rather than letting it guess wrong
  * Double bcrypt cost for password hashing
  * Fix unknown address log in ExternalAuth
  * Search $RT::LocalEtcPath for RT_SiteConfig.d includes
  * Avoid "Couldn't load object RT::Transaction #0" warnings (I#31548)
  * Log when Quicksearch wasn't replaced with QueueList as required by
    4.4 upgrade (I#32475)
  * Warn if ServiceBusinessHours config incorrectly specifies Sunday as
    day 7 rather than day 0 (I#32487)
  * Avoid broken DateTime::Locale versions (I#31542)
  * Avoid incompatible DBD::mysql version (I#32670)

Developer
  * /Elements/MessageBox now has a Placeholder parameter
  * /Asset/Elements/SelectCatalog now takes a ShowNullOption parameter
  * /Asset/Elements/SelectStatus now handles multiple lifecycles
  * Support processing time-related transaction CFs on ticket forms
  * Clarify the usage of skip_update in /Ticket/Update.html BeforeUpdate
    callback
  * Pass %ARGS from /Ticket/Modify.html to EditCustomFields
  * Disable reading of RT_SiteConfig.d during tests
  * Fix whitespace-related test failures under Mojolicious 7.0
  * Fix test failures when /usr/bin/sendmail absent
  * Factor out _OutgoingMailFrom into a separate method for extensibility
  * Ensure that Test::NoWarnings is skipped if skip_all is used
  * Fix bug where RT::Ticket->Create's SquelchMailTo would squelch only
    to the first address (I#31600)
  * Avoid test failure caused by hash randomization
  * Add an RT::Ticket->Atomic method for avoiding race conditions and
    deadlocks; if you have a custom page that calls Process* functions or
    $Ticket->ApplyTransactionBatch, consider using $Ticket->Atomic
  * ExternalStorage backends can now store/retrieve files by methods other
    than SHA256 of content by returning the identifier from ->Store
  * Concatenate each JS file with a newline to avoid breakage with custom
    JS files ending with a // comment and no trailing newline (I#32539)
  * Add $InitialdataFormatHandlers to open up initialdata to other formats
  * Set up default args for customizations calling SignEncrypt directly
  * Support managing groups as watchers in REST by specifying group id
  * New callbacks:
      /Elements/ShowCustomFieldWikitext WikiFormatArgs
      /Asset/Search/index.html Initial
      /Search/Elements/Chart AfterChartTable
      /Elements/EditCustomFields ModifyFieldClasses
      /Elements/ShowCustomFields ModifyFieldClasses
      /SelfService/index.html BeforeMyRequests, AfterMyRequests
      /SelfService/Closed.html BeforeMyRequests, AfterMyRequests
      /Ticket/Elements/ShowAttachments BeforeList, AfterList
      /Ticket/Create.html BeforeRequestors
  * Improved callbacks:
      /Elements/Tabs Privileged adds Search_Args, Has_Query, and ARGSRef
          parameters
      /Elements/Tabs SelfService adds ARGSRef parameter
      /Ticket/ModifyDates.html Default adds results parameter
      /Elements/SelectDates BeforeDateInput adds Object, ARGSRef, and
          ShowTimeRef parameters
      /Elements/SelectDates AfterDateInput adds Object and ARGSRef parameters
      /Elements/ShowTransaction Default adds CreatorObj parameter

Documentation
  * Include assets example in CustomFieldGroupings doc (I#32141)
  * Update links to the RT wiki
  * Improve Amazon S3 ExternalStorage docs
  * Improve LDAP import examples
  * Add docs for CustomRoles in initialdata
  * Update mailing list references to point to community forum
  * Improve documentation around creating a custom theme (I#31800)
  * Fix syntax error in SLA examples
  * Document how to include a config file for your extension
  * Add docs/customizing/scrip_conditions_and_action.pod for scrip
    conditions and actions
  * Expand Overlay docs to include many common extension patterns
  * Document how to include custom fields in format strings

Internationalization
  * Improve translatability of "Refresh home page every x minutes." now
    that "x" is configurable with @RefreshIntervals
  * Update translations for: Brazilian Portuguese, Croatian, Czech, Dutch,
    Finnish, French, German, Greek, Latvian, Polish, Russian, Slovenian,
    Spanish, and Swedish

A complete changelog is available from git by running:
    git log rt-4.4.1..rt-4.4.2
or visiting
    https://github.com/bestpractical/rt/compare/rt-4.4.1...rt-4.4.2



More information about the rt-announce mailing list