[rt-users] [rt-announce] RT 4.0.8 Released

Alex Vandiver alexmv at bestpractical.com
Thu Oct 25 17:51:29 EDT 2012

RT 4.0.8 contains important security fixes, in addition to bugfixes.


SHA1 sums

7be074e86929c69b4f17d10503646ff070f7fa3b  rt-4.0.8.tar.gz
7ee1ecf25a99472d0d75665ed577941cb94c64e7  rt-4.0.8.tar.gz.sig

This release, in addition to being a bugfix release, also resolves a
number of security vulnerabilities.  It resolves CVE-2012-4730,
CVE-2012-4731, CVE-2012-4732, CVE-2012-4734, CVE-2012-4735, and

* Custom Fields BasedOn can be set from intialdata again.
* Fix the 3.8.4 NotifyGroup upgrade script to properly join notification
  groups with a comma.
* Correct the use of the 'approved' state from Lifecycles.  It is now
  used only when all approvals are completed.
* Use database-level row locking to ensure that scrips do not suffer
  from race conditions with scrips from other processes.
* Remove multiple slashes so that page menus display and the active item
  is correctly highlighted.
* Improve MaxAttachmentSize documentation.
* Ensure that ticket links in the iCal feed are CSRF whitelisted.

* New alias validator sbin/rt-validate-aliases which helps keep RT and
  /etc/aliases in sync.
* Add support for GPG mails in inline format (PGP partitioned encoding)
  that are also encoded for transfer with Base64 or quoted printable.
* Add a BeforeLocalization callback to message headers.
* If you have DBIx::SearchBuilder 1.62 or higher and are using full
  text indexing on Pg or Oracle, rt-fulltext-indexer uses a faster query
  to find unindexed attachments.

* Add rt-apache for running a test instance of apache.
* Add the rt-static-docs tool for generating HTML versions of our docs.

A complete changelog is available from git by running 

git log rt-4.0.7..rt-4.0.8
or visiting

 - Alex

rt-announce mailing list
rt-announce at lists.bestpractical.com

More information about the rt-users mailing list