RT 4.4.6 -- 2022-07-13
RT 4.4.6 is now available for general use. The list of changes
included with this release is below. In addition to the new features
and bug fixes listed below, this release contains security fixes.
https://download.bestpractical.com/pub/rt/release/rt-4.4.6.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.6.tar.gz.asc
SHA-256 sums
1eff5bd9e556b5d6682ccd0e5b2f3dcc2c49a9ec4e215dadb90c4caf5e435e9e rt-4.4.6.tar.gz
f93cefaa0c4d5047118168aa2212752fe4e5906d8696bcf8fc287a2345b53a71 rt-4.4.6.tar.gz.asc
Security
The following security issues are fixed in this release. Thanks to the
Polish Financial Supervision Authority IT Security Department (UKNF)
for reporting the issue below.
-
RT is vulnerable to cross-site scripting (XSS) when displaying attachment
content with fraudulent content types. This vulnerability is assigned
CVE-2022-25802. -
RT did not perform full rights checks on accesses to file or image type
custom fields, possibly allowing access to these custom fields by users
without rights to access to the associated objects (like the ticket it
is associated with).
General user features
- Add a message and link to the new GnuPG key trust admin page
- Update user admin menu to just Keys
- Convert datetime cf values to user timezone on ticket clone
- Search Name/Summary case insensitively for SelfService article search
- Group custom field values by category
- Fix the bug that transaction cfs can not be saved on queue default values page
- Check email of custom role members on ticket create
- Improve checking of CustomFieldValue SortOrder
- Improve "not a unique value" error messages to show more hints
- Validate "unique values" custom fields correctly on web create
- Improve recognition of urlified subject tags
- Support different custom field groupings at category level
Administration
- Add --no-auto-commit option for rt-importer
- Add Article and Asset counts to RT Size
- Add index on ObjectCustomFields.ObjectId
- In rt-shredder CLI tool, make setting sqldump actually work (thanks, grifferz!)
- Suppress warnings with rt-fulltext-indexer --quiet
- Exit success if rt-fulltext-indexer is running
- Add --log support in RT::Interface::CLI
- Explicitly set SSL_verify_mode in mailgate
- In rt-importer, put all dependencies of current object to the head of stack
to reduce memory usage - Support to sync Disabled field for groups in LDAP import
- When shredding users, only replace fields that match the to-be-wiped user
- Replace obsolete AC_HELP_STRING with supported AS_HELP_STRING
- Removed unused Revision macro
- RT 3 is EOL so no one should be configuring an rt3 group
- RT 4 and later do not support modperl 1, remove the option
Documentation
- Document the "quiet" option of rt-importer
- Update docs for rt-fulltext-indexer --quiet
- Add docs on mason cache fix
- Fix incorrect internal doc link
- Fix typo in %CustomFieldGroupings config doc
- Document the "Disabled" field mapping for ldap-import
Internals
- Reduce code duplication of checking formats of CustomFieldGroupings
- Update cf groupings tests for code duplication cleanup
- Failing tests for lifecycles without SeeQueue
- Walk around ACLs when working with lifecycles to avoid incorrect use
of the default lifecycle - Update tests as now user could modify status without SeeQueue
- Update the removed call of RT::Ticket::DueAsString in docs
- Remove obsolete "error" and "warning" methods in rt-fulltext-indexer
- Add test setting select CF to a value not in values list
- Support to canonicalize select values
- Validate cf values in advance before really adding them
- Set values for select CFs used in tests
- Add CF values on user create
- Drop the harmful extra canonicalization code as HasEntry canonicalizes too
- Test datetime cfs edits on ticket clone and edit pages
- Update tests for the default order change of custom field values
- Update EmailAddress index to case insensitive for Pg
- Test queue default values page
- Store mason cache created time in mason interpreter
- Clear callback cache too when mason cache is cleared
- Use mason's remove_object_files instead of implementing it ourselves
- Test "Clear Mason Cache" functionality
- Test user/group Disabled field in LDAP import
- In shredder, avoid duplicated single member group resolvers
- Add multiple db connection tests mainly for Oracle
- In dashboards, pass user object to ShowUser* elements
- Test shredder for user that owns multiple tickets
- Abstract methods to get/set/reset current interface and use them accordingly
- Add tests for current interface
- Update tests for the new canonicalized format of CustomFieldGroupings
- Add tests for queue level cf groupings
- Move query-builder related tests to its own test file
- Test validation of "unique values" custom fields on web UI
- Refactor custom field loop code to make it happy on perl prior to 5.22
- Optionally load RT::Authen::ExternalAuth in case Net::LDAP is not installed
- Make sure to not redirect for logout direct response tests
- In CF grouping, return record class in scalar context for backward compatibility,
specifically with RTIR - Correctly handle custom field groupings on queue default values page
- Test custom field groupings on queue default values page
- Make RT happy with perl 5.36
- Prevent warnings when updating image links in rendered HTML
A complete changelog is available from git by running:
git log rt-4.4.5..rt-4.4.6
or visiting
rt-4.4.5...rt-4.4.6