github bestpractical/rt rt-5.0.9

RT 5.0.9 -- 2025-10-22

RT 5.0.9 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, several security issues are
addressed. See below for details.

https://download.bestpractical.com/pub/rt/release/rt-5.0.9.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.9.tar.gz.asc

SHA-256 sums

913e9403ad422e0064ac9378baf2b13ba2b4c0119c891fe2cb4f2b51f3a5aeb8 rt-5.0.9.tar.gz
e357206ebcd9d1615fb6dba668963502ad1a920b3c66ac6cbcbba47fb59621d1 rt-5.0.9.tar.gz.asc

Security

The following security issues are fixed in this release.

  • RT 5.0 is vulnerable to CSV injection via ticket values with special
    characters that are exported to a TSV from search results. This
    vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones
    from 4armed for reporting this finding.

  • RT 5.0.4 - 5.0.8 are vulnerable to XSS via calendar invitations added to
    a ticket. This vulnerability is assigned CVE-2025-9158. Thanks to
    Mateusz Szymaniec and CERT Polska for reporting this finding.
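
The CSV/TSV injection class behind CVE-2025-61873 is mitigated by neutralizing any cell that a spreadsheet would read as a formula before it is written to the export. The following Python is an added defender-side illustration of that mitigation, not RT's code or its actual fix; the ticket rows are constructed sample data and the function names are assumptions.

```python
import io
import re

# Characters that make a spreadsheet treat a cell as a formula when they
# appear at the start (after optional whitespace): = + - @ and the control
# characters tab and carriage return, which some applications also honour.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return a string that is safe to place in one TSV cell.

    Embedded tabs, newlines and carriage returns become spaces so a ticket
    value cannot break out of its cell or row, and a value a spreadsheet would
    read as a formula is prefixed with a single quote, which spreadsheets
    treat as "this cell is text".
    """
    text = "" if value is None else str(value)
    text = re.sub(r"[\t\r\n]", " ", text)
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        text = "'" + text
    return text


def export_tsv(headers, rows) -> str:
    """Render a header row plus data rows as TSV with every cell neutralized."""
    out = io.StringIO()
    out.write("\t".join(neutralize_cell(h) for h in headers) + "\n")
    for row in rows:
        out.write("\t".join(neutralize_cell(c) for c in row) + "\n")
    return out.getvalue()


# Constructed sample rows standing in for ticket search results; the values
# in rows 2-4 are the kind of user-entered text a spreadsheet would otherwise
# evaluate or let break out of its column.
SAMPLE_HEADERS = ["id", "Subject", "Requestor"]
SAMPLE_ROWS = [
    [1, "Printer offline", "alice@example.com"],
    [2, "=SUM(A1:A10)", "bob@example.com"],
    [3, "-10% discount\tapplied", "carol@example.com"],
    [4, "  +1 this", "dave@example.com"],
]

if __name__ == "__main__":
    print(export_tsv(SAMPLE_HEADERS, SAMPLE_ROWS), end="")
```

Legitimate values that start with "-" (negative numbers, for instance) also receive the prefix and will import as text; narrow FORMULA_TRIGGERS only if the export must keep them numeric and the consuming application is known not to evaluate them.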

General user features

  • Remove submit blocking class on back button click
  • Remove duplicate Asset entry in the shredder objects list
  • Add missing WebPath for modify scheduled process (thanks zach.kelly!)
  • Default to the current class for existing articles
  • Add user config option to disable keyboard shortcuts (thanks gibus!)

Documentation

  • Fix typo after rt-clean-sessions link in README
  • Provide guidance on starting a test server (thanks andrew!)
  • Document the ModifySuggestions callback change
  • Improve formatting for @EmailDashboardLanguageOrder docs

Administration

  • Support updating extension configs via the web UI
  • Check meta IsJSON to determine if config is JSON
  • Make doc_url optional for plugin config options
  • Add NoReset config meta option
  • Do not allow $SendmailPath to be changed from the web UI, for security
  • Merge extension config meta with existing meta
  • Refactor stringify code to simplify logic for config edit page
  • Fix current value of DefaultQueue on config edit page when it's queue name
  • Show default queue's name on configuration page and config updated messages
  • Support import/export of @configuration for JSON serializer
  • Process Configurations before other RT objects in initialdata
  • Do not exclude ___Approvals queue in dumped json file
  • Support custom roles in CreateTickets templates (thanks @bdragon300!)

Internals

  • Update importer SQL to correctly interpolate groups table names
  • Convert <style> blocks to inline before scrubbing the HTML
  • Enable encode_entities and ignore_style_type_attr options for CSS::Inliner
  • Bypass ACL cache for owner validation on ticket queue change
  • Ensure changes are committed when adding CGM records without auto-commit
  • Add dashboards to menu by id instead of name
  • Count imported objects from cloned serialized data
  • The path argument should not use loc() (thanks @mkosmach!)
  • Align Articles autocomplete helper callback with other similar callbacks
  • Don't export removed CleanEnv (thanks buehler!)
  • Add support to set default value(s) at CustomField creation (thanks elacour!)
  • Skip CSS::Inliner for content over 1MB in size
  • Log unresolved ticket failures at warning log level
  • In the importer, ensure SQL batches stay under 256MB

Testing

  • Update docker image for tests
  • Update GitHub actions/checkout to v4
  • Update GitHub actions/cache to v4
  • Update simple-slack-notify GitHub action
  • Confirm that all of the shredder plugin pages load correctly
  • Test owner updates on queue change
  • Test showing incorrect class for new article
  • Add tests for Configurations export/import
  • Update dashboard tests to use id instead of name
  • Add a groups test to the rights inspector test
  • Add github actions config for rt-server tests with Oracle
  • Run github actions with updated 6.0.2 docker image
  • Test adding custom field DefaultValues on create
  • Add tests for custom role support in CreateTickets
  • Add tests for running Update-Tickets via CreateTickets template
  • Add tests for SetStatus action used with rt-crontool
  • Run tests against postgresql 16.10

A complete changelog is available from git by running:
git log rt-5.0.8..rt-5.0.9
or visiting
rt-5.0.8...rt-5.0.9