RT: Request Tracker

RT 3.8.9 Release Notes

We are happy to announce that RT 3.8.9 is now available. You can
download it from:


This release of RT contains 9 months of small improvements and bug fixes. It
includes a fix for the security issue announced here:


If you have previously installed RT-Extension-SaltedPasswords, it will
automatically disable itself after the upgrade. You may then safely
remove it from @Plugins.

Important upgrade notes:

In addition to the normal /opt/rt3/sbin/rt-setup-database upgrade step,
there are a few standalone upgrade scripts you should run. You can find
full details in the "UPGRADING" file in the distribution.  Please review
'UPGRADING FROM 3.8.8 and earlier' and ensure you follow each of the

A list of changes is below.


SHA1 sums

4dc78880220ccc8bf7b49b2c4efca0eeb3372133  rt-3.8.9.tar.gz
95dc126acaba7b5069f83bf042c31e6857e7397f  rt-3.8.9.tar.gz.sig


 * Move to a SHA-256 based password hashing scheme
 * Redirect users to their desired pages after login.
    This prevents possible back button attacks after a user logs out.
 * Clone Scrip's TicketObj since we change the CurrentUser and it can leak
    information (Custom field values, etc)


 * Fixes to the RH Layout in config.layout


 * New AdminCustomFieldValues right that allows user to add/remove CF values, but not edit the CF


 * Add ResolveDefaultUpdateType to choose between Comment or Correspond on Resolve
 * When using Set($MailCommand, 'testfile') log all mail to the same tmpfile
 * Add a callback to allow extensions to redirect a user to an external auth logout URL using RT's logout button. This ensures that the user's RT session is cleared
 * Add SuppressAutoOpenOnUpdate preference


 * Clean up README
 * Update UPGRADING.mysql documentation for users of older mysql
 * Flag that "Let this user be granted rights" means "Privileged"
 * Fix rt-crontool examples to use a real Condition
 * Undocument SenderMustExistInExternalDatabase since the code was never merged
 * Better document SetOutgoingMailFrom
 * Better document shrink_cgm_table.pl


 * Add support for Postgres 9
 * No longer record transactions for ACL Equivalence Groups
 * Don't delete all RT MySQL ACLs before invoke GRANT
 * Quote database name for GRANT on MySQL
 * Insert extensions' schema and acl files as the DBA
 * Fix searches for empty Attachments on Oracle


 * Better handling of mail generated by Outlook
 * When RT's SendmailCommand fails, record it in ticket history
 * New GPG tests and bugfixes for corner cases
 * use EmailOutputEncoding for Content-Type.charset
 * Handle failures in MIME Encoding better
 * Small bugfixes for text/html templates
 * Fix MIME decoding on ticket subjects
 * Remove stray colons and whitespace in the default Admin Comment template


 * Fix an infinite loop when using the 3.4-compat theme
 * Fixes to CollectionList sorting
 * css positioning tweaks for page menus
 * Fixes for Bulk Update when users click 'Add More Files'
 * Skip all watchers when offering to add CCs as Watchers
 * Fix ahah.js to handle more than one CF 'Include page' link
 * Ensure that Nobody is always at the front of the Select Owner list
 * Link Basics in SelfService to the Update page
 * Fix toggling js to only run once
 * Ensure signatures are included in Jumbo edits
 * Better identify (in the UI) a misconfigured GPG setup
 * GPG key management UI updates
 * Add classes/ids to the Custom Field Editing pages
 * CSS Fixes for preferences widgets
 * Fix truncated top values on Charts
 * Wording and layout changes for the 'update password' widget
 * Ensure that we keep Anchor tags on redirects
 * Fix loading a new search on the Chart/Graph pages
 * Change Attachment size label from Bytes to Megabytes
 * Respect timezones in timestamps in /Approvals/
 * Charset fixes for Ticket Attachment downloads
 * Bar graph fixes for large numbers of bars
 * Allow a callback on QuickCreate to pass a default Status
 * Fix Approvals to make one search for approval tickets that distincts and orders them
 * Link from Group Membership lists to User admin pages
 * New callbacks (autohandler, default queue, aborting ticket updates, after requestor on create)
 * Fix non-local local links and add t: syntax
 * Editing Transaction custom fields now shows errors inline
 * Use the ShowUser element more consistently across the UI


 * Improvements to extract-message-catalog (translation tool)
 * Let shrink_cgm_table and shrink_transactions display "percent complete"
 * Added a simple script to naively generate a RTAddressRegexp
 * Install rt-attributes-viewer originally shipped with 3.8.8
 * bin/rt now searches for global configs in LOCAL_ETC_PATH also


 * No longer refuse to start if you upgraded from a version of RT that allowed you to have invalid Scrips
 * Handle broken Reminders links when users change their Organization
 * Trim whitespace from CustomFieldValues consistently
 * RFC2616 dates are always in UTC
 * Scrips can no longer have an empty Condition, Action or Template
 * make multi-value REST fields separated with commas ignore spaces
 * Localize ENV changes under mod_perl
 * Don't page group memberships for a User
 * Skip disabled Queues when a Simple Search term matches a Queue Name
 * Add TransactionObj to CreateTickets templates to match the docs
 * Fix the use of Tickets_Local.pm in rt-email-dashboards and rt-crontool
 * Escape more characters in graphviz output
 * Fix message when you fail to delete a saved search to tell you Permission Denied
 * Include Rules with Scrips when previewing recipients
 * Ensure that distribution upgrades that break Scalar::Util show up in apache logs
 * Fix warnings on empty Collection List headers
 * Log errors from safe_run_child
 * Refuse to run if webmux.pl and RT.pm are mismatched
 * Actually log the error that caused "Can't load a principal for id #"
 * Switch to using $Approver->Name in templates since an AdminCc can approve
 * Allow fastcgi_server to specify a port
 * Guard against SavedSearches with no content
 * Ensure our output is always flagged as utf-8
 * Allow queries like "Priority > -2"
 * Fixes to Private/Public key methods
 * Return 'set private key' from SetPrivateKey, not 'unset private key'
 * Protect STDOUT under mod_perl - among other things, this fixes Scrips that use system()
 * Fix forwarding of messages without a top level textual part