RT: Request Tracker

RT 4.2.10 Release Notes

RT 4.2.10 -- 2015-02-26

RT 4.2.10 contains important security fixes, as well as minor bugfixes.


SHA1 sums

92af386e9c09a0e9489ec1cd55b66c65b77d22be  rt-4.2.10.tar.gz
8e65ce02b62df85c7d679dab8d4bde8ef343ec48  rt-4.2.10.tar.gz.asc

This release is primarily a security release; it addresses CVE-2014-9472,
a denial-of-service via RT's email gateway, as well as CVE-2015-1165 and
CVE-2015-1464, which allow for information disclosure and session
hijacking via RT's RSS feeds.

As part of these security updates, RT's dependency on the Encode module
has been raised: RT now requires Encode 2.64.  If upgrading, be sure to
run rt-test-dependencies to verify that your installed version of Encode
meets this requirement; if not, you will need to install a newer version
from CPAN.
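As an added example (not part of these release notes or the RT distribution), the following POSIX shell script checks the installed Encode version against the 2.64 requirement. The point it makes is that Perl module versions such as 2.64, 2.7 and 2.98 are decimal numbers, not dotted tuples, so a naive "sort -V" style comparison would wrongly reject 2.7; the comparison below is numeric. The function names and the REQUIRED_ENCODE variable are this example's own.

```shell
#!/bin/sh
# Added example: verify that the installed Perl Encode module satisfies
# RT 4.2.10's requirement of Encode >= 2.64.
REQUIRED_ENCODE=2.64

# Return 0 if version $1 satisfies the minimum $2 (default 2.64).
# Perl module versions are decimal numbers: 2.7 is newer than 2.64,
# so compare as floating point rather than as dotted version strings.
encode_version_ok() {
    have="$1"
    need="${2:-$REQUIRED_ENCODE}"
    # awk performs the numeric comparison portably; an empty or
    # non-numeric "have" evaluates to 0 and therefore fails the check.
    awk -v h="$have" -v n="$need" 'BEGIN { exit !(h + 0 >= n + 0) }'
}

# Print the installed Encode version, or nothing if the module is missing.
installed_encode_version() {
    perl -MEncode -e 'print $Encode::VERSION' 2>/dev/null
}

# Overall check: exit 0 when Encode is present and new enough,
# 1 when it is too old, 2 when it is not installed at all.
check_encode() {
    v=$(installed_encode_version)
    if [ -z "$v" ]; then
        echo "Encode is not installed; install Encode >= $REQUIRED_ENCODE from CPAN" >&2
        return 2
    fi
    if encode_version_ok "$v"; then
        echo "Encode $v satisfies the RT 4.2.10 requirement (>= $REQUIRED_ENCODE)"
    else
        echo "Encode $v is too old; install Encode >= $REQUIRED_ENCODE from CPAN" >&2
        return 1
    fi
}
```

Run check_encode on the RT server before the upgrade; rt-test-dependencies remains the authoritative check, since it covers every other RT dependency as well.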

This release is also a bugfix release; most notably, it addresses a bug
which causes RT to generate blank outgoing text/plain parts.  This fix
requires installing the HTML::FormatExternal module, and having an
external tool (w3m, elinks, etc.) installed on the server.

It also introduces indexed full-text searching for MySQL without the
need to recompile MySQL to use the external Sphinx tool; instead, a
MyISAM table is used for indexing.  On MySQL 5.6 and above, an
additional InnoDB table can also be used.

The complete list of changes includes:

General user UI
 * Speed up the default simple search on all FTS-enabled installs by not
   OR'ing it with a Subject match.  This returns equivalent results for
   almost all tickets, and allows the database to make full use of the
   FTS index.
 * Pressing enter in user preference form fields no longer resets the
   auth token (#19431)
 * Pressing enter in ticket create and modify form fields now creates or
   updates the ticket, instead of being equivalent to "add more
   attachments", or to "search" on People pages (#19431)
 * Properly encode headers in forwarded emails that contain non-ASCII
   text (#29753)
 * Allow users to customize visibility of chart/table/TicketSQL in saved
 * Allow groups to be added as requestors on tickets
 * Perform group searches case-insensitively on People page (#27835)
 * Ticket create transactions for tickets created via the web UI now
   contain mocked-up From, To, and Date headers; this causes them to
   render more correctly when forwarded
 * Update wording of error message for saved searches without a
   description (#30435)
 * Flush TSV download every 10 rows, for responsiveness
 * Retain values in Quick Create on homepage if it fails (#19431)
 * Limit the custom field value autocomplete to 10 values, like other
   autocompletes (#30190)
 * Fix a regression in 4.0.20/4.2.4 which caused some users to have
   blank homepages (#30106)
 * Fix styling on "unread messages" box on Ballard and Web2 themes
 * Fix format of Date headers in RSS feeds (#29712)
 * Adjust width of transaction date to accommodate all date formats
 * Allow searching for tickets by queue lifecycle

 * Fix server name displayed at password prompt when RT is deployed at
   a non-root path like /rt (#22708)

 * If the optional HTML::FormatExternal module is installed, use w3m,
   elinks, links, html2text, or lynx to format HTML to text.  This
   addresses problems with the pure-Perl HTML-to-text converter which
   resulted in blank outgoing emails.  (#30176)
 * Add support for native (non-Sphinx) indexed full-text search on
   MySQL.  This uses the InnoDB fulltext engine on MySQL 5.6, and an
   additional MyISAM table on prior versions of MySQL.
 * Support MySQL database names with dashes in them (#7568)
 * Properly escape quotes and backslashes in config options in web
   installer (#29990)
 * Increase length of template title form input
 * Clarify wording on updating old Organization values by rt-validator
 * Resolve a runtime error for SMIME without secret keys (#30436)
 * Empty email addresses are no longer caught as being "an RT address"
   if there exist queues without Correspond addresses set (#18380)
 * Allow Parents/Children/Members/MemberOf in CreateTickets action
 * Allow RT-Originator to be overridden in templates
 * Ensure that HTML-encoded entities are indexed in FTS
 * Fix uninitialized value warnings from charts grouped by date
 * Remove no-op $CanonicalizeOnCreate configuration variable;
   RT::User->CanonicalizeUserInfo is always called
 * Make NotifyGroup action respect AlwaysNotifyActor argument
 * Fix X-RT-Interface header on incoming email on existing tickets
 * Warn on startup if queues have invalid lifecycles set (#28352)

 * Add AfterHeaders callback to ShowMessageHeaders
 * Update all upgrade steps to use .in files (#18856)
 * Add policy tests to enforce the new upgrade step standards
 * Remove +x bit from multiple non-executable files
 * Make Obfuscate callback in configuration options be passed the
   current user, as was documented
 * Remove obsolete _CacheConfig parameters
 * Preferentially use IN rather than multiple OR clauses
 * Respect RowsPerPage for external custom field values
 * Localize default statuses from RT_Config.pm, instead of hardcoding
 * Add callbacks within Dates box after each type of Date
 * Pass the CustomFieldObj down to CustomFieldValue objects intact, so
   its ContextObj can be inspected; this is particularly useful for
   external custom fields.
 * Allow more than one right per @ACL in initialdata
 * Don't hardcode share/html in tests, for non-default layouts
 * Base detection of new themes on presence of main.css file, not
   base.css file (#30554)
 * Allow for relative "lib" in @INC when running tests
 * Allow EditComponentName customfield callback to alter Rows/Cols

 * Memory usage improvements in both serialization and import
 * Templates, Scrips, and ObjectScrips now serialize correctly
   when not cloning

 * Document how to enable un-indexed full-text-search, and its drawbacks
 * Note that after restoring from backups, PostgreSQL may need to have
   statistics updated
 * New documentation on writing portlets
 * Add an =pod directive so the first paragraph of UPGRADING is not
 * Clarify when UPGRADING-x.y steps should be run
 * Better document known bugs with Sphinx FTS
 * Add missing semicolon on Shredder suggested indexes

A complete changelog is available from git by running:
    git log rt-4.2.9..rt-4.2.10
or visiting