RT: Request Tracker
RT 4.4.5 Release Notes
RT 4.4.5 -- 2021-09-14 ====================== We're pleased to announce the general availability of RT 4.4.5. The list of changes included with this release is below. In addition to a large number of updates and fixes, there is one security update provided in this release. https://download.bestpractical.com/pub/rt/release/rt-4.4.5.tar.gz https://download.bestpractical.com/pub/rt/release/rt-4.4.5.tar.gz.asc SHA-256 sums c3025d5fe5bf5479d07318652fa904f4940f5172801a2aae4e397779b519556e rt-4.4.5.tar.gz a00b68c84b8285ee4a2d104ca8f70dc5e4ea478dfd1a5378bcf7369259e10ac0 rt-4.4.5.tar.gz.asc Security * In previous versions, RT's native login system is vulnerable to user enumeration through a timing side-channel attack. This means an external entity could try to find valid usernames by attempting logins and comparing the time to evaluate each login attempt for valid and invalid usernames. This vulnerability does not allow any access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed in this release. General user features * Update Starts on SLA changes even if Starts was already set * Accept usernames for email input fields on ticket create/update * Support group:NAME and group:ID in non-single role input fields * Create an autocompleter for Principals (works with both users and groups) * Support more characters for user/group names in non-single role input fields * Normalize and validate time inputs * Support to generate different dashboard content for each recipient * Use user timezone for date "=" queries in ticket search * Add "Create Via Email" and "Create Via Web" conditions * Fix table wrapping error in Ticket/Update.html * Don't escape queue name in title generation stage as it'll be escaped later * Allow to squelch recipients that also exist in one time inputs * Show all valid statuses on Asset bulk update page * In the datepicker, reset the time part after date input is cleared * Support columns as values in ticket search (ticket values on right-hand side in searches) * Support a friendly syntax for custom field columns as values in ticket search * Allow to specify CF Content/LargeContent columns in the keyword part of SQL * Support role searches like Owner = CF.cid or Owner = Creator * Improve UI of unread messages notification * Sync one time inputs back to checkboxes on ticket update page * Automatically load more txns to fill browser window on scroll history mode * Fix duplicated closing tag for attachment delete links * Remove search string including numbers in ticket autocomplete search on select * Fix RecentlyViewedTickets to deal with shredded/merged tickets * Fix bug that kept 11 tickets in the "recently visited" list instead of 10 * Show dependencies (like dashboards) and confirm before deleting saved searches * Fill up cells of record's last row in search results * Add support of "Lifecycle =" and "Queue LIKE" to GetReferencedQueues for more search options * Support copying saved charts like searches * Fix wrongly duplicated one-time addresses on ticket update page * Add various missing ColumnMap entries * Fix error when removing multiple holders of an asset * Add basic stacked bar chart support * Remove extra closing div on Login/Logout pages * Add option to disable ticket linking in articles by class * Add entry hint as custom field tooltip * Disable submit on enter when input's autocomplete list shows up * Support quoted custom fields as values * Exclude end time when limiting txn date to a day * Trigger UpdateCc/UpdateBcc input change only once when clicking "All recipients" * Sync one-time checkboxes to text inputs in a consistent way * Translate selfservice articles search button * Support shallow searches for ticket roles * Support to search user defined group names in watcher limit * Support order by watcher's custom fields for ticket search * Support more watcher fields including user cfs in search result format * Add more watcher fields including user cfs to OrderBy/Columns in search builder * Upgrade OrderBy "Owner" to new version "Owner.Name" in saved searchs * Create a standard RT Time Worked report * Add grouping by custom roles for ticket search charts * Reduce space used by Current search on Query Builder to avoid saved search overlap * Group by direct members of role groups for ticket search charts * Use Name as the default watcher field in search results * Allow clearing roles on bulk updates page Administration * Generalize Owner logic in Shredder to any Single role group * In shredder, remove SetWatcher rows in transaction history as well * Add setting $AssetMultipleOwner to allow many owners on assets * Default --libs-group value from "bin" to "root" * Add --dry-run option to rt-crontool * In validator, ensure tickets and queues have all of their default role groups, individually * In validator, prompt to create missing default role groups * Skip merged tickets in role groups validation * Allow to create missing queue-level custom role groups when needed * For external auth, support cf mappings like CF.foo and UserCF.foo * Support array and code in attr_map of external auth * Don't quote table names in shredder SQL output * Avoid "Wide character in print" warnings when generating shredder SQL output * Add QuoteWrapWidth option for text quoted during reply/comment * Set the $AttachmentListCount config's default value to 5 * Clarify external auth logging when users are not found * Fix removal of scrips when shredding queues * Avoid errors in shredder when Organization has a hyphen * Avoid errors in shredder when username has a hyphen * Avoid errors in shredder when queue name have a hyphen * Log number of records returned from LDAP search * Support searching NULL(unset) values on user/group admin pages * Only show hints for user CFs configured in external settings on create * Fix removal of custom fields when shredding queues * Add transaction records for dashboard/savedsearch changes * For articles, do not encode HTML if skip Escape HTML option selected * In rt-crontool, add reload-ticket option to refresh metadata before processing * Avoid a known problem version of Mojo::DOM::CSS * Update DBIx::SearchBuilder to 1.68 to avoid segfaults on MariaDB 10.2+ * Add parallel support for crontool * Add Parallel::ForkManager to dependency for parallel crontool * Log the object that exceeds DependenciesLimit in shredder * Remove SetOwner rows in transaction history on user shred * Add ExternalAuth to the exceptions for requiring a password * Reset ObjectCustomField sort order when re-enabling a Custom Field * Update ObjectCustomField sort order only if necessary on re-enable * Pass SavedChartSearchId from chart portlet * Skip rights check when setting default object custom field values * Add support to clear mason cache via web interface * Add LDAP email authentication to External Auth * Don't shred subgroups' member relationships when shredding ticket role groups * Provide a way to select privileged and unprivileged users in admin * Remember IncludeSystemGroups value on page navigation * Add statement-log option to render statement logs in CLI * Support to set sort order of applied custom roles * Show custom roles in correct order on queue watcher and ticket pages * Add no-sqldump option to rt-shredder to avoid generating backups * Add paging support for group Members page * Tweak css for page links to not overflow in Firefox * Add $ShowSearchNavigation option to skip building search navigation links * Add ability to search for disabled users Email Encryption/Signing * Support separate certificates for SMIME encryption and signing * Add encryption and signing options for digest email * Provide an option to skip GnuPG tests * Handle encrypted outgoing emails in digest email * Add OtherCertificatesToSend option for SMIME * Set path to GnuPG binary in GnuPG::Interface constructor * Fix uninitialized warnings of $latest_user_main_key for gpg 2.2 * Handle FAILURE keyword for gpg 2.2 * Add gpg.conf for gpg 2.2 so we can specify passphrase in command line * Update warning message tests for gpg 2.2 * Don't override fingerprint if it exists already * Make t/mail/crypt-gnupg.t pass with gpg 2.2 * Quit gpg-agent after tests for gpg 2.2 * Move signed_old_style_with_attachment.eml to emails directory * Always use temp gpg homedir to get a cleaner env * Add extra ignored keywords for gnupg 2.2.x * Fix unit test to cope with variations in how different versions of OpenSSL print certificates * Default cert-digest-algo from SHA1 to SHA256 * Bump GnuPG::Interface to 1.00 to support gpg 2.2 * Report the cert authority in an "assured by ..." clause * Report the S/MIME signer correctly when there is no EmailAddress * Fix a bug in the logic that suppresses the "email is unsigned" warning * Add AgorithmName to info returned by ParseKeysInfo * For GnuPG, add a tooltip with additional info about the signature * Add ability to download GnuPG public keys * Store and display additional info about S/MIME signatures * Extract email addresses from S/MIME certificates as specified in RFC 5750 * Support SMIME certificate revocation using OCSP/CRL * Add deprecation warnings to RT::Test::GnuPG and RT::Test::SMIME. * Allow specification of outbound signing/encryption protocol on a per-queue basis * In Admin/Users/Keys.html, do not call "UseForOutgoing" when we have no $Queue object * Explain conversion of legacy list args to a hash in CheckRecipients * Add RT::Attachment->CryptStatus method * Fix error if a CA certificate does not define CRLDistributionPoints * Keep entire GnuPG fingerprint; don't truncate to 8 characters * Include S/MIME certificate serial number in tooltip * Add ability to download S/MIME certificates * Switch from key to fingerprint for user PrivateKey * Add admin page to manage GnuPG keys * Show "Preferred GnuPG key" input only if GnuPG is enabled * Migrate remaining RT::Test::SMIME in tests to RT::Test::Crypt * Bump GnuPG::Interface to 1.02 to fix secret key deletion issue for gnupg 2.2 * Disable using WKD on GnuPG tests that might attempt to use the network Developer * In Users autocomplete helper, add Initial callback to access incoming values * Fix Type/Recurse/MaxDepth params in Init callback of /Elements/ShowLinksOfType * Add EndOfHead callback to /Elements/Header * Add BeforeTitleBoxStart callback for ShowHistoryHeader * Add ARGSRef and HasTxnCFs args for Default callback of ShowTransaction * Parse Notify action argument assuming it's comma separated * Default lifecycle type to ticket on SelectStatus * Add support for setting user CFs on create * Add sort for external custom field values * Add callbacks to Forward.html * Add callbacks for customizing report queries * Pass ShowHints via a callback to provide a way to hide hints * Add Initial callback in self service Create.html * Add a callback to modify rights on ticket display sections * Add callback in Users autocomplete helper to modify users limit * Add attribute link support * Add callbacks to Admin->Groups->Members page * Allow RT_HOST to be set via environment variable for testing * Add configuration for CI testing with docker via TravisCI * Update configuration to move CI testing from TravisCI to Github Actions * Add ModifyContent callback to ShowTransactionAttachments * Don't touch attachment content's newlines in REST 1.0 * Encode attachment filename to UTF-8 like other fields in REST 1.0 * Force update MIME encoding for ticket creation via REST 1.0 * Exclude MIME attachments when requesting a transaction's content * Add callback for displaying additional content on admin home page * Fix Type/Recurse/MaxDepth param names for Init callback of ShowLinksOfType * Add ModifySystemAttributes callback to system configuration page * Implement RT::Attribute::CurrentUserCanSee for transaction rights check * Allow for string of user IDs to be passed for exclusion from autocomplete results * Add BeforeOption callback to customize Prefs/Other.html * Add BeforeProcessArguments callback to group members * Add option to render TxnRecipients input in ShowSimplifiedRecipients * Tweak RT::Date to parse ISO-8601 combined date and time representations * Add ModifyCollectionListArgs callback to user admin index page * Add callbacks to user admin index page * Call ApplyTransactionBatch only in the most outer Atomic call * Don't call ApplyTransactionBatch in Atomic when in DryRun mode * Add ValidateValue callback in ValidateCustomFields * Pass term and args to ModifyUsersLimit so it can behave differently based on it * Add ModifyGroupsLimit callback for Groups autocomplete * Sync callbacks of Users/Groups autcomplete to Principals Documentation * Fix configure's --libs-group help string * Add documentation for serializer/importer process * Document columns as values in ticket search * Move SignatureAboveQuote documentation to Message box properties * Fix pod warnings in RT::User docs * Document more helpful shredder indexes * Document DisplayTotalTimeWorked option and default to off * Document additional plackup options via rt-server * Document a fix for perl module permissions problem * Document new queue and lifecycle search options * Apply some changes from updated RT 5 docs * Add external docs images to local * Document recommended Apache MPM for RT * Cite explicit author for eye dropper icon * Add basic POD for RT::ObjectCustomFields * Document different sorting based on Postgresql local setting * Document the timezone comparison fix in UPGRADING * Update Articles docs to include disabling ticket linking * Document shrink-cgm-table upgrade step * Add context to the CF searching documentation * Add docs for new shallow search option * Clarify docs on how to pass additional CLI options to Init * Update rt-shredder documentation * Document the Transaction Batch bug fix * Document the database updates for the Owner.Name change * Convert pod link to private method to code format * Document custom role group search * Add docs for User Time Worked Report * Add docs describing chart group-by with roles * Document $UserAutocreateDefaultsOnLogin only once * Add --user to process dashboard subscriptions for a single user only Internals * Probe system level cache to speed up right check procedure * With Perl 5.18 and later, warn if permissions prevent a site config from being loaded * Switch to SHA-256 for snapshot checksums as in release notes * Reuse CanonicalizePrincipal in DeleteRoleMember * Dump parsed source code instead of "DUMMY" for sub references in tests * Defer AJAX recipients update a little bit to get form's latest status * Switch to "POST" when updating ticket search result format via AJAX * Concatenate strings before encoding conversion to avoid character breakage * Set proper transfer encoding to avoid long lines in email * Fix uninitialized warning in ticket searches with __active__ and __inactive__ items * Add ObjectsForCreating method to support privacy in saved searches * For saved searches, split objects lists for creating and loading * Try harder to get custom field objects to inspect in searches * Use CanonicalizePrincipal to attempt to load users * Handle subject tag if prefixed with http:// by email clients * Only remove extra CF values when they are actually extra * Confirm record is defined before calling id * Remove delete of old CF values as AddValueForObject already handles it * Fall through to false on watcher rights check * Allow queue CF rights to apply on single-queue searches in charts * Clear user CFs from form args if set on create * Add multipart/form-data encoding to EditAboutMe form * Set QUOTEVALUE only if necessary to use default behavior as much as possible * Handle multipart attached emails when TreatAttachedEmailAsFiles is enabled * Load Test::MockTime earlier to fully replace time functions in core * Sort hashes in attribute content to avoid unnecessary updates * Include related transactions for attribute serialization * Check txn's fields for its relationship with ticket * Fix inconsistent datatypes error for Oracle upgrade * Include related links for attribute serialization * Use the correct CurrentUserCanSetOwner return value in menus and ticket display * Avoid running multiple rt-externalize-attachments simultaneously in tests * Cache Roles method for ticket/queue objects * Don't declare variables in modifier statements as behavior is not defined in Perl * Only keep enabled roles in registered list * Tweak AppliesToObjectPredicate as all registered custom roles are enabled * Avoid duplicated items in index.html in generated docs website * Make sure RT::Queue::CustomRoles returns an empty collection if no rights * Filter queue custom roles by checking current user's right * Fix "Case sensitive search by Queues.Name" warnings in GetReferencedQueues * Don't set RowsPerPage if we can't find the pre-defined value * Fall back GroupId to 0 to avoid SQL syntax error * Use subquery when possible in case ticket ids are too many for search chart * Add the missing WebPath to user RelatedData urls * Add the missing WebPath to links in article saved searches * Add username to SQL statment log * Prefix "main." to main columns to avoid "ambiguous column name" error * Don't enable/disable related groups when enabling/disabling custom roles * Group search on queue watchers page is case insensitive * Enable previously disabled custom role groups * Don't recursively add members to ticket role groups in CachedGroupMembers * Check direct group members in recursive member methods for ticket role groups * Check direct group members in rights check for ticket role groups * Exclude ticket role groups for recursive validity check in CachedGroupMembers * Update shrink-cgm-table to remove indirect members of ticket role groups * Check role's direct group members for ticket watcher searches * Check role's direct group members for ticket watcher group searches * Convert simple OR'd statements in TicketSQL to use IN for better performance * Convert more OR'd clauses to use "IN" for performance * Skip internal users in user list on admin page * Convert rt-crontool to RT::Interface::CLI Init function * Add a rule to explicitly handle verbose|v in CLI * Remove Requestors from ticket Accessible as it's not a core field * Exclude user defined groups in role groups for _WatcherJoin * On Pg 9 switch key/value pair if value is CF value and key is not * Support to create ticket/asset role groups lazily * Default PrincipalId to 0 to avoid SQL error for not-existing role groups * Improve RoleGroup method to create the group if asked * Optionally validate Requestor/AdminCc/Cc as they could be lazily created * Ensure values returned from DistinctFieldValues are utf8 * Hide "Total" row for not-distinct results in search chart to avoid confusion A complete changelog is available from git by running: git log rt-4.4.4..rt-4.4.5 or visiting https://github.com/bestpractical/rt/compare/rt-4.4.4...rt-4.4.5