RT: Request Tracker

RT 4.4.7 Release Notes

RT 4.4.7 -- 2023-10-19
======================

RT 4.4.7 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, there are several important
security updates provided in this release. See below for details.

https://download.bestpractical.com/pub/rt/release/rt-4.4.7.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.7.tar.gz.asc

SHA-256 sums

47af1651d5df3f25b6374ff6c1da71c66202d61919d9431c17259fa3df69ae59  rt-4.4.7.tar.gz
01a7707d44c60ce8faece9fe6cb6411c87578137c7e88da7a87c9f29620b5795  rt-4.4.7.tar.gz.asc

Security

The following security issues are fixed in this release. Thanks to
Tom Wolters of Chapter8 and the National Cyber Security Centre in
The Netherlands for reporting these findings.

* RT is vulnerable to accepting unvalidated RT email headers in
incoming email and the mail-gateway REST interface. This vulnerability
is assigned CVE-2023-41259.

* RT is vulnerable to information leakage via response messages returned
from requests sent via the mail-gateway REST interface. This vulnerability
is assigned CVE-2023-41260.

Note that in addition to upgrading to this new version, access to the mail-gateway
REST endpoint can, and in most cases should, be restricted to only the RT
server itself (localhost), since that is where rt-mailgate normally runs. If
rt-mailgate runs on a separate mail host, restrict access to that host's address
instead. This access restriction can typically be applied in the web server
running with your RT (Apache or other). This configuration is documented more
clearly as part of this release, and we recommend that all RT admins review
their web server configuration and consider restricting access to this
mail-gateway REST endpoint.
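The following Apache configuration is an added example of the restriction described above; it is not part of the release notes or of RT's own documentation. It assumes the default mail-gateway path /REST/1.0/NoAuth/mail-gateway (the path rt-mailgate posts to) and that RT is served at the web root; if RT lives under a prefix such as /rt, prepend it to the Location path. The mail-server address in the variant block is a placeholder.

```apache
# Added example: restrict RT's mail-gateway REST endpoint to the RT host itself.
# Assumes RT is served at the web root; with a prefix use
# <Location /rt/REST/1.0/NoAuth/mail-gateway> instead.

# Weak (effectively the default): anyone who can reach RT over HTTP(S) can post
# to the endpoint. The NoAuth path does not require an RT login, so the web
# server is the only place this access can be controlled.
# <Location /REST/1.0/NoAuth/mail-gateway>
#     Require all granted
# </Location>

# Hardened (Apache 2.4): accept only connections that originate on this machine
# (127.0.0.1 / ::1), i.e. rt-mailgate invoked by the local MTA.
<Location /REST/1.0/NoAuth/mail-gateway>
    Require local
</Location>

# Variant: rt-mailgate runs on a separate MX host. 203.0.113.10 is a placeholder
# from the documentation address range; replace it with your mail server's address.
# <Location /REST/1.0/NoAuth/mail-gateway>
#     Require ip 127.0.0.1 ::1 203.0.113.10
# </Location>

# Apache 2.2 equivalent (mod_authz_host syntax before 2.4):
# <Location /REST/1.0/NoAuth/mail-gateway>
#     Order deny,allow
#     Deny from all
#     Allow from 127.0.0.1 ::1
# </Location>
```

Two checks before relying on this: `Require local` and `Require ip` match the TCP peer address, so if a reverse proxy or load balancer on the same host fronts Apache, every request will look local and the rule protects nothing; in that setup either apply the restriction at the proxy or configure mod_remoteip so Apache sees the real client address. After reloading Apache, a POST to the endpoint from any non-local host should return 403, while mail delivered through the local rt-mailgate should continue to create and update tickets.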

General user features

* Include "Create" transactions when checking if there are unread messages
* Support HasUnreadMessages and HasNoUnreadMessages criteria for ticket search
* Make simple search result refresh always function
* Support to download custom field attachments from SelfService
* Allow additional ticket relationship graph directions
* Add the missing Principals autocomplete URL for Self Service
* On the People page, list current user in "All Recipients" if it's a watcher

Administration

* Remove state criteria for invalid utf8 error warnings to allow
  the full-text indexer to continue to run
* Improve template 'Error: public key'
* Don't error if users4 index has been removed
* Update required versions for GD::Graph and Date::Extract
* Make RT work with MySQL 8
* Update DBIx::SearchBuilder to 1.69 to work with MySQL 8
* A client terminating a connection shouldn't kill an FCGI process (thanks andrew!)
* Add configuration option $AllowGroupAutocompleteForUnprivileged
* Allow selection of SSL providers with SMIME
* Add new page where admins can preview results of search modules

Documentation

* Add documentation for using rt-crontool with multiple --action parameters
* Fix formatting in docs for $DateTimeFormat config examples
* Document default Name setting in RT::User
* Provide examples for CanonicalizeEmailAddress match and replace
* Fix docs on RT::Queue::IsWatcher
* Fix the link to RT_Config's External-storage section in pod
* Custom Roles cannot apply globally; correct docs
* Fix typo in transaction-type argument in rt-crontool docs (thanks rob@lonap.net!)
* Fix "Reffered" typo in metadata doc (thanks nreiling!)
* Fix 'followoing' typo in docs (thanks nreiling!)
* Clarify usage of the $EmailSubjectTagRegex setting
* Fix ticket_metadata.pod: Incorrect documentation of parent/child (thanks nreiling!)
* Improve documentation for RT::Search modules
* Document restricting access to the mail-gateway REST endpoint

Internals

* Explicitly check rights when loading and deleting RT System saved
  searches rather than catching with an error
* Don't mark fields in JOIN conditions as limited
* Fix simple ticket search tests to make sure tickets are really found
* Don't default Name to EmailAddress in LoadOrCreateByEmail
* Many changes to improve automated testing via GitHub Actions
* Set MasonLocalComponentRoot via RT->Config->Set so apache can see it
* Encode content for textual "message/..." attachments to fix issues with
  $TreatAttachedEmailAsFiles and some types of messages
* Convert ticket link graph generator to GraphViz2
* Update tests for EN datetime locale change to space
* In sessions, pass datetime in UTC as LastUpdated is stored that way
* Switch to Test::MockTime::HiRes in date api test
* Drop obsolete apache and fastcgi test configs
* Limit ObjectType in articles custom field searches
* Disable buildkit in github tests to continue using the local network feature
* Update expired certificates and related tests
* Don't return ticket details in REST mail-gateway return messages
* Sanitize incoming RT email headers


A complete changelog is available from git by running:
    git log rt-4.4.6..rt-4.4.7
or visiting
    https://github.com/bestpractical/rt/compare/rt-4.4.6...rt-4.4.7