RT: Request Tracker

RT 5.0.3 Release Notes

RT 5.0.3 -- 2022-07-13
======================

RT 5.0.3 is now available for general use. The list of changes
included with this release is below. In addition to the new features
and bug fixes listed below, this release contains security fixes.

https://download.bestpractical.com/pub/rt/release/rt-5.0.3.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.3.tar.gz.asc

SHA-256 sums

e23aee3cb291ccad5e521aeabe0fcd2f076bcfa8b7f801af498a7505e53d8441  rt-5.0.3.tar.gz
6cfc32a9bf2d09768a5ac2b103f21d6675dfc3490c06190562296e5b2082ccce  rt-5.0.3.tar.gz.asc
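The sums above can be checked mechanically before unpacking the release. The shell functions below are an added example, not part of the RT release notes or of the RT project: they compare a downloaded file against the published SHA-256 list and run gpg over the detached signature; the local file path and an already-trusted Best Practical release key in the gpg keyring are assumptions.

```shell
# Added example: verify an rt-5.0.3 download against the sums published
# in these release notes, and check the detached PGP signature if gpg exists.

# The SHA-256 sums exactly as published above.
RT_SHA256_SUMS='e23aee3cb291ccad5e521aeabe0fcd2f076bcfa8b7f801af498a7505e53d8441  rt-5.0.3.tar.gz
6cfc32a9bf2d09768a5ac2b103f21d6675dfc3490c06190562296e5b2082ccce  rt-5.0.3.tar.gz.asc'

# Print the published sum for a file name; exit 1 if the name is not listed.
# Usage: expected_sha256 <name> [sums-text]
expected_sha256() {
    name=$1
    sums=${2:-$RT_SHA256_SUMS}
    printf '%s\n' "$sums" | awk -v n="$name" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# Compute the SHA-256 of a local file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# Compare a local file to the published sum.
# Returns 0 on match, 1 on mismatch, 2 if the name is not in the list.
# Usage: verify_sha256 <path> [name] [sums-text]
verify_sha256() {
    path=$1
    name=${2:-$(basename "$path")}
    sums=${3:-$RT_SHA256_SUMS}
    want=$(expected_sha256 "$name" "$sums") || return 2
    got=$(sha256_of "$path")
    [ "$got" = "$want" ]
}

# Verify the detached signature (<tarball>.asc) over the tarball.
# Assumes the signing key is already imported and trusted; no keys are fetched.
verify_signature() {
    tarball=$1
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$tarball.asc" "$tarball"
}
```

Run verify_sha256 on both the tarball and the .asc file, then verify_signature on the tarball; a non-zero status from either means the download must not be unpacked.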

Security

The following security issues are fixed in this release. Thanks to the
Polish Financial Supervision Authority IT Security Department (UKNF)
for reporting the first two issues below.

* RT is vulnerable to cross-site scripting (XSS) when displaying
attachment content with fraudulent content types. This vulnerability
is assigned CVE-2022-25802.

* RT 5.0 is vulnerable to unvalidated, or open, redirects in ticket
searches. This vulnerability is assigned CVE-2022-25803.

* RT did not perform full rights checks on accesses to file or image type
custom fields, possibly allowing access to these custom fields by users
without rights to access the associated objects (such as the ticket the
custom field is attached to).

As an additional security note, RT 5.0.3 also updates jQuery to
version 3.6.0, which includes a security fix (CVE-2020-11022).

General user features

* Add a message and link to the new GnuPG key trust admin page
* Update user admin menu to just Keys
* Convert datetime cf values to user timezone on ticket clone
* Search Name/Summary case insensitively for SelfService article search
* Group custom field values by category
* Fix a bug where transaction CFs could not be saved on the queue default values page
* Check email of custom role members on ticket create
* Improve checking of CustomFieldValue SortOrder
* Improve "not a unique value" error messages to show more hints
* Validate "unique values" custom fields correctly on web create
* Improve recognition of urlified subject tags
* Support different custom field groupings at category level
* Only use col-2/10 layout for transaction custom fields
* Cache CustomDateRanges in ColumnMap for performance
* Add response/comment css class after CKEditor is fully loaded in dark mode
* Default to not render old appearance of EntryHint for MultiUserRoleInput
* Add tooltip for custom role inputs on search bulk page
* Respect $Name argument in SelectDashboard
* Support specifying the attribute name of the system default dashboard, mainly for RTIR
* Don't trigger inline edit if user clicks links, buttons or their children
* Strip leading/trailing spaces from Group name automatically on create/update
* Support custom roles by name on ticket update
* Switch to link button for "Close" in modal of "Grant Dashboard Rights"
* Support customizing the global MyRT configuration page
* Remove unneeded padding on ticket update
* Try harder to not only wrap help tooltip in labels
* Allow deleting RT addresses from roles
* Remove extra closing </div> element on custom role admin page
* Migrate plain checkboxes to bootstrap's custom-checkbox for consistency
* Show correct tooltips with multiple charts
* Verify PGP signatures on the original decrypted content
* Do not try to decrypt PGP public keys
* Don't warn if mixed newlines are found in decrypted GPG content
* Refresh status for Category select box on custom field edit page
* Remove duplicate my reminders portlet from default dashboard
* Notify user when unable to include an article
* Add configurable search for Include Article
* Allow DefaultCatalog to be unset in Web Interface
* Center values on custom field edit page
* Add the HTML CustomField type
* Allow HTML signatures
* Allow browser spellchecker to work in CKEditor windows
* Fix improper HTML tag nesting in EditDates
* Bypass selectize's client filter by showing all search results
* Change display from block to inline for create elements
* In the Theme editor, restore "try" behavior to the Try button rather
  than saving changes

Administration

* Upgrade jQuery to 3.6.0
* Upgrade jQuery UI to 1.13.0
* Upgrade bootstrap to 4.6.1
* Upgrade bootstrap select to 1.13.18
* Add --no-auto-commit option for rt-importer
* Add Article and Asset counts to RT Size
* Add index on ObjectCustomFields.ObjectId
* In rt-shredder CLI tool, make setting sqldump actually work (thanks, grifferz!)
* Suppress warnings with rt-fulltext-indexer --quiet
* Exit success if rt-fulltext-indexer is running
* Add --log support in RT::Interface::CLI
* Explicitly set SSL_verify_mode in mailgate
* In rt-importer, put all dependencies of the current object at the head of the
  stack to reduce memory usage
* Support syncing the Disabled field for groups in LDAP import
* When shredding users, only replace fields that match the to-be-wiped user
* Replace obsolete AC_HELP_STRING with supported AS_HELP_STRING
* Remove unused Revision macro
* RT 3 is EOL, so no one should be configuring an rt3 group
* RT 4 and later do not support modperl 1; remove the option
* Reduce memory usage for rt-importer
* Suppress incorrect attachment warning when session attachments exist
* Set the UserAssetExtraInfo widget for display on web config page
* Register "Show Details" toggle handler only once for each button in scroll mode
* Remove modperl1 feature from cpanfile

Documentation

* Document the "quiet" option of rt-importer
* Update docs for rt-fulltext-indexer --quiet
* Add docs on mason cache fix
* Fix incorrect internal doc link
* Fix typo in %CustomFieldGroupings config doc
* Document the "Disabled" field mapping for ldap-import
* Add example of adding dot for module installs
* Fix bracket in InitialdataFormatHandlers documentation
* Update recommendation for where to unpack source
* Document the GnuPG key in the %GnuPG configuration in RT::Crypt::GnuPG
* Document how to listen on IPv6 for rt-server
* Fix tls example in ExternalAuth LDAP docs
* Document how to use capath and cafile with LDAP
* Document UserAssetExtraInfo
* Document bind parameter improvements
* Add REST2 interface to docs

Internals

* Reduce code duplication of checking formats of CustomFieldGroupings
* Update cf groupings tests for code duplication cleanup
* Failing tests for lifecycles without SeeQueue
* Walk around ACLs when working with lifecycles to avoid incorrect use
  of the default lifecycle
* Update tests now that users can modify status without SeeQueue
* Update the removed call of RT::Ticket::DueAsString in docs
* Remove obsolete "error" and "warning" methods in rt-fulltext-indexer
* Add test setting select CF to a value not in values list
* Support canonicalizing select values
* Validate cf values in advance before really adding them
* Set values for select CFs used in tests
* Add CF values on user create
* Drop the harmful extra canonicalization code as HasEntry canonicalizes too
* Test datetime cfs edits on ticket clone and edit pages
* Update tests for the default order change of custom field values
* Update EmailAddress index to case insensitive for Pg
* Test queue default values page
* Store mason cache created time in mason interpreter
* Clear callback cache too when mason cache is cleared
* Use mason's remove_object_files instead of implementing it ourselves
* Test "Clear Mason Cache" functionality
* Test user/group Disabled field in LDAP import
* In shredder, avoid duplicated single member group resolvers
* Add multiple db connection tests mainly for Oracle
* In dashboards, pass user object to ShowUser* elements
* Test shredder for user that owns multiple tickets
* Abstract methods to get/set/reset current interface and use them accordingly
* Add tests for current interface
* Update tests for the new canonicalized format of CustomFieldGroupings
* Add tests for queue level cf groupings
* Move query-builder related tests to its own test file
* Test validation of "unique values" custom fields on web UI
* Refactor custom field loop code to make it happy on perl prior to 5.22
* Optionally load RT::Authen::ExternalAuth in case Net::LDAP is not installed
* Make sure to not redirect for logout direct response tests
* In CF grouping, return record class in scalar context for backward compatibility,
  specifically with RTIR
* Correctly handle custom field groupings on queue default values page
* Test custom field groupings on queue default values page
* Make RT happy with perl 5.36
* Encapsulate inline Perl in <%perl> block
* Add callbacks to allow customization of AuthTokens page
* Use bind variables in DBIx::SearchBuilder by default
* Update tests to force BuildSelectQuery to not use bind values
* Refactor bare select queries to use bind values
* Give Pg a hint about the data type of the argument
* Bump DBIx::SearchBuilder to 1.71 to use bind parameters for searches
* Remove duplicated tests
* Drop old REST2 code that's for RT4
* Fix server fatal error for invalid cookie logins in REST2
* Add tests for custom roles on ticket update
* Use a loose regex to cover all DefaultDashboard attributes
* Load queue object in GetDefaultQueue to make sure it's valid and visible
* Add tests for DefaultQueue config rights check
* Abstract "Return to Search Results" and "Hide unset fields" to DropdownMenu
* Separate "collapse" and passed in bodyclass for widget body
* Update tests because of the space removal between label text and help icon
* Test the deletion of RT addresses from ticket roles
* Do not use bind variables in intermediate subqueries
* Add chart tests for queries with JOINs
* Update the EXPORTED version in configure script
* Test GnuPG encrypted+signed+pubkey emails composed by Thunderbird
* Ignore HotList column for RT::Class on importing
* Don't flag properly deleted attributes in rt-validator
* Add RT::Article::Load
* Test group name's leading/trailing spaces removal behavior on create/update
* Add lifecycle_mappings test for case variant statuses
* Search attributes with extra limits on a clean cloned search builder object
* Support canonicalizing content for customized DefaultDashboard attributes
* Set current interface for REST2
* Add current interface tests for REST2
* Call ValidateCustomFields in Ticket/Display.html
* Support searching CLOB fields on Oracle

A complete changelog is available from git by running:
    git log rt-5.0.2..rt-5.0.3
or visiting
    https://github.com/bestpractical/rt/compare/rt-5.0.2...rt-5.0.3