RT: Request Tracker

RT 5.0.5 Release Notes

RT 5.0.5 -- 2023-10-19
======================

RT 5.0.5 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, there are several important
security updates provided in this release. See below for details.

https://download.bestpractical.com/pub/rt/release/rt-5.0.5.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.5.tar.gz.asc

SHA-256 sums

90f845daaa436198c334b6e9cf5afb1df9f4445dcc165d0bcae35de9eb9be8ef  rt-5.0.5.tar.gz
0c6f256434ae9d18e08e5267ae0dd6af817378c48a01e9bdc49a7cadbe43c47a  rt-5.0.5.tar.gz.asc

Security

The following security issues are fixed in this release. Thanks to
Tom Wolters of Chapter8 and the National Cyber Security Centre in
The Netherlands for reporting the first two findings.

* RT is vulnerable to accepting unvalidated RT email headers in
incoming email and the mail-gateway REST interface. This vulnerability
is assigned CVE-2023-41259.

* RT is vulnerable to information leakage via response messages returned
from requests sent via the mail-gateway REST interface. This vulnerability
is assigned CVE-2023-41260.

Related to the above, in addition to upgrading to this new version, access
to the mail-gateway REST endpoint can, and in most cases should, be restricted
to the RT server itself (localhost), or, where rt-mailgate runs on a separate
mail host, to that host only. This access restriction is typically applied in
the web server running in front of RT (Apache or other). The configuration is
documented more clearly as part of this release, and we recommend that all RT
admins review their web server configuration and consider restricting access
to this mail-gateway REST endpoint.
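As an added example (not part of these release notes or of RT's own
documentation), the following Apache 2.4 fragment restricts the endpoint to
connections from the RT host itself. It assumes RT is served at the default
WebPath of "/" (prefix the Location path if RT lives under e.g. /rt) and that
the endpoint path is the one rt-mailgate posts to; 192.0.2.10 is a placeholder
documentation address standing in for a separate mail host.

```apache
# Added example: lock down the RT mail-gateway REST endpoint.
# Assumes Apache 2.4 "Require" syntax and RT at WebPath "/".
<Location /REST/1.0/NoAuth/mail-gateway>
    <RequireAny>
        # Loopback and the server's own addresses: this is where
        # rt-mailgate connects from when the MTA runs on the RT host.
        Require local
        # Only if rt-mailgate runs on a separate mail server; the
        # address below is a placeholder, replace it with that host.
        # Require ip 192.0.2.10
    </RequireAny>
</Location>
```

After reloading Apache, a request from any non-listed host, for example
curl -i https://rt.example.com/REST/1.0/NoAuth/mail-gateway, should return
403 Forbidden while rt-mailgate on the permitted host keeps working. One
caveat: Require local and Require ip are evaluated against the address Apache
sees as the client. If a reverse proxy or load balancer on the same machine
sits in front of Apache, every request arrives from a local address and the
restriction no longer protects anything; in that deployment, apply the
equivalent allow-list at the proxy itself, or configure mod_remoteip so that
Apache evaluates the real client address.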

* RT 5.0 is vulnerable to information leakage via transaction searches made by
authenticated users in the transaction query builder. This vulnerability is
assigned CVE-2023-45024. Thanks to edk and bakerst of Libera Chat for reporting
this finding.

* RT 5.0 can reveal information about data on various RT objects in errors and
other response messages to REST 2 requests.

General user features

* Include "Create" transactions when checking if there are unread messages
* Support HasUnreadMessages and HasNoUnreadMessages criteria for ticket search
* Make simple search result refresh always work
* Support downloading custom field attachments from SelfService
* Allow additional ticket relationship graph directions
* Add the missing Principals autocomplete URL for Self Service
* On the People page, list current user in "All Recipients" if it's a watcher
* Align existing attachment list
* Show direct members for charts grouped by watchers in perl calculation
* Add the same separator as ticket cfs for user cfs in Spreadsheet
* Exclude owner email address from one time Cc/Bcc inputs
* Require unique name for Conditions and Actions
* Enable the selectpicker class for multiselect cfs
* Don't highlight "RT for" as the active menu
* Show that a principal is disabled while editing people inline
* Fix empty updates sending emails with html signatures
* Remove mobile restrictions for CKEditor
* Get the Stylesheet of the called user object instead of its CurrentUser
* Tweak quoted selection content and quote it with blockquote for html
* Fix lifecycle new status removal
* Improve Lifecycle validation messages
* Allow normal collection list headers to wrap
* Make search chart tables responsive
* Adjust EmailInput element to use the correct autocomplete helper
* Make Principals Helper compatible with EmailInput element
* Add a __SelectedUser__ search placeholder and portlet to set it
* Do not disable inline edit after errors
* Fix Find Group portlet input size
* Fix Find Asset portlet input size
* Avoid adding duplicated prefixes like "Ticket ID: " on bulk update pages
* Use id prefix for core field update messages consistently
* Rebalance page menu when the entire page (not just DOM) is ready
* Return success when disabling a disabled record via REST 2
* On ticket update, update names in Cc/Bcc select boxes when
  checking/unchecking one-time "All recipients"
* On dashboard edit, drop height CSS rules for each section in source
  selection boxes to prevent overlap

Documentation

* Add documentation for using rt-crontool with multiple --action parameters
* Fix formatting in docs for $DateTimeFormat config examples
* Document default Name setting in RT::User
* Provide examples for CanonicalizeEmailAddress match and replace
* Fix docs on RT::Queue::IsWatcher
* Fix the link to RT_Config's External-storage section in pod
* Custom Roles cannot apply globally; correct docs
* Fix typo in transaction-type argument in rt-crontool docs (thanks rob@lonap.net!)
* Fix "Reffered" typo in metadata doc (thanks nreiling!)
* Fix 'followoing' typo in docs (thanks nreiling!)
* Clarify usage of the $EmailSubjectTagRegex setting
* Fix ticket_metadata.pod: Incorrect documentation of parent/child (thanks nreiling!)
* Improve documentation for RT::Search modules
* Document MySQL 8 support (actual MySQL 8 support was added in RT 5.0.4)
* Document web deployment with apache+proxy_fcgi
* Remove trailing / from mailgate url examples
* Fix users -> uses typo in query builder docs
* Document the new __SelectedUser__ search placeholder
* Remove duplicate REST 2 asset examples
* Document changes to some update messages
* Update NAME header in rt-munge-attachments POD (thanks andrew!)

Administration

* Remove state criteria for invalid utf8 error warnings to allow
  the full-text indexer to continue to run
* Improve template 'Error: public key'
* Don't error if users4 index has been removed
* Update required versions for GD::Graph and Date::Extract
* A client terminating a connection shouldn't kill a FCGI process (thanks andrew!)
* Add configuration option $AllowGroupAutocompleteForUnprivileged
* Allow selection of SSL providers with SMIME
* Add new page where admins can preview results of search modules
* Add RT::Interface::Web::ReportsRegistry package, allowing extensions to
  add custom reports more easily
* Index SortOrder of ObjectCustomFieldValues
* Re-work indexes on Links table
* Bump SearchBuilder to 1.77 to fix a possible sorting issue
* Add a dropdown with values for RedistributeAutoGeneratedMessages config
* Fill up CachedGroupMembers at the end of importer for performance
* Add --all to serializer to export all data with UIDs and not check dependencies
* Reload scrubber rules in the current process when it changes configs
* Create a local version of $RULES{img} to update it dynamically based on configs
* Tweak code logic to short-circuit config checks when img rules are pre-defined
* Update legacy timezones
* Add --limit-queues and --no-queues support for rt-dump-initialdata
* Support dumping and importing CustomFieldDefaultValues attributes by custom field name
* Add new Scrip Logging page
* In the Lifecycle editor, set on_create status only if it's absent
* Add expiration option for auth tokens

Internals

* Explicitly check rights when loading and deleting RT System saved
  searches rather than catching with an error
* Don't mark fields in JOIN conditions as limited
* Fix simple ticket search tests to make sure tickets are really found
* Don't default Name to EmailAddress in LoadOrCreateByEmail
* Many changes to improve automated testing via Github Actions
* Set MasonLocalComponentRoot via RT->Config->Set so apache can see it
* Encode content for textual "message/..." attachments to fix issues with
  $TreatAttachedEmailAsFiles and some types of messages
* Convert ticket link graph generator to GraphViz2
* Update tests for EN datetime locale change to space
* In sessions, pass datetime in UTC as LastUpdated is stored that way
* Switch to Test::MockTime::HiRes in date api test
* Drop obsolete apache and fastcgi test configs
* Limit ObjectType in articles custom field searches
* Disable buildkit in github tests to continue using the local network feature
* Update expired certificates and related tests
* Pass action to GetCurrentUser of email interface
* Tweak Serialize methods for REST2 where no serializer arg is passed
* Do not quote bind numbers for SQLite
* Add rt-clean-attributes to git ignored files
* Create a new object to avoid circular references that happen on RT::CurrentUser
* Fix memory leaks in recursive anonymous subroutines
* Add new utilities to Makefile.in (thanks firefart!)
* Support WebPath configuration when checking ResultPage
* Get query string from REQUEST_URI for correctness and also better performance
* Support running tests with apache+proxy_fcgi
* Remove trailing artifacts before adding query part
* Check return value of CanonicalizePrincipal in case username/email is invalid
* Drop the useless /s as the regexes don't contain "."
* No need to check listen address if FCGI is managed by Server::Starter
* Wrap raw "do" SQL into eval to show more error details
* Reduce unnecessary Load calls after creation for performance
* No need to convert ascii strings
* Support creating principals in a batch beforehand
* Tweak UID generation code and also cache user UID for performance
* Skip rights checks for serializer/importer
* Cache various objects for records
* Skip rights check on ACE access for system user
* Skip rights check on Attachment access for system user
* Avoid duplicates of postponed id resolution
* Add batch mode to importer for data serialized with --clone or --all
* Serialize/Import subscriptions correctly
* Serialize/Import bookmarks correctly
* Filter class rights before adding to IN clause
* Allow setting columns to their default value or NULL
* No need to explicitly set SubjectTag as it's NULL by default
* Convert empty strings to NULL for Category of CustomFieldValues
* Pass $message to the ModifyContent callback
* Remove unused local variable that is very misleading
* Don't generate $args that is equal to '?'
* Append $args to "Edit Search" even if we have no query
* Add default value for calls to LookupType
* Fix typo: this block is to check GroupId
* ACL in initialdata is applied globally by default
* Handle system internal and role groups for ACL deletion in initialdata
* Do not keep track of ObjectScrips ids when calculating changes
* Calculate ObjectCustomField changes based on source RT if possible
* Handle ObjectScrip updates for scrips in initialdata
* Handle ObjectCustomRole updates for custom roles in initialdata
* Handle ObjectClass updates for article classes in initialdata
* Add methods for adding and removing a logger
* Add LogScripsForUser config option
* Add logging of all scrip stages
* Add HasLogs column for Scrips
* Add HasLogs to Scrip AdminSearchResultFormat
* Add Logging tab to Scrip Admin menu
* Show Scrip errors for UserDefined code
* Set on_create status only if it's absent
* Fix typo in time left label param


A complete changelog is available from git by running:
    git log rt-5.0.4..rt-5.0.5
or visiting
    https://github.com/bestpractical/rt/compare/rt-5.0.4...rt-5.0.5