RT: Request Tracker
RT 5.0.8 Release Notes
RT 5.0.8 -- 2025-04-29
======================

RT 5.0.8 is now available for general use. The list of changes included
with this release is below. In addition to a batch of updates, new
features, and fixes, several security issues are addressed. See below for
details.

https://download.bestpractical.com/pub/rt/release/rt-5.0.8.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.8.tar.gz.asc

SHA-256 sums

0a12419c6111c37384e912432cec872109d528657079e363bbe4ddf613e42286  rt-5.0.8.tar.gz
55852e075c068f190444a372df02dae4f324d3c7bf7a4635886849f1805b88a6  rt-5.0.8.tar.gz.asc

Security
--------

The following issues are addressed with these security updates:

* RT 4.4 and 5.0 are vulnerable to Cross Site Scripting via injection of
  malicious parameters in a search URL. This vulnerability is assigned
  CVE-2025-30087. Thanks to Fabian Russwurm and the Siemens Red Team for
  reporting this finding.

* RT 4.4 and 5.0 use the default OpenSSL cipher, 3DES (des3), for
  encrypting SMIME email. This is an outdated cipher algorithm, so the
  default is changed to aes-128-cbc. In addition, we have made this option
  configurable so you can pick an alternate cipher now or in the future,
  or revert to des3 if needed for compatibility. This vulnerability is
  assigned CVE-2025-2545. Thanks to Ángel González Berdasco and
  INCIBE-CERT - Spanish National CSIRT for reporting this finding.

Thanks to Benjamin Vermunicht and Elias Bout of the NATO Cyber Security
Centre (NCSC) for reporting the following two findings.

* RT 5.0 is vulnerable to Cross Site Scripting via JavaScript injection
  in an Asset name. This vulnerability is assigned CVE-2025-31501.

* RT 5.0 is vulnerable to Cross Site Scripting via JavaScript injection
  in an RT permalink. This vulnerability is assigned CVE-2025-31500.
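The following script is an added example, not code from RT or Best Practical. RT shells out to openssl for S/MIME, so the CVE-2025-2545 change comes down to which content-encryption algorithm OpenSSL writes into the CMS EnvelopedData. The script encrypts the same constructed message to a throwaway certificate with the old default (-des3) and the new default (-aes-128-cbc), then reads the algorithm back out of each result. The smime_cipher_of function is the check worth running against a real encrypted message from an upgraded RT instance to confirm it now emits aes-128-cbc; the name of the RT configuration key that selects the cipher is not given in these notes and is not assumed here.

```shell
#!/bin/sh
# Added example (not RT's own code): show the S/MIME content-encryption
# cipher OpenSSL emits for the old RT default (des3) and the new default
# (aes-128-cbc), and a helper to read the cipher back out of a message.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway recipient key and self-signed certificate, constructed for this
# example only; a real check would use a recipient cert from RT's keyring.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=rt-smime-test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# encrypt_with CIPHERFLAG OUTFILE: S/MIME-encrypt a constructed message to
# the test cert using the given openssl cipher flag (-des3, -aes-128-cbc).
encrypt_with() {
    printf 'Subject: cipher check\n\nconstructed test body\n' |
        openssl smime -encrypt "$1" -out "$2" "$WORK/cert.pem"
}

# smime_cipher_of FILE: print the content-encryption algorithm used in an
# S/MIME (CMS EnvelopedData) message, e.g. des-ede3-cbc or aes-128-cbc.
# The base64 S/MIME body is converted to DER and the first cipher OID is
# picked out; the RSA key-transport OID (rsaEncryption) and the name OIDs
# in the recipient's issuer do not match the -cbc/-gcm filter.
smime_cipher_of() {
    openssl cms -in "$1" -cmsout -outform DER 2>/dev/null |
        openssl asn1parse -inform DER |
        awk -F'OBJECT +:' '/OBJECT/ && $2 ~ /-cbc|-gcm/ { print $2; exit }'
}

# decrypts FILE: confirm the recipient can still open the message, i.e.
# that changing the cipher did not break interoperability with its key.
decrypts() {
    openssl smime -decrypt -in "$1" -recip "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" 2>/dev/null | grep -q 'constructed test body'
}

make_test_cert
encrypt_with -des3        "$WORK/old-default.msg"
encrypt_with -aes-128-cbc "$WORK/new-default.msg"

for f in old-default new-default; do
    printf '%-12s content-encryption: %s, decrypts: ' \
        "$f" "$(smime_cipher_of "$WORK/$f.msg")"
    if decrypts "$WORK/$f.msg"; then echo yes; else echo no; fi
done
```

To audit a live deployment, save an encrypted message RT sent (headers and body intact) and run smime_cipher_of on it; des-ede3-cbc in the output means that instance is still using the pre-5.0.8 default. Any cipher name accepted by EVP_get_cipherbyname, such as aes-256-cbc, can be passed to encrypt_with in the same way to try alternatives before choosing one for RT.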
General user features
---------------------

* Make all ckeditor toolbar groups the same height
* Skip recipients with deferred email delivery on encryption check
* Only store address part of emails for UpdateCc/UpdateBcc inputs
* Keep all default values for email inputs
* Disable InlineEdit/EnableJSChart for dashboard mail test via web UI
* Handle an edge case where only search Order contains multiple values
* Fix truncated labels in search filter modal
* Skip rendering filter component for unsupported collections
* Add Active/Inactive in Asset Query Builder status dropdown
* Use the same "right" position value in css and js for topactions
* Strip leading/trailing spaces from Queue name automatically on create/update
* Add Nobody to autocompletion of assets single member roles
* Show default queue name if possible on ticket create
* Add Catalog List portlets
* Fix unbalanced divs in user anonymize modal
* Add user specific fields back for multi-member role GroupBy in search charts
* In ticket history, show scroll if needed for wide content
* Add missing Link columnmap definitions for assets
* Don't return a disabled Default Queue
* Notify the admin if they disabled the system DefaultQueue
* Add loading lazy attribute to img tags in transactions
* Allow users to delete dashboard subscriptions
* Support to specify ReverseHistoryOrderLink in history menu
* Add name attribute to Create New Ticket button
* Highlight active selectize dropdown elements in dark mode
* Highlight autocomplete dropdown items on hover in dark mode
* Fix overflow on ticket search filter modal
* Use owner name instead of id for owner dropdown in search filter
* Improve layout of user preferences page
* Remove modal class selection for creating articles
* Support PriorityAsString in search charts
* Fix main nav overlap on dark theme mobile
* Update prefs page to support single column layout
* Fix resizing quick create asset button
* Update asset simple search for single col layout
* Fix resizing quick create article button
* Update articles overview for single column layout
* Fix titlebox-title overlap on dark theme mobile
* Prevent users from untaking tickets owned by someone else
* Consistently set both $DefaultClass and $ClassObj on article create

Documentation
-------------

* Update Automating RT docs
* Fix typo in shredder pod
* Document Link filtering feature in search result Format
* Fix WithMember arguments in CreateTickets template example
* Include developer upgrade documents in static docs build
* Update RTAddressRegexp docs to align with new IsRTAddress
* Document RT's Unread Messages feature
* Update simple search instructions
* Add screenshot of approval page
* Update asset images to be consistent with other docs

Administration
--------------

* Add Scheduled Processes feature to schedule rt-crontool from the web UI
* Check thoroughly if an email is an RT address
* Internally, always pass import flag value within LDAP import
* Remove duplicate CLI options
* Show system config values instead of user overridden ones on configuration page
* Drop unnecessary and outdated version requirement of DBIx::SearchBuilder
* Migrate rt-externalize-attachments to use RT::Interface::CLI
* Skip unnecessary post actions when importing cloned serialized data
* Support to shred external contents of attachments/objectcustomfieldvalues
* Switch to WebService::Dropbox to use Dropbox API v2
* Implement Delete for Dropbox external storage
* Support updating user data from environment variables
* Set LOCAL_PLUGIN_PATH based on customplugindir in config.layout
* Cache `clear` output to avoid unnecessary system calls for better performance
* Fix endless loop when using --ids
* Add cgm-only mode to rt-validator
* Quote new references to the Groups table for MySQL 8
* Add REST2 /users/privileged and /users/unprivileged endpoints
* Add /Admin/Global/RightsHistory.html page
* Add menu page options for global rights changes history
* Refresh system attributes so new logo can show up right after submission
* Revert "Drop unused submit trigger in lifecycle UI" to allow saves of layout changes
* Add a Custom Role selection page to the Catalog admin pages
* Add LocalizedDate date formatter
* Make the Timezone config option a Select widget
* Add Shredder Plugin for Transactions
* Add Shredder Plugin for Assets
* Add shredder links to Asset and Transaction search
* Add quiet mode for rt-ldapimport for use in cron
* Prevent uninitialized warnings on Logout page
* Wipeout full text index records during shredding
* Quote tables names in shredder generated SQL file

Internals
---------

* Enable SMIME tests
* Document environment variables for Crypt tests
* Update expired test revoked certs by generating them by ourselves
* Make SMIME revocation check with OCSP work with OpenSSL 3
* Test smime encryption behavior for deferred recipients without valid keys
* Test IsRTAddress with queue addresses
* Fix IsRTAddress in CanonicalizePrincipal in case User param is an object
* Test order loop on search result headers where OrderBy contains only one value
* Test config values are not overridden by user prefs on configuration page
* Check singleton before fully loading RT
* Allow user override in RightsInspector Search method
* Update tests as we added ExternalStorageDump plugin
* Test shredding external contents
* Move check for objects referencing external content
* Fix call to _EncodeLOB for ObjectCustomFieldValue records
* Update tests as we added WebRemoteUserAdditionalMapping config
* Add logging for user attribute setting during auto-creation
* Unset input name of custom field value placeholders in query builder
* Add Content arg to ReplaceContent method
* Check OwnTicket on ticket level in case the right is granted on ticket roles
* Test automatic owner change on queue change
* Test chart to group by requestor email
* Change free port detection to how PSGI binds to a port
* Drop unused CGM joins for recursive role member searches
* Do not check Content-Type.charset when guessing charset of email headers
* Pass $self to RT::Group::_AddMember to connect created txns with current object
* Pass queue info to SelectOwner in FilterTickets
* Refactor SQL of RT::Users::WhoHaveGroupRight for better performance
* Update test image with new HTML-RewriteAttributes
* Set obsolete Pragma header only if the content should not be cached
* Cache binary attachments for better performance
* Add tests for Rights Inspector
* Test REST2 /users/privileged and /users/unprivileged endpoints
* Support empty DisplayPath to indicate current URL
* Add Initial callback to /Helpers/Autocomplete/Owners
* Stop using the session to pass report info to JS Chart
* Limit LookupType in search for custom roles applied on a specified object
* Do not override passed in $Transactions in /Elements/ShowHistoryPage
* Clean up unused declared arguments in /Elements/ShowHistory
* Update tests for the deletion of article PreCreate page
* Add overlays support to most RT modules that do not have it yet
* Test overlays of RT packages
* Index Via column of CachedGroupMembers
* Implement cascaded deletion of cached group members on DB level
* Test cascaded deletion of cached group members
* Optimize TicketSQL with watcher bundling for queries without parens
* Access queue name directly when checking configuration settings
* Remove wrongly quoted formats on web config update
* Show unquoted string values on system configuration page
* Update tests for removed quotes
* Remove undesired attributes like "array(0x...)" in link autocomplete inputs

A complete changelog is available from git by running:

  git log rt-5.0.7..rt-5.0.8

or visiting

  https://github.com/bestpractical/rt/compare/rt-5.0.7...rt-5.0.8