RT: Request Tracker
RT 5.0.9 Release Notes
RT 5.0.9 -- 2025-10-22
======================

RT 5.0.9 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, several security issues are addressed. See below for details.

https://download.bestpractical.com/pub/rt/release/rt-5.0.9.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.9.tar.gz.asc

SHA-256 sums

913e9403ad422e0064ac9378baf2b13ba2b4c0119c891fe2cb4f2b51f3a5aeb8  rt-5.0.9.tar.gz
e357206ebcd9d1615fb6dba668963502ad1a920b3c66ac6cbcbba47fb59621d1  rt-5.0.9.tar.gz.asc

Security

The following security issues are fixed in this release.

* RT 5.0 is vulnerable to CSV injection via ticket values with special characters that are exported to a TSV from search results. This vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones from 4armed for reporting this finding.
* RT 5.0.4 - 5.0.8 are vulnerable to XSS via calendar invitations added to a ticket. This vulnerability is assigned CVE-2025-9158. Thanks to Mateusz Szymaniec and CERT Polska for reporting this finding.

General user features

* Remove submit blocking class on back button click
* Remove duplicate Asset entry in the shredder objects list
* Add missing WebPath for modify scheduled process (thanks zach.kelly!)
* Default to the current class for existing articles
* Add user config option to disable keyboard shortcuts (thanks gibus!)

Documentation

* Fix typo after rt-clean-sessions link in README
* Provide guidance on starting a test server (thanks andrew!)
* Document the ModifySuggestions callback change
* Improve formatting for @EmailDashboardLanguageOrder docs

Administration

* Support to update extension configs via web UI
* Check meta IsJSON to determine if config is JSON
* Make doc_url optional for plugin config options
* Add NoReset config meta option
* Do not allow to change $SendmailPath from web UI for security
* Merge extension config meta with existing meta
* Refactor stringify code to simplify logic for config edit page
* Fix current value of DefaultQueue on config edit page when it's queue name
* Show default queue's name on configuration page and config updated messages
* Support import/export of @Configuration for JSON serializer
* Process Configurations before other RT objects in initialdata
* Do not exclude ___Approvals queue in dumped json file
* Support custom roles in CreateTickets templates (thanks @bdragon300!)

Internals

* Update importer SQL to correctly interpolate groups table names
* Convert <style> blocks to inline before scrubbing the HTML
* Enable encode_entities and ignore_style_type_attr options for CSS::Inliner
* Bypass ACL cache for owner validation on ticket queue change
* Ensure changes are committed when adding CGM records without auto-commit
* Add dashboards to menu by id instead of name
* Count imported objects from cloned serialized data
* The path argument should not use loc() (thanks @mkosmach!)
* Align Articles autocomplete helper callback with other similar callbacks
* Don't export removed CleanEnv (thanks buehler!)
* Add support to set default value(s) at CustomField creation (thanks elacour!)
* Skip CSS::Inliner for content over 1MB in size
* Log unresolved ticket failures at warning log level
* In the importer, ensure SQL batches stay under 256MB

Testing

* Update docker image for tests
* Update GitHub actions/checkout to v4
* Update GitHub actions/cache to v4
* Update simple-slack-notify GitHub action
* Confirm that all of the shredder plugin pages load correctly
* Test owner updates on queue change
* Test showing incorrect class for new article
* Add tests for Configurations export/import
* Update dashboard tests to use id instead of name
* Add a groups test to the rights inspector test
* Add github actions config for rt-server tests with Oracle
* Run github actions with updated 6.0.2 docker image
* Test adding custom field DefaultValues on create
* Add tests for custom role support in CreateTickets
* Add tests for running Update-Tickets via CreateTickets template
* Add tests for SetStatus action used with rt-crontool
* Run tests against postgresql 16.10

A complete changelog is available from git by running:

    git log rt-5.0.8..rt-5.0.9

or visiting

    https://github.com/bestpractical/rt/compare/rt-5.0.8...rt-5.0.9