RT: Request Tracker

RT 6.0.2 Release Notes

RT 6.0.2 -- 2025-10-22
======================

We're pleased to announce the general availability of RT 6.0.2. This
release adds significant new features, including a calendar view for
saved searches, enhanced history filtering and paging, and comprehensive
memory management improvements. Details on these and other updates,
bug fixes, and enhancements are below. This release also contains
the security fixes noted below.

https://download.bestpractical.com/pub/rt/release/rt-6.0.2.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-6.0.2.tar.gz.asc

SHA-256 sums

f3706fcfd2a6dfbdea58f3e9c64a7d17ae39bdd5928aeac61c4767f30f6b05c4  rt-6.0.2.tar.gz
8b19db97e2f33e49c75155b8827b5c6cda9ba4e379f81a80a383d4af57638e95  rt-6.0.2.tar.gz.asc

Security

The following security issues are fixed in this release.

* RT 6.0 is vulnerable to CSV injection via ticket values with special
characters that are exported to a TSV from search results. This
vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones
from 4armed for reporting this finding.

* RT 6.0 is vulnerable to XSS via calendar invitations added to
a ticket. This vulnerability is assigned CVE-2025-9158. Thanks to
Mateusz Szymaniec and CERT Polska for reporting this finding.
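
The CSV injection item above concerns ticket values that a spreadsheet evaluates as formulas when a TSV export is opened. The following script is an added example, not RT's code and not the fix shipped in 6.0.2: it audits a tab-separated export for such cells and neutralizes them. The sample data, the column names and the assumption that the first column is the ticket id are constructed for illustration.

```python
import csv
import io
import re

# Leading characters that spreadsheets may interpret as the start of a formula
# (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# Plain signed numbers such as "-5" or "+3.25" are data, not formulas.
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

# Constructed sample export; column names and values are illustrative only.
SAMPLE_TSV = (
    "id\tSubject\tTimeWorked\n"
    "101\tPrinter offline\t15\n"
    "102\t=1+1\t-5\n"
    "103\t@home user cannot log in\t0\n"
    "104\t+1 555 0100 call back\t30\n"
)

def is_risky(cell):
    """True if the cell starts with a formula trigger and is not a plain number."""
    return cell.startswith(FORMULA_TRIGGERS) and not PLAIN_NUMBER.fullmatch(cell)

def neutralize(cell):
    """Prefix a risky cell with an apostrophe so it is handled as text."""
    return "'" + cell if is_risky(cell) else cell

def audit_tsv(text):
    """Return (first column, column name, value) for every risky data cell."""
    rows = csv.reader(io.StringIO(text), delimiter="\t")
    header = next(rows)
    return [
        (row[0], header[i] if i < len(header) else f"column {i}", cell)
        for row in rows
        for i, cell in enumerate(row)
        if is_risky(cell)
    ]

def sanitize_tsv(text):
    """Rewrite the export with every risky cell neutralized."""
    out = io.StringIO()
    writer = csv.writer(out, delimiter="\t", lineterminator="\n")
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue()

if __name__ == "__main__":
    for finding in audit_tsv(SAMPLE_TSV):
        print("risky cell:", finding)
    print(sanitize_tsv(SAMPLE_TSV), end="")
```

Signed numbers are deliberately left alone so numeric columns keep their values; any other cell starting with a trigger character is prefixed.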

General user features

* Remove submit blocking class on back button push
* Add user config option to disable keyboard shortcuts (thanks gibus!)
* Add autocomplete feature for article search in top menu
* Add delete column for HTML CF on bulk update
* Support article autocomplete in SelfService
* Use SimpleSearch for article searches from top menu
* Show no results message for article search page
* Refactor SelfService article search to be consistent with privileged
* Style article autocomplete to fit in the top menu
* Remove hide control from article display component
* Display lifecycle name in Queue list (thanks @tbrumm!)
* Add calendar as a new display option for saved searches
* Add grid icon for selecting saved search display mode
* Add a modal that shows all assigned calendar date colors
* Support to dynamically select view mode for saved searches
* Show popup with ticket details when hovering over calendar entries
* Display popup values based on the Format
* Expand first items for multiple-day events in each week
* Display just ticket subject in calendar day entries
* Remove redundant browser tooltip from calendar events
* Show an error message when no dates for calendar are found
* Allow for ticket to move position up on calendar
* Clean up calendar styles and make it work with dark theme
* Add ticket history search to History menu
* Add a transaction type filter to history
* Save History filter settings in page layout
* Restore link style reverse history option for other history pages
* Show filtering options only for tickets and assets
* Add paging support to asset history widget
* Set paging options via the History widget in page layouts
* Add a new paging option for displaying ticket history
* Limit page layout history options for assets
* Apply page-specific history filters from page layout config for assets
* Amend paging support of asset history widget
* Make "Reverse history order" work on selfservice asset history page
* Scroll to the top of the history window on page change
* Make history options work with history search
* Make filter form work with all history display modes
* Close the history filter menu on apply
* Respect empty type list when user deselects all transaction types
* Show search history input only if fulltext search is enabled
* Enable history search in self service
* Respect history search state when refreshing history after inline edits
* Remove the border color override and use bootstrap default
* Support to quickly correspond/comment on tickets from search results
* Show TimeTrackingDisplayCF on the user time worked report
* In articles autocomplete, page until we get max results
* Pause auto-refresh on saved searches in preview mode
* Notify the user that the display mode change is a preview
* Keep the saved search refresh button on the left
* Initialize TomSelect objects for new cloned modals in page layouts
* Determine custom role visibility based on page layout
* Hide Visibility page for asset custom roles
* Add page layout history link for queue history
* Reduce modal width for ticket/asset filters
* Use default bootstrap table styles and remove custom CSS
* Avoid the blue outline for svgs on focus
* Align tom-select input focus borders with RT inputs
* Standardize menus in titlebox headers
* Update AddWatchers for the new @HiddenRoles argument

Documentation

* Don't reference specific versions in headings
* Provide guidance on starting a test server (thanks andrew!)
* Document the ModifySuggestions callback change
* Improve formatting for @EmailDashboardLanguageOrder docs
* Add docs for the new calendar display mode
* Document the new custom role visibility location

Administration

* Process Configurations before other RT objects in initialdata
* Do not exclude ___Approvals queue in dumped json file
* Support changing the name of a page layout
* Support custom roles in CreateTickets templates (thanks @bdragon300!)
* Allow From to be passed as an argument to Forward (thanks @MarkHofstetter!)
* Add support to set default value(s) at CustomField creation (thanks elacour!)
* Update deprecation warning messages
* Skip the whole dormant period for old tickets when calculating SLA Due
* Decode arguments parsed from URI for htmx internal redirects
* Update page layout config when queue name changed
* Fix syntax error in ticket search filter
* Make REST2 optional and load only for the web server
* Add Watcher transactions to the short filter list
* Add Link transactions to the short filter list
* Support AfterCustomFieldValue callback after code refactor
* Add callbacks for link editing and display (thanks zach.kelly!)
* Add EndOfPage callback on article display page (thanks zach.kelly!)
* Deprecate old HiddenForURLs methods for custom roles
* Defer loading DateTime to reduce memory at startup
* Document memory saving tips for CLI
* Provide a way to override any RT config option in CLI tools
* Ensure SQL batches stay under 256MB
* Skip CSS::Inliner for content over 1MB in size
* Log unresolved ticket failures at warning log level
* Log forwarded IP address when running behind a reverse proxy (thanks
@wheldom01!)

Internals

* Update importer SQL to correctly interpolate groups table names
* Do not trigger any other htmx requests on parents for reload events
* Use Time::HiRes to ensure we can find Time::HiRes::time (thanks andrew!)
* Ensure changes are committed when adding CGM records without auto-commit
* Add dashboards to menu by id instead of name
* Count imported objects from cloned serialized data
* The path argument should not use loc() (thanks @mkosmach!)
* Align Articles autocomplete helper callback with other callbacks
* Don't export removed CleanEnv (thanks buehler!)
* delay is no longer the default for ShowHistory
* Dispose datepicker (tempusDominus) objects for elements to be swapped out
* Clean up obsolete hasDatepicker class that was from old jQueryUI
* Destroy TomSelect and Dropzone objects for elements to be swapped out
* Destroy CKEditor objects for elements to be swapped out
* Dispose bootstrap orphan tooltip/popover/dropdown/modal objects
* Update page layout config when queue name changed
* Eliminate redundant transaction detail click event listeners
* Migrate event listeners for menu dropdown to delegation
* Tweak js event listeners to not reference to themselves
* Avoid creating unnecessary global variables to prevent memory leaks
* Clean up js code for obsolete IE
* Drop obsolete style tweak for dropdowns in page menu
* Hide tooltips for dropdown elements in history widget header
* Use optional chaining for existing tom-select destroy
* Register dynamic modal handlers only once
* Batch updates to reduce the number of forced layouts in the browser
* Restrict day evaluation to the visible calendar month
* Reduce the blank padding around each day
* Calculate last day border width
* Ensure left and right side borders show correctly
* Ensure date selection form has correct hx-target
* Add dropup direction for TomSelect dropdowns
* Remove noisy debug log messages no longer needed
* Update tom-select build instructions to include overrides
* Refactor GetCalendarTickets to return a single data structure
* Refactor handling for multiple day calendar events
* Run a PreCheck to check for linked Assets
* Run a PreCheck for configured ProcessArticles
* Run a PreCheck for configured LinkedQueues
* Run a PreCheck step for widgets that may not display
* Apply page-specific history filters from page layout config
* Limit the asset type list to relevant types
* Adapt history changes to work with assets
* Convert history actions to htmx and retain search options
* Use TicketList for History filter
* Add a TicketList mode for abbreviated transaction list
* Create GetTransactionTypes to provide a list of valid types
* Switch to vanilla tooltip initialization method
* Remove unnecessary blessed object arguments from paged history URL

Testing

* Add selenium test for include article feature on ticket update page
* Update dashboard tests to use id instead of name
* Test article menu searches
* Test SLA Due date for long-dormant tickets
* Add a groups test to the rights inspector test
* Use different attribute search examples (thanks zach.kelly!)
* Add github actions config for rt-server tests with Oracle
* Run github actions with updated 6.0.2 docker image
* Test UTF-8 data for ticket simple search
* Test adding custom field DefaultValues on create
* Add tests for the upcoming custom role support in CreateTickets
* Add tests for running Update-Tickets via CreateTickets template
* Add tests for SetStatus action used with rt-crontool
* Run tests against postgresql 16.10
* Add tests for calendar functions
* Demonstrate missing results from article autocomplete
* Pass necessary widget arguments for mechanize tests
* Update tests for custom role visibility changes

A complete changelog is available from git by running:
    git log rt-6.0.1..rt-6.0.2
or visiting
    https://github.com/bestpractical/rt/compare/rt-6.0.1...rt-6.0.2