Security vulnerability in RT 4.2.x - CVE-2014-7227

We have discovered a security vulnerability in RT 4.2.x, detailed below. We are releasing RT version 4.2.8 to resolve this vulnerability, as well as patches which apply atop all released versions of 4.2.

RT 4.2.0 and above may be vulnerable to arbitrary execution of code by way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or CVE-2014-6271 -- collectively known as "Shellshock." This vulnerability requires a privileged user with access to an RT instance running with SMIME integration enabled; it applies to both mod_perl and fastcgi deployments. If you have already taken upgrades to bash to resolve "Shellshock," you are protected from this vulnerability in RT, and there is no need to apply this patch. This vulnerability has been assigned CVE-2014-7227.

As there is no SMIME integration available for RT 4.0, it is not vulnerable to this attack. The RT-Crypt-SMIME extension for RT 3.6.0, while also vulnerable, is no longer supported.
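The advisory above makes the remediation conditional on one fact: whether the bash on the RT host already carries the Shellshock fixes. The following self-test is added here and is not Best Practical's code. It asks the local bash to run a trivial command while an environment variable holds a function-style value, and reports whether bash imported and executed the trailing part of that value, which is the original CVE-2014-6271 defect. It exercises only that first bug, not the later variants the advisory lists, so the patched package version from your distribution remains the authoritative answer; the function name and the variable name `rt_probe` are choices of this example.

```shell
# Added example (not from the RT advisory): report whether this host's bash
# still imports shell functions from arbitrary environment variables
# (CVE-2014-6271). Exit status: 0 patched, 1 vulnerable, 2 no usable bash.
shellshock_check() {
    # Test an explicit bash path if one is given, else the bash on PATH.
    bash_bin="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "bash not found; nothing to check"
        return 2
    fi
    # A patched bash treats rt_probe as an ordinary variable and runs only
    # the -c body, so the word "vulnerable" never reaches stdout.
    out=$(env 'rt_probe=() { :;}; echo vulnerable' "$bash_bin" -c 'echo probe-done' 2>/dev/null)
    case "$out" in
        *vulnerable*)
            echo "VULNERABLE: $bash_bin imports functions from the environment"
            return 1 ;;
        *)
            echo "patched: $bash_bin ignores function definitions in the environment"
            return 0 ;;
    esac
}

# Usage: sh shellshock_check.sh [/path/to/bash]
shellshock_check "$@"
```

Run it as the same user that runs the RT web server, and with the same bash that `/bin/sh` or the SMIME helper would invoke, since a host can carry more than one bash binary.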

Patches for all releases of 4.2.x are available (signature). Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.

The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.

RT 4.0.22 and 4.2.7

We are pleased to announce that RT 4.0.22 and RT 4.2.7 have just been released. They are primarily bugfix releases; most notably, they rework UTF8 data handling to work with versions of DBD::Pg 3.3.0 and above. On PostgreSQL, this requires a newer version of DBIx::SearchBuilder. A complete list of changes is available from the release notes.

Announcing our Q4 Request Tracker Training: Los Angeles, California

Great news! Our Q4 RT training session will be held in Los Angeles, CA on November 4-5, 2014! We do have a limit on how many people we can effectively teach, so please register as soon as you can to make sure you get a seat. If you can't make LA, please feel free to suggest a future location by dropping us a line at training@bestpractical.com! Also, we still have a few spots in our upcoming Boston training! If you haven't registered yet but want to attend, now is the time!

This training will introduce you to the new features in RT 4.2 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, covering rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT.

For both days, the cost is USD $1,495. A single day is USD $995. Each class includes training materials, a continental breakfast, and snacks (lunch is not provided).

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately we are unable to accept American Express or PayPal. If you'd prefer to pay with a purchase order, please email us at training@bestpractical.com. Be sure to include: if you want to attend both days or a single day and the full names and email addresses of attendees.

Finally, please contact us at training@bestpractical.com for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.

RT 4.2.5 released

We are pleased to announce that RT 4.2.5 has just been released. It is primarily a bugfix release; most notably, it explicitly updates a dependency to fix a previously-announced security vulnerability, resolves two serious bugs in the serializer, and fixes the "paste" feature in the Rich Text editor. A complete list of changes is available from the release notes.

Join us in September in our hometown for RT Training!

We're excited to announce that we will be hosting a Request Tracker training right here in Boston on September 9-10, 2014! We do have a limit on how many people we can effectively teach, so please register as soon as you can to make sure you get a seat. If you can't make Boston, we will have an upcoming session later this year in Los Angeles, CA. Please let us know if you have a suggestion for a future location by dropping us a line at training@bestpractical.com!

This training will introduce you to the new features in RT 4.2 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, covering rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT.

For both days, the cost is USD $1,495. A single day is USD $995. Each class includes training materials, a continental breakfast, and snacks (lunch is not provided).

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately we are unable to accept American Express or PayPal. If you'd prefer to pay with a purchase order, please email us at training@bestpractical.com. Be sure to include: if you want to attend both days or a single day and the full names and email addresses of attendees.

Finally, please contact us at training@bestpractical.com for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.

Thanks for your support of Request Tracker!

RTIR 3.0.2, and RT 4.0.20 and 4.2.4 released

We are pleased to announce that RT 4.2.4 and RT 4.0.20 have just been released. Both are primarily bugfix releases; a complete list of changes is available from the release notes (for 4.2.4 and for 4.0.20).

Simultaneously, we have also released RTIR 3.0.2; the release notes are available here.

RT 3.8 reaches End-of-Life

As previously announced, the 3.8 series of RT has now reached end-of-life, and is no longer supported by Best Practical. This also ends support for RTFM, as well as RTIR 2.4 and 2.6, as those products depended on RT 3.8.

Best Practical continues to support the RT 4.0 (maintenance) series, as well as RT 4.2 (stable). RTFM was integrated into RT 4.0 as Articles, and is thus forward-compatible. RTIR 3.0 is available for RT 4.0, and we expect release candidates for RTIR 3.2 (compatible with RT 4.2) to be available shortly.

If you are currently still running RT 3.8 (or earlier!) and would like help with your upgrade, you can get in touch with us at sales@bestpractical.com for professional assistance.

Join us for our Q2 Request Tracker training in Dallas!

Hello! Best Practical is pleased to announce our second Request Tracker training for 2014! We will be in Dallas, Texas on May 20-21. We do have a limit on how many people we can effectively teach, so please register as soon as you can to make sure you get a seat. If you can't make Dallas, we will have upcoming sessions later this year in Boston, MA and Los Angeles, CA. Please let us know if you have a suggestion for a future location by dropping us a line at training@bestpractical.com!

This training will introduce you to the new features in RT 4.2 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, covering rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT.

For both days, the cost is USD $1,495. A single day is USD $995. Each class includes training materials, a continental breakfast, and snacks (lunch is not provided).

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately we are unable to accept American Express or PayPal. If you'd prefer to pay with a purchase order, please email us at training@bestpractical.com. Be sure to include:

  • If you want to attend both days or a single day
  • Full names and email addresses of attendees

Please contact us at training@bestpractical.com for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.

Thanks for your support of Request Tracker!

Security vulnerability in RT 4.2

Versions of RT between 4.2.0 and 4.2.2 (inclusive) are vulnerable to a denial-of-service attack via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This vulnerability is assigned CVE-2014-1474.

This vulnerability is caused by poor parsing performance in the Email::Address::List module, which RT depends on. We recommend that affected users upgrade their version of Email::Address::List to v0.02 or above, which resolves the issue.

After extracting the contents, the module can be installed by running:

perl Makefile.PL
make
make install

The first step must use the same perl that RT runs under. If you are unsure, the first line of /opt/rt4/sbin/standalone_httpd contains the full path to the relevant perl binary. The last step will likely need to be run with root permissions. After installing the module, restart your webserver.
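The two things an administrator has to get right here are which perl RT actually uses and whether the Email::Address::List it sees is already at v0.02. The helpers below are added to this page and are not Best Practical's tooling: they read the interpreter from the shebang line of standalone_httpd (the location the advisory points at, assumed to be /opt/rt4/sbin/standalone_httpd unless a path is passed), ask that perl for the module's version, and compare it numerically against 0.02. Function names are choices of this example; the `-M` flag and `->VERSION` are standard perl.

```shell
# Added example (not from the RT advisory): locate the perl RT runs under and
# verify that its Email::Address::List is at least v0.02 (CVE-2014-1474 fix).

# Print the interpreter named in a script's shebang line.
# "#!/usr/bin/perl -w" yields /usr/bin/perl; "#!/usr/bin/env perl" yields perl.
rt_perl_path() {
    script="${1:-/opt/rt4/sbin/standalone_httpd}"   # assumed RT install path
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 1; }
    first=$(head -n 1 "$script")
    case "$first" in
        '#!'*) ;;
        *) echo "$script has no shebang line" >&2; return 1 ;;
    esac
    shebang=${first#'#!'}
    set -- $shebang                 # split "interp [args]" into words
    case "$1" in
        */env) echo "$2" ;;         # "#!/usr/bin/env perl" -> perl
        *)     echo "$1" ;;
    esac
}

# Numeric comparison of Perl decimal versions (0.02, 0.10, v0.05).
# Returns 0 when $1 >= $2.
version_at_least() {
    have=${1#v}; want=${2#v}
    awk -v h="$have" -v w="$want" 'BEGIN { exit !(h + 0 >= w + 0) }'
}

# Ask the given perl for its Email::Address::List version and judge it.
# Exit status: 0 fixed, 1 too old, 2 module not loadable with that perl.
check_email_address_list() {
    perl_bin="$1"
    ver=$("$perl_bin" -MEmail::Address::List -e 'print Email::Address::List->VERSION' 2>/dev/null) || {
        echo "Email::Address::List not loadable with $perl_bin"
        return 2
    }
    if version_at_least "$ver" 0.02; then
        echo "Email::Address::List $ver (fixed) under $perl_bin"
    else
        echo "Email::Address::List $ver is affected by CVE-2014-1474; upgrade to 0.02 or later"
        return 1
    fi
}

# Usage: sh check_eal.sh [/path/to/standalone_httpd]
main() {
    perl_bin=$(rt_perl_path "$@") || return $?
    echo "RT runs under: $perl_bin"
    check_email_address_list "$perl_bin"
}

# Only run the check when the RT script is present, so the helpers can also be sourced.
[ -r "${1:-/opt/rt4/sbin/standalone_httpd}" ] && main "$@"
```

Running `perl Makefile.PL` with the interpreter printed by `rt_perl_path` is what guarantees the upgraded module lands in the @INC that RT's web server searches; a system perl on PATH may be a different installation entirely.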

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.

RT 4.2.2 released

We are pleased to announce that RT 4.2.2 is now available. This release is primarily a bugfix release; of particular note is that it contains schema changes for MySQL. Though the changes are limited, it is especially important to take, and verify you can recover from, a database backup prior to upgrading.

Also notable is that this release fixes a bug in 4.2.0 and 4.2.1 where failures of the HTML-to-text conversion would silently cause mail to fail to be sent. When using the rich text editor, RT will also now quote the HTML parts of email, and not simply their text equivalents.

Other changes include:

Documentation

  • Wording fixes in Shredder
  • Clean up examples in Lifecycles documentation
  • Document additional indexes that increase performance of Shredder
  • Replace a suggested GnuPG option with one which is not deprecated
  • Note that errors reported from the GnuPG infrastructure may be caused by GnuPG not being configured, but having been automatically enabled.

Database

  • Ensure that even disabled scrips get the same id-to-name change that other scrips got during the 4.0 → 4.2 upgrade.
  • On MySQL, alter the character set of all columns used to store email addresses to UTF-8
  • Ensure that invalid byte sequences that may have snuck into the database previously (on earlier versions on MySQL, for instance) are not blindly interpreted as UTF-8 when retrieved from the database. As a result, invalid bytes will be returned from the API as the four characters "\xHH", where HH is the hexadecimal encoding of the byte.
  • Ensure that all data containing non-ASCII is quoted-printable encoded for PostgreSQL, instead of merely all data not claiming to be text/plain
  • Additional warnings prevention on Oracle; tests now pass cleanly
  • Allow fully-automated database upgrades using --upgrade-from and --upgrade-to options to rt-setup-database
  • Clean out any remaining traces of RTFM that lingered in custom fields and custom field values that were disabled at the time of the previous upgrade step.
  • Bullet-proof a 3.8 → 4.0 upgrade step for Scrips with no Condition

Serializer/importer

  • Install rt-serializer and rt-importer into sbin/
  • Ensure that incremental upgrade steps only run on incremental serializations, not all exports
  • Fix a runtime error in the incremental upgrade path to 4.2
  • Ensure that inflated Users and Groups are created with the same id as their Principal
  • Disable in-memory record caching when serializing and importing to improve performance
  • Only search non-Disabled custom fields when looking up BasedOn in initialdata files
  • Set up logging properly; warnings are now displayed during serialization and importing

Email

  • Don't die if HTML → text conversion throws an error, which would silently prevent outgoing mail from being sent. Instead, fall back to just sending text/html with no text/plain
  • Replying to an HTML mail with the rich text editor will now quote the HTML part, not the equivalent text version.
  • Set a transfer encoding on outgoing dashboards; this resolves issues with long lines when using the Sendmail MTA.
  • Cope with mangled and overly-quoted recipient headers occasionally generated by Outlook.

General user UI

  • Stop localizing custom field names, for consistency
  • Show a useful error on "show outgoing mail" if the user has no rights to see the page, rather than displaying an empty page.
  • Adjust UI to not block header on "show outgoing email" page
  • Hide the Take and Steal menu items if you already own the ticket, closing a regression in 4.2.0 and above.
  • Autocompletion custom fields now properly autocomplete when placed in custom field groupings
  • Improve rendering on Internet Explorer 6
  • Fix cascaded custom fields on Internet Explorer 8 and below.
  • Fix third-level cascading custom fields, broken in 4.2.1
  • Minor rendering bugs with Charts placed on homepages and dashboards
  • Whitelist "show outgoing email" and chart results from CSRF protection
  • RT 4.0.7 introduced a performance regression when building ticket searches that query Links; switch back to a much better-indexed query.
  • Fix "Clone ticket" functionality with Select-multiple custom fields.
  • Show the queue ID for the current queue in the ticket edit page, even if the user does not have SeeQueue; this prevents the user from accidentally changing the queue.
  • Respect custom field groupings on user preferences page

Query Builder

  • Warnings avoidance for searches with more than 1000 results.
  • Allow IS NULL to search for dates which are unset
  • Properly quote CF names containing non-ASCII characters in query builder, broken since 4.2.0
  • Add "UpdatedBy" TicketSQL limit

Admin

  • Correct a package load order problem which prevented the web installer from working since 4.2.0
  • Report the correct setting name in rt-validate-aliases
  • Fix real-time updating of Theme CSS on Internet Explorer 8 and below
  • Fix a minor display bug in the CF Admin pages, where the queue number instead of queue name would be displayed in requests shortly after server startup.
  • Add "Extra Info" as a possible field for "More About Requestor"

REST

  • Allow searching for users, queues, and groups in REST
  • Prevent a server error when attempting to guess content-type in the REST interface.

Development

  • Allow running tests with an explicit set of plugins enabled.
  • Custom Action and Condition packages (as supplied by extensions; these are not the text entry boxes in the UI) are now loaded at server startup time, to catch compile-time errors in such classes early as well as reducing RT's memory footprint on mod_perl. Previously, these errors would have logged errors only when their Scrip failed to fire. This restores the behavior found in RT 3.8, which was mistakenly removed in RT 4.0.0.
  • Additional callbacks, including in charts, and on ticket reply pages
  • Remove an unused Makefile target

A complete changelog is available from git.