Our blog: news and views from the makers of Request Tracker. — Best Practical Solutions

Shawn Moore

We're coming to Seattle for training in June

Our next public training is happening in Seattle on June 19th and 20th. Join us and learn from the experts how to get the most out of RT as a user and administrator, as well as a preview of what's to come in RT 4.2. Whether you're a native of the Pacific Northwest or will be flying in from afar, you'll leave our two-day training class with a much better understanding of the features, functionality, and administration of RT. Interested? Find more details here or sign up today!

Security vulnerabilities in RT

We discovered a number of security vulnerabilities which affect both RT 3.8.x and RT 4.0.x. We released RT versions 3.8.17 and 4.0.13 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 3.8 and 4.0.

The vulnerabilities addressed by 3.8.17, 4.0.13, and the below patches include the following:

RT 4.0.0 and above are vulnerable to a limited privilege escalation leading to unauthorized modification of ticket data. The DeleteTicket right and any custom lifecycle transition rights may be bypassed by any user with ModifyTicket. This vulnerability is assigned CVE-2012-4733.

RT 3.8.0 and above include a version of bin/rt that uses semi-predictable names when creating tempfiles. This could possibly be exploited by a malicious user to overwrite files with permissions of the user running bin/rt. This vulnerability is assigned CVE-2013-3368.

RT 3.8.0 and above allow calling of arbitrary Mason components (without control of arguments) for users who can see administration pages. This could be used by a malicious user to run private components which may have negative side-effects. This vulnerability is assigned CVE-2013-3369.

RT 3.8.0 and above allow direct requests to private callback components. Though no callback components ship with RT, this could be used to exploit an extension or local callback which uses the arguments passed to it insecurely. This vulnerability is assigned CVE-2013-3370.

RT 3.8.3 and above are vulnerable to cross-site scripting (XSS) via attachment filenames. The vector is difficult to exploit due to parsing requirements. Additionally, RT 4.0.0 and above are vulnerable to XSS via maliciously-crafted "URLs" in ticket content when RT's "MakeClicky" feature is configured. Although not believed to be exploitable in the stock configuration, a patch is also included for RTIR 2.6.x to add bulletproofing. These vulnerabilities are assigned CVE-2013-3371.

RT 3.8.0 and above are vulnerable to an HTTP header injection limited to the value of the Content-Disposition header. Injection of other arbitrary response headers is not possible. Some (especially older) browsers may allow multiple Content-Disposition values which could lead to XSS. Newer browsers contain security measures to prevent this. Thank you to Dominic Hargreaves for reporting this vulnerability. This vulnerability is assigned CVE-2013-3372.

RT 3.8.0 and above are vulnerable to a MIME header injection in outgoing email generated by RT. The vectors via RT's stock templates are resolved by this patchset, but any custom email templates should be updated to ensure that values interpolated into mail headers do not contain newlines. This vulnerability is assigned CVE-2013-3373.
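An added example (not RT's code) of the check that the CVE-2013-3372 and CVE-2013-3373 paragraphs call for: a value interpolated into a mail header or into an HTTP Content-Disposition header must not contain a carriage return or line feed, because a bare newline ends the header field and whatever follows is read as a new header. Python is used for illustration; RT templates are Perl, and the function names here are my own.

```python
# Added example, not RT's code: keep CR/LF out of header values that are
# built from ticket data (mail headers, CVE-2013-3373; the attachment
# Content-Disposition header, CVE-2013-3372). Function names are illustrative.
import re
from email.message import EmailMessage

_CRLF = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised when a value would terminate the header it is placed in."""


def is_header_safe(value):
    """True if the value stays on one line (no CR or LF anywhere)."""
    return _CRLF.search(value) is None


def check_header_value(name, value):
    """Strict policy: refuse the value outright. In both RFC 5322 mail
    headers and HTTP headers a newline ends the current field."""
    if not is_header_safe(value):
        raise HeaderInjection(f"{name}: newline in header value {value!r}")
    return value


def sanitize_header_value(value):
    """Lenient policy: collapse CR/LF runs (and surrounding whitespace) to a
    single space so the value remains a single header line."""
    return re.sub(r"\s*[\r\n]+\s*", " ", value).strip()


def build_notification(subject, recipient):
    """Build an outgoing mail the way a template would, interpolating ticket
    data into headers only after it has passed the check."""
    msg = EmailMessage()
    msg["Subject"] = check_header_value("Subject", subject)
    msg["To"] = check_header_value("To", recipient)
    msg.set_content("Ticket updated.")
    return msg


def content_disposition(filename):
    """HTTP Content-Disposition for an attachment download: the filename is
    collapsed to one line and stripped of quotes before being quoted."""
    safe = sanitize_header_value(filename).replace('"', "")
    return f'attachment; filename="{safe}"'
```

The same newline check applies to any custom RT template that interpolates ticket fields into a header line; values that reach the body are not affected.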

RT 3.8.0 and above are vulnerable to limited session re-use when using the file-based session store, Apache::Session::File. RT's default session configuration only uses Apache::Session::File for Oracle. RT instances using Oracle may be locally configured to use the database-backed Apache::Session::Oracle, in which case sessions are never re-used. The extent of session re-use is limited to information leaks of certain user preferences and caches, such as queue names available for ticket creation. Thank you to Jenny Martin for reporting the problem that led to discovery of this vulnerability. This vulnerability is assigned CVE-2013-3374.

In addition to releasing RT versions 3.8.17 and 4.0.13 which address these issues, we also collected patches for all releases of 3.8.x and 4.0.x into a download available at:

http://download.bestpractical.com/pub/rt/release/security-2013-05-22.tar.gz

The README in the tarball contains instructions for applying the patches. If you need help resolving these issues locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.

Versions of RT older than 3.8.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.

RT Training in Seattle, Washington — June 19th & 20th

Best Practical Solutions provides unparalleled instruction in how to get the most out of RT.

Our second training of 2013 will be held in Seattle, Washington on June 19th & 20th. Space is limited, so RSVP as soon as possible so we can guarantee you a seat.

This training will introduce you to the new features in RT 4 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, covering rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.

Pricing and Payment

The cost of the class includes training materials, a continental breakfast and an afternoon snack. Please note that lunch will not be provided.

Single Day - USD 995
Both Days - USD 1495 (25% savings)

To Register

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately we are unable to accept American Express or PayPal.

If you'd prefer to pay with a purchase order, please email us at training@bestpractical.com. Be sure to include:

  • If you want to attend both days or a single day
  • Full names and email addresses of attendees

Please also contact us at training@bestpractical.com for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.

Future training locations

If you can't make it to this training session, feel free to drop us a line to suggest locations for the future.

RT 4.0.12 released

It's my pleasure to announce RT 4.0.12 is now available for download.

This release of RT repairs a regression in 4.0.11. If you use the Rich Text Editor, the red background on Reply was missing due to the update of CKEditor to support IE10. It also includes a database upgrade, so please make sure to run 'make upgrade-database'.

Features

  • Date and DateTime Custom Fields now have the same 'smart' date parsing that core RT date fields have.
  • Improved logging when the sending of a Correspond or Comment fails.
  • The Quick Search preferences page now has Select/Clear All buttons.
  • Unprivileged users can now change Language and Time Zone.
  • Warn MySQL users if their max_allowed_packet is dangerously low.

Bugfixes

  • Repair 4.0.11 regression where red background on Reply with the RichText Editor was lost.
  • Quiet warnings in the verbose user format.
  • Allow changing the case of a Group's name (prevented by earlier code stopping you from having two groups with the same name).
  • Allow changing the case of a Class's name.
  • Avoid warnings when using empty Templates.
  • Update our InnoDB checks for MySQL 5.6 compatibility.
  • Clarification of when SetOutgoingMailFrom and OverrideOutgoingMailFrom are available.
  • Improve layout of collection lists in IE.
  • Fix Attach more files button in Self Service.
  • Set caching headers on autocomplete endpoints.
  • Restore and improve prematurely deleted documentation for DontSearchFileAttachments.
  • Correct the encoding of Dashboard email Subject headers.
  • Fix the default roles on User->WatchedQueues.
  • Document the need to grant SeeCustomField in UPGRADING-3.4.
  • Nudge menus below the shadows in aileron.
  • Fix missing headers and a syntax error in the /REST/1.0/attachment/NN endpoint.

Localization

  • Improve the display of numbers when using the French localization.
  • Built in components and searches (such as Bookmarked Tickets) are now localizable.
  • Use PostgreSQL error codes in the full-text-indexer instead of matching on error messages that may be in a non-English language.
  • Localize 'Dashboard' during creation.
  • Mark 'Modify this user' as localizable.

Developer

  • Tests can now be run against a remote DB server.
  • Install etc/upgrade to make some rt-setup-database actions easier without requiring access to the install directory.
  • RT_TEST_PARALLEL_NUM controls the -j parameter in make parallel-test.
  • Work around a git bug in git archive when packaging releases. This caused the third party sources to bloat the 4.0.11 tarball.
  • Fix examples in the CreateTickets documentation.
  • RT Ticket types (ticket, approval, reminder) are now always forced to lower case.
  • Allow the use of 'NOT IN' in Limits (assuming a new enough DBIx::SearchBuilder).

A complete changelog is available from git by running:

git log rt-4.0.11..rt-4.0.12

or viewing GitHub's comparison.

rt.cpan.org new features and upgrade to RT 4.0.11

You may notice that rt.cpan.org looks a little different than usual. Or maybe you first noticed the unusual zip with which it loaded. I'm happy to announce that we just upgraded it from RT 3.8.10 to the latest and greatest RT 4.0.11 released today! Along with the upgrade, we took the time over the past few weeks to fix some common complaints and add a few new features to make the service even better to use:

  • Autocomplete for distribution and module names: No more typing "LWP::UserAgent" only to realize you needed to type "libwww-perl" instead. The module names are made possible by MetaCPAN's awesome API. Thanks to Moritz Onken for moving the autocomplete endpoint to the API server.
  • Preferred bug tracker information displayed prominently: If you set a bugtracker in your distribution's metadata, rt.cpan.org will point visitors to your preferred service (see an example). Many thanks to Ian Norton (IDN) for contributing the patches. He details how to set bugtracker info for a variety of build tools over on his blog.
  • Tickets no longer auto-open when they are marked patched, resolved, or rejected. Auto-open still happens when a ticket is new or stalled. Public users logged in with Bitcard or OpenID can manually re-open tickets if necessary. Our great group of beta testers all agreed this was much more desirable behaviour!
  • Code, patches, and test files now always display nicely when attached to messages and don't lose formatting.
  • Customizing your queue list on the homepage for PAUSE authors is back. If you have comaint on a lot of distributions, you can now trim down that list to what you care about.
  • Quote folding in conversations (à la Gmail).
  • A mobile-friendly site for PAUSE authors — just access the site on your mobile device or visit https://rt.cpan.org/m
  • Logging in is better about returning you back to where you were.
  • More PAUSE-only links seamlessly redirect to their public equivalents.

The site is also hosted on speedy new hardware thanks, as always, to the Perl.org ops team. With the server move, the backend infrastructure was all tidied up, and that will make it much easier to safely and quickly deploy updates in the future.

Happy bug tracking!

Keeping Track of Extra Email CCs

Many people work with RT exclusively via email. During an email thread attached to a ticket, they might CC someone on a response because they want them to see what's being discussed, answer a question, etc. The new person will see that email, but if they aren't added as a Watcher of some sort on the RT ticket, they'll miss other correspondence.

We've released a new extension we've found handy in detecting when this happens so you can add people to a ticket to keep them in the loop. RT::Extension::NonWatcherRecipients, despite the big name, is a simple extension that detects extra email addresses and notifies you about them. The typical recipients are the AdminCcs on the ticket, since they can go into RT and update the Watchers, so it installs a new template called "NonWatcherRecipients Admin Correspondence". You can select this as a replacement for the standard "Admin Correspondence" template and see this sort of message when extra emails are found:

------------------------------------------------------------------------
From: "A User" <a-user@example.com>
The following people received a copy of this email but are not on the ticket.
You may want to add them before replying:
https://YourRT.com/Ticket/ModifyPeople.html?id=12345
Cc: "Non Watcher" <non-watcher@example.com>
------------------------------------------------------------------------

The link takes you to the People page for that ticket so you can easily add the new people.

If you have customized templates you can drop in the following:

{ RT::Extension::NonWatcherRecipients->FindRecipients(
      Transaction => $Transaction, Ticket => $Ticket ) }
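To make the detection concrete, here is an added example in Python that is not the extension's own code: it parses the To and Cc headers of an incoming message, compares the addresses against the ticket's watchers and the queue's own address, and renders the notice shown above. The sample message, watcher list and ticket number are constructed for the example, and the function names are my own rather than the extension's API.

```python
# Added example, not RT::Extension::NonWatcherRecipients' code: report mail
# recipients who are not watchers on the ticket. Sample data is constructed.
from email import message_from_string
from email.utils import getaddresses, formataddr

# Constructed incoming mail: the Cc includes someone not on the ticket.
SAMPLE_MAIL = """\
From: "A User" <a-user@example.com>
To: helpdesk@example.com
Cc: "Non Watcher" <non-watcher@example.com>, "Admin" <admin@example.com>
Subject: [example #12345] Re: printer

Still broken.
"""

# Constructed watcher addresses for ticket 12345 (Requestors, Cc, AdminCc,
# Owner) and the queue's correspond address, which is RT itself.
TICKET_WATCHERS = {"a-user@example.com", "admin@example.com"}
QUEUE_ADDRESSES = {"helpdesk@example.com"}


def parse_mail(text):
    """Parse a raw RFC 5322 message (headers and body) into a Message."""
    return message_from_string(text)


def recipients(msg):
    """(display name, lower-cased address) pairs from all To and Cc headers."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [(name, addr.lower()) for name, addr in getaddresses(raw) if addr]


def find_non_watchers(msg, watchers, queue_addresses=frozenset()):
    """Recipients who are neither ticket watchers nor RT's own addresses,
    in header order and without duplicates."""
    known = {a.lower() for a in watchers} | {a.lower() for a in queue_addresses}
    seen, extra = set(), []
    for name, addr in recipients(msg):
        if addr in known or addr in seen:
            continue
        seen.add(addr)
        extra.append((name, addr))
    return extra


def notice(msg, ticket_id, watchers, base_url="https://YourRT.com"):
    """Render the admin notice from the post, or '' when everyone is known."""
    extra = find_non_watchers(msg, watchers, QUEUE_ADDRESSES)
    if not extra:
        return ""
    lines = [
        f"From: {msg['From']}",
        "The following people received a copy of this email but are not on the ticket.",
        "You may want to add them before replying:",
        f"{base_url}/Ticket/ModifyPeople.html?id={ticket_id}",
    ]
    lines += [f"Cc: {formataddr(pair)}" for pair in extra]
    return "\n".join(lines)
```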

Bug reports or comments are welcome at bug-RT-Extension-NonWatcherRecipients@rt.cpan.org, pull requests via github.

New RT extension for making fields mandatory on status transitions

We're happy to announce the release of RT::Extension::MandatoryOnTransition, an extension that allows you to make fields required in RT before a ticket can move to a different status.

This is an often-requested feature, typically in the form of "we want to require a subject on create," "we want to require users to enter time before they can resolve a ticket" or "we want to require users to enter a value for this custom field before they resolve." There have been various solutions for this feature, most focused on specific cases.

As we considered this feature, we also thought about the flexibility of lifecycles, and wanted to create something that would apply to any transition our users might come up with, not just the stock statuses. The result is RT::Extension::MandatoryOnTransition which, as the title suggests, allows you to make fields mandatory for any transition.

Once installed, you can set mandatory fields and transitions with some configuration:

Set( %MandatoryOnTransition,
    'QueueName' => {
        'from -> to' => [ 'BasicField', 'CF.MyField', ],
    },
);

You can limit to one queue or apply the rule globally with a '*'. The inner hash defines the transition on which you want to apply the rule. The entries should map to entries in the lifecycle for that queue. If you haven't configured a custom lifecycle, you can find the default RT lifecycle configuration in your etc/RT_Config.pm file.

If you put a condition on resolve, the fields you define, including custom fields, are displayed on the Resolve page to allow users to easily enter a value. However, the extension currently doesn't apply the restrictions on the "Quick" actions like "Quick Resolve." If you want to enforce the required fields, you'll need to disable quick actions on those transitions in your lifecycle config (see the lifecycles documentation for details). We may add support for quick actions in the future.

We hope you find this extension useful. Bug reports or comments are welcome at bug-RT-Extension-MandatoryOnTransition@rt.cpan.org, pull requests via github.

RT Training Reminder — Amsterdam, Netherlands — March 20th & 21st, 2013

Best Practical Solutions provides unparalleled instruction in how to get the most out of RT.

Our first training session of 2013 will be held in Amsterdam on March 20th and 21st. We only have a few spots remaining so register soon or we may not be able to guarantee you a seat.

If you can't make it to this training session, feel free to drop us a line to suggest locations for the future.

This training will introduce you to the new features in RT4 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, covering rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.

Pricing and Payment

The cost of the class includes training materials, a continental breakfast and an afternoon snack. Please note that lunch will not be provided.

Single Day - USD 995
Both Days - USD 1495 (25% savings)

Please contact us at training@bestpractical.com for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately we are unable to accept American Express or PayPal.

If you'd prefer to pay with a purchase order, please email us at training@bestpractical.com. Be sure to include:

  • If you want to attend both days or a single day
  • Full names and email addresses of attendees

RT Training in Amsterdam — March 20th & 21st, 2013

Best Practical Solutions provides unparalleled instruction in how to get the most out of RT.

Our first training session of 2013 will be held in Amsterdam on March 20th and 21st. As we like to keep class sizes relatively intimate, register soon or we may not be able to guarantee you a seat.

If you can't make it to this training session, feel free to drop us a line to suggest locations for the future.

This training will introduce you to the new features in RT4 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, covering rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.

Pricing and Payment

The cost of the class includes training materials, a continental breakfast and an afternoon snack. Please note that lunch will not be provided.

Single Day - USD 995
Both Days - USD 1495 (25% savings)

Please contact us at training@bestpractical.com for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately we are unable to accept American Express or PayPal.

If you'd prefer to pay with a purchase order, please email us at training@bestpractical.com. Be sure to include:

  • If you want to attend both days or a single day
  • Full names and email addresses of attendees

RT::Extension::Announce Released

We recently released RT::Extension::Announce which gives you an easy way to insert announcements on your RT homepage so all users can see the message. You may want to display a banner during maintenance or maybe an unscheduled outage to make sure the people fielding customer tickets know that something is going on.

The messages are set and managed in a dedicated queue, created when you install the module. This allows you to manage who can post announcements using permissions on the queue. You can also show messages only to select groups if you don't need to notify everyone.

More details are available in the RT::Extension::Announce documentation. Bugs or comments welcome at bug-RT-Extension-Announce@rt.cpan.org, pull requests via github.