RTIR 2.6.0 Release Candidate 1

I'm pleased to announce that the first release candidate for RTIR 2.6.0 is now available for download.

The major change in RTIR 2.6 is improved control of custom fields in RTIR. In earlier releases, all of RTIR's custom fields were prefixed with '_RTIR_'. RTIR 2.6 continues our work to move RTIR to using standard RT APIs and extension mechanisms. It's now easier than ever to add and remove fields in RTIR with fewer side effects and less custom code.

This upgrade is NOT fully automated. It's very important that you validate all custom code stored in RT's database. You can read more about the upgrade procedure in the "UPGRADING" document included in the distribution. If you already have a support contract for your RTIR instance or are interested in picking one up, Best Practical can make staff available to help you plan your upgrade.

RTIR 2.6 is intended for use with RT 3.8.

Information on other changes in RTIR 2.6.0RC1 is below.

http://download.bestpractical.com/pub/rt/devel/RT-IR-2.6.0rc1.tar.gz
http://download.bestpractical.com/pub/rt/devel/RT-IR-2.6.0rc1.tar.gz.sig

SHA1 sums:

0e832292326abf129690af6f9a39c6d070d6e95a  RT-IR-2.6.0rc1.tar.gz
189cab91270c41b0bcf3b7c380b6d779e004ca38  RT-IR-2.6.0rc1.tar.gz.sig

Changes:
* INCOMPATIBLE: prefix '_RTIR_' has been deleted from
all custom fields in RTIR. See UPGRADING for upgrade
instructions.
* INCOMPATIBLE: New option %RTIR_CustomFieldDefaults
that replaces several $RTIR_*_default options that
were there before, don't forget to update config.
* almost all default Custom Fields of RTIR now can be
disabled or un-applied. Read more in Administration
Tutorial.
* IP CF can be changed to single value
* On create with linking (a new child from an incident or a new
incident from a child) use default values for custom fields
from linked object
* allow to use any custom field for lookup, not only IP,
no UI at the moment, but can be used via arguments of a URL
in clicky actions or linked CFs
* switch SimpleSearch over to the buttonless version
* RTIR's SimpleSearch searches by IP in all queues if
query is an IP only
* we have search in any RTIR's queue, so we need default
search format, new entry in $RTIRSearchResultFormats
config option
* switched over RT's style for RTIR's query builder
* RT::IR->OurQueue(...) method
* RT::IR->CustomFields(...) method
* refactored test suite for re-use in RTIR's extensions
* better described Incident input field on Create pages


RT 4 - An update

A good long time ago, I announced that we'd begun work on a massive re-engineering effort to update and improve RT, replacing large parts of the internals with a new web framework, overhauling the UI and numerous subsystems inside the RT core. I told you that we'd be releasing this as "RT 4" as quickly as we could, though it was a pretty serious development effort. While we were always circumspect about release dates, I hinted to a few of you that you might see RT 4 in early 2008.

If you've ever come to one of our public RT developer/administrator training classes, you'll have heard me warn you never to trust a vendor when they promise a release date, even if that vendor is me.

If you haven't ever come to one of our public training sessions, we're running one in Washington DC on October 25th and 26th. You can find out more at http://bestpractical.com/training.

It should go without saying that we missed our original early-2008 target date. As we worked, we discovered just how much bigger the project was than we'd originally intended. At the same time, the RT 4 codebase was different enough that users would probably have to completely rewrite their local customizations and changes.

We've put a number of engineer-years into RT 3.999. It's been difficult to accept, but over the past six months we've come to the conclusion that the RT 3.999 codebase isn't going to be the next step in RT's evolution. That's the bad news. There's some good news, too. Since we first branched RT 4 development in late 2007 (before we released RT 3.8), we've remained committed to RT 3. RT 3.8 has seen almost 2000 commits and approximately 250,000 lines of changes. Those changes run the gamut from bug fixes to security improvements and major new features.

Over the past four months, we've been hard at work on RT 3.9, a new development branch based on RT 3.8. Many of the features we've been working on in RT 3.9 are driven by a generous and supportive customer, but we've also been able to backport a number of features from our original RT 4 effort. As of today, some of the bigger features you can find in RT 3.9 are:

  • A new access-control editing UI
  • Performance improvement
  • Date custom fields
  • Timestamp custom fields
  • IP Address custom fields
  • IP Address Range custom fields
  • A new "ticket lifecycle" state engine
  • A mobile-optimized web interface
  • Browser-based theme and logo customization

We expect fast full-text searching on Postgres and Oracle, as well as some other cool features, to land in RT 3.9 within the next few weeks. Later today, we will release RT 3.9.4, the first beta version on the new road to RT 4.0.0. This is a DEVELOPMENT SNAPSHOT and not intended for production deployment. It should be possible to upgrade your test databases from RT 3.8.8 to RT 3.9.4. If you run into trouble, please report it to rt-devel at lists.bestpractical.com.

Sign up for the last RT admin/developer training of 2010! Join us October 25 and 26th in Washington, DC. In addition to the regular technical content, I'll be talking about RT's future and showing you how to get started with RT 4. You can find out more at http://bestpractical.com/training

Before you do anything with RT 3.9, you should _definitely_ read the UPGRADING document, as it describes some fairly substantial changes. We're not yet promising that the APIs in 3.9 are stable or that we've documented every problem and upgrade headache. That said, we do want to hear about what you like (and what you don't). Again, rt-devel at lists.bestpractical.com is the right place to report such things.

You'll have RT 4.0.0RC1 by December 25, 2010.


Last RT Training Session in 2010! — Washington DC on Oct 25 & 26

This year we ran training sessions for RT in San Francisco, Dublin, and Moscow, and now it's time for our last one until 2011 in Washington DC!

Best Practical Solutions provides unparalleled instruction in how to get the most out of RT. We've been teaching users and administrators how to get the most out of RT since 2001. Since 2003, we've offered intensive one-day RT administrator training sessions to the general public.

Training is split across two days. The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, workflows and configurability. We'll touch on basic administration, but concentrate largely on helping you and your team get the most out of your RT instance.

The second day of training picks up with basic RT administration and covers everything from point-and-click configuration to installation of RT, development best practices and database tuning.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.

A spot at either day costs $995 USD, but you can save 25% if you attend both days of training. That's just $1495 USD!

If you reserve before September 20th, you can save an additional 20% by mentioning the discount code BLOG10. If you buy online, we'll automatically apply the discount.

Each class includes a morning snack, coffee/tea, and an afternoon snack, as well as all training materials.

Day 1 - RT User Training

This intensive day-long tutorial about RT starts with basic day-to-day use and continues with detailed training about advanced RT features including saved searches, dashboards, data analysis and options for automating your workflow.

This session will cover:

  • The purpose and general use of RT
  • New features in RT 3.8
  • Saved Searches and customizing searches
  • RT's Dashboards feature
  • Customizing RT's workflow to match your own
  • Automating common procedures
  • How to make simple custom reports based on RT's data
  • A short intro to RTFM, the RT FAQ Manager
  • General Q&A Session

Day 2 - RT Administration and Development

This intensive day-long session aimed at RT administrators and developers covers everything from installation to backups, interface and backend customizations. You'll learn how to customize RT to meet your organization's unique needs and how to make sure that RT stays fast, reliable and flexible.

This session will cover:

  • New features in RT 3.8
  • RT's system architecture
  • A guided tour of the RT source code
  • Extension mechanisms you can use to customize RT
  • RT Installation, including the basics of Configuration
  • Examples of how to optimize RT for your organization
  • How to tie RT into your existing authentication infrastructure
  • Building your own tools that talk to the RT backend
  • Customizing RT's workflow to match your own
  • Automating common procedures
  • How to write custom reports based on RT's data
  • Custom coding, modifications, and callback creation
  • A brief preview of RT4
  • General Q&A Session

If you couldn't make it to any of the cities we visited this year, please drop us a line to request a public training in your area. We haven't yet scheduled training for 2011; your feedback will help us decide where to offer additional sessions.

Private Training

We also offer private training sessions tailored to your organization's needs. For more information about on-site training for your organization, please drop us a line at training@bestpractical.com.

Reservations

We like to keep class sizes relatively intimate. Please register soon or we may not be able to guarantee you a seat.

When you register, please tell us which date(s) you are registering for, and whether you'd like to register for the whole training session or for only a single day.

If you'd like to pay via credit card, please visit Best Practical's online store at https://shop.bestpractical.com/

If you'd prefer to reserve a seat and have us bill you, please write to us at training@bestpractical.com. Be sure to include the full names and email addresses of all attendees you'd like to register for training.


RT for mobile devices

Over the past few weeks, I've been spending my time putting together an initial implementation of a modern phone-friendly interface for RT.

We've just published the source code to http://github.com/bestpractical/rt-extension-mobileui and it will show up at http://search.cpan.org/dist/RT-Extension-MobileUI in the very near future.

This is very much an initial release and I know there are things that need improvement, though I'd greatly appreciate feedback to help figure out what those improvements should be.

We've tested this new UI on the iPhone, Android 2.x, BlackberryOS 4.5 and 5.0, Kindle 2.5 and in a number of desktop browsers.

Once you install the extension, you can have a look around from your desktop browser by visiting /m on your RT server.  The Mobile UI tries pretty hard to detect mobile browsers and push them to the mobile login page, though there's a link to get back to the full UI if it gets your browser wrong.

Right now, the mobile interface supports:

  • External Authentication
  • Regular RT Login
  • Creating Tickets
  • Search (using the same "Simple Search" as the main UI)
  • Display of saved searches
  • Ticket display
  • Ticket comment/reply
  • Ticket history
  • Attachment download

[Screenshots: iPhone, Blackberry 8320 and Android 2.1]


RT 3.8.8 Released




We are happy to announce that RT 3.8.8 is now available. You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.8.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.8.tar.gz.sig

SHA1 sums:

be3ac598dcbf584f9bcd9a49248a9ccd3affb330 rt-3.8.8.tar.gz
fd2e1c570a7699f3a19c1101764fb5891ed42c17 rt-3.8.8.tar.gz.sig

This release contains several new features as well as a number
of code quality improvements, bug fixes and new configuration
options.

In particular, we'd like to thank Aaron Sigel for security
auditing work which led directly to a number of security
improvements in this release.

Noticeable features and improvements in this release include:

* Improvements to default Chart fonts and colors;
new Hourly grouping options;
optional support for handling chart timezones in your database
* You can now interleave global and queue level custom fields
for display
* RSS feeds are available using an auth string rather than
credentials; RT's RSS feeds should now work in significantly
more feed readers
* RTAddressRegexp improvements to prevent users from adding
an RT address as a watcher on a ticket
* Admin UI improvements, including the new
AdminSearchResultFormat config option
* Your current password is now required to change a password
via RT's web interface
* New web handler: bin/fastcgi_server which allows you to run
RT as a FastCGI external server
* Refactored Elements/ShowUser so it's easier to add custom
formats.
* Printed views of RT tickets should now be somewhat more
visually pleasing
* RT now uses less memory when building the First/Prev/Next/Last
links for the result of a big ticket search
* New config options: AttachmentUnits, AlwaysDownloadAttachments,
DefaultMailPrecedence, DefaultErrorMailPrecedence,
MessageBoxIncludeSignature*, UseOriginatorHeader and
LogoutRefresh. See RT_Config.pm for more information on these
and other configuration options.

A complete changelog is available in the original post


2010 RT Training Announcement - Bonus RT Training Session in Moscow, Russia!

Best Practical Solutions is happy to announce that this year there will be an additional training session in May 2010, driven by one of our lead RT developers, Ruslan Zakirov. The course will be held in Moscow, Russia and will be given in Russian. For more details, please read below or visit http://request-tracker.ru (in Russian).

Request Tracker Master Class in Moscow, May 2010

A unique opportunity to get better acquainted with the Request Tracker system and to learn what you don't yet know. A master class will be held in Moscow in May. This is a chance to get answers to your questions first-hand, from one of the system's developers. Taking part in the master class will let you improve your skills and successfully handle the tasks of administering RT and extending it to fit your company's needs.

Fill out the form right now. On March 15th the price (there is still a chance to influence this figure), the exact dates and the venue will be announced. All details are on the event page.


RT 3.8.7 Released

We are happy to announce that RT 3.8.7 is now available. You can download it from:

http://download.bestpractical.com/pub/rt/release/rt-3.8.7.tar.gz
http://download.bestpractical.com/pub/rt/release/rt-3.8.7.tar.gz.sig

SHA1 sums

9de5860c5c58d40c5f6914cdde807ecc66a68f20 rt-3.8.7.tar.gz
3088fb66f6ecbf57f04cd5aba3684645406c120f rt-3.8.7.tar.gz.sig

This is primarily a bugfix release of RT. Some important fixes are listed here:
  • Stop old DateTime or DateTime::Locales from exploding in Preferences
  • Move all JS for hierarchical CFs onto derivative field; remove DerivativeCFs method
  • Fix bug on Oracle when selecting against a CLOB
  • Call the method on the object, not the username string (Reported by Philip Shore)
  • Fix error when using WebExternalAuth and setting user info
  • When using WebExternalAuth don't issue a new session cookie on each request
  • Fix lost attachments when using WebExternalAuth. WebExternalAuthContinuous can be set back to 1
  • Mention missing index that was only added to upgrade scripts
  • Fixes for PlainTextMono config option introduced in 3.8.6
  • Fixes for updating charts and dashboards
  • Delete links from Bulk Update
A more complete changelog is available at the rt-announce mailing list archive.


Session Fixation Vulnerability in RT versions before 3.8.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In late September, a customer contacted us to report a session fixation
vulnerability in RT 3.8.5 and all earlier versions back to and including
RT 3.0.0.  Over the course of the past month, we've worked to develop
and release a version of RT not vulnerable to this issue as well as a
"hot patch" to earlier versions of RT which eliminates the vulnerability
with minimal code changes.  RT 3.8.6, released on October 19th, is _not_
vulnerable.

We have been assigned CVE number CVE-2009-3585 for this issue.

This issue could allow a malicious attacker who can operate a server in
the same domain (example.com where RT is rt.example.com) to obtain and
redistribute an RT session identifier to an unsuspecting user before
they log into RT.  When that user logs in, the attacker would then be
able to hijack the user's session.

As part of an internal audit of the session handling code, we found and
fixed an additional, related vulnerability which could allow an attacker
with HTTP access to the RT server to construct a similar attack without
the need for a server within the same domain.

If you are using an external auth source (such as apache) you are
not vulnerable to this attack.  This only applies to RT's built-in
$WebExternalAuth setting.  RT-Authen-ExternalAuth does not protect you
from this attack.

I have attached six patches which should cover all vulnerable versions
of RT 3.  RT 3.6.10 will be released later today and will include a
version of this patch.  As mentioned before, RT 3.8.6 is _not_ vulnerable.

The SHA1s of patches are:

38e0a8ce3480807a5dd6cc4da0eb51183382cddd  RT-3.0.0-session_fixation.v3.patch
de22a6e67d7d9d163a392d92530818f3d28e0af2  RT-3.0.1-3.0.6-session_fixation.v3.patch
03fb855a449393ef93db67b800d396bdbfb38a8f  RT-3.0.7-3.6.1-session_fixation.v3.patch
7e5acff213a735894663f63fac90c95089a5e5d1  RT-3.6.2-3.6.3-session_fixation.v3.patch
9c60e647c848e35cea5a6ffe36bdd1f0a355c91f  RT-3.6.4-3.6.9-session_fixation.v2.patch
ada53ca94fdb4db3b185a7e14405d5a9ef76017f  RT-3.8-session_fixation.patch

RT 3.0.0

$ cd /opt/rt3/share
$ patch -p1 < /path/to/RT-3.0.0-session_fixation.v3.patch

RT 3.0.1-3.0.6

$ cd /opt/rt3/share
$ patch -p1 < /path/to/RT-3.0.1-3.0.6-session_fixation.v3.patch

RT 3.0.7-3.6.1

$ cd /opt/rt3/share
$ patch -p1 < /path/to/RT-3.0.7-3.6.1-session_fixation.v3.patch

RT 3.6.2-3.6.3

$ cd /opt/rt3/share
$ patch -p1 < RT-3.6.2-3.6.3-session_fixation.v3.patch

RT 3.6.4-3.6.9

$ cd /opt/rt3/share
$ patch -p1 < RT-3.6.4-3.6.9-session_fixation.v2.patch

RT 3.8.0-3.8.5

$ cd /opt/rt3/share
$ patch -p1 < /path/to/RT-3.8-session_fixation.patch

You should then clear your mason cache. If your RT is installed in /opt/rt3, you
would use this command:

$ rm -rf /opt/rt3/var/mason_data/obj/*

and restart your webserver, this is often accomplished with

$ /etc/init.d/httpd restart

(or)

$ /etc/init.d/apache restart

I apologize for any inconvenience that this issue may have caused you.
We go to great lengths to make sure that RT is robust and secure, but,
as with any software, occasionally we do find defects.  We do our best
to deal with them quickly and responsibly.

I'd like to thank Mikal Gule and the University of Oslo for bringing
this issue to our attention and working with us to triage it and test
the patches included below.  I'd also like to thank Thomas Goetz, who
also brought a variant of this issue to our attention.

If you require assistance evaluating whether your RT deployment is
vulnerable to this issue or deploying the patch, please don't hesitate to
contact us at sales@bestpractical.com.  While we're not able to provide
commercial support without charge, we'll make every effort to provide
help for this issue as quickly and as inexpensively as possible.

Best,
Jesse Vincent
Best Practical
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEUEARECAAYFAksT+WcACgkQEi9d9xCOQEafCwCYpvl6m0W0W/VQnFhzr8jwHdfX
dgCcDO6fi1XudFJc3jKYowci1VoqwxU=
=cI4e
-----END PGP SIGNATURE-----
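
The session fixation condition described in this advisory, modelled next to the standard mitigation of issuing a new session identifier at login. This is an added example: it is not RT's code and not the contents of the attached patches, whose approach the advisory does not describe. `SessionStore`, `login_keep_id`, `login_regenerate`, `audit` and the account in `USERS` are hypothetical names constructed for the demonstration.

```python
import hmac
import secrets

USERS = {"alice": "correct horse"}  # constructed account for the demo


class SessionStore:
    """In-memory server-side sessions, keyed by the identifier sent in the cookie."""

    def __init__(self):
        self.sessions = {}

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user}
        return sid

    def load(self, cookie_sid):
        # An identifier the server did not issue is never adopted; a new one is minted.
        if cookie_sid not in self.sessions:
            cookie_sid = self.create()
        return cookie_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def password_ok(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode()
    )


def login_keep_id(store, cookie_sid, user, password):
    """Fixation-prone: the login is recorded in whatever session the cookie names."""
    sid = store.load(cookie_sid)
    if password_ok(user, password):
        store.sessions[sid]["user"] = user
    return sid


def login_regenerate(store, cookie_sid, user, password):
    """Hardened: a successful login retires the old identifier and issues a new one."""
    sid = store.load(cookie_sid)
    if not password_ok(user, password):
        return sid
    store.sessions.pop(sid, None)  # the pre-login identifier stops working here
    return store.create(user=user)


def audit(login):
    """Log in with a cookie value that existed before login; report what it can do after."""
    store = SessionStore()
    pre_login_sid = store.create()  # issued before login, so it may be known elsewhere
    post_login_sid = login(store, pre_login_sid, "alice", "correct horse")
    return {
        "pre_login_id_authenticated": store.user_for(pre_login_sid) == "alice",
        "identifier_changed": post_login_sid != pre_login_sid,
        "user_logged_in": store.user_for(post_login_sid) == "alice",
    }


if __name__ == "__main__":
    for handler in (login_keep_id, login_regenerate):
        print(handler.__name__, audit(handler))
```

Running `audit` against your own login handler in a test suite gives a regression check: the identifier presented before login must not be authenticated afterwards.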

Download RT-3.0.0-session_fixation.v3

Download RT-3.0.1-3.0.6-session_fixation.v3 

Download RT-3.0.7-3.6.1-session_fixation.v3 

Download RT-3.6.2-3.6.3-session_fixation.v3 

Download RT-3.6.4-3.6.9-session_fixation.v2 

Download RT-3.8-session_fixation
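
Picking the patch that matches an installed version and checking its SHA1 before running the commands above, as an added example (not Best Practical's tooling). The version ranges, file names and SHA1 sums are copied from the advisory; treating releases such as 3.2.x and 3.4.x as inside the 3.0.7-3.6.1 range is an assumption, and `parse_version`, `patch_for`, `sha1_of` and `plan` are hypothetical helper names.

```python
import hashlib
import re
import shlex

# (lowest version, highest version, patch file, SHA1) as listed in the advisory.
PATCHES = [
    ((3, 0, 0), (3, 0, 0), "RT-3.0.0-session_fixation.v3.patch",
     "38e0a8ce3480807a5dd6cc4da0eb51183382cddd"),
    ((3, 0, 1), (3, 0, 6), "RT-3.0.1-3.0.6-session_fixation.v3.patch",
     "de22a6e67d7d9d163a392d92530818f3d28e0af2"),
    ((3, 0, 7), (3, 6, 1), "RT-3.0.7-3.6.1-session_fixation.v3.patch",
     "03fb855a449393ef93db67b800d396bdbfb38a8f"),
    ((3, 6, 2), (3, 6, 3), "RT-3.6.2-3.6.3-session_fixation.v3.patch",
     "7e5acff213a735894663f63fac90c95089a5e5d1"),
    ((3, 6, 4), (3, 6, 9), "RT-3.6.4-3.6.9-session_fixation.v2.patch",
     "9c60e647c848e35cea5a6ffe36bdd1f0a355c91f"),
    ((3, 8, 0), (3, 8, 5), "RT-3.8-session_fixation.patch",
     "ada53ca94fdb4db3b185a7e14405d5a9ef76017f"),
]


def parse_version(text):
    """Turn '3.6.5' into (3, 6, 5); reject anything that is not a plain x.y.z release."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"not a release version: {text!r}")
    return tuple(int(part) for part in match.groups())


def patch_for(version_text, table=PATCHES):
    """Return (file name, expected SHA1), or None when no patch is listed for the version."""
    version = parse_version(version_text)
    for low, high, name, sha1 in table:
        if low <= version <= high:
            return name, sha1
    return None


def sha1_of(path):
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plan(version_text, patch_path, rt_home="/opt/rt3", table=PATCHES):
    """Return the commands to run by hand; refuse if the file does not match its sum."""
    entry = patch_for(version_text, table)
    if entry is None:
        return []  # e.g. 3.8.6, which the advisory says is not vulnerable
    name, expected = entry
    if sha1_of(patch_path) != expected:
        raise ValueError(f"SHA1 mismatch for {name}; do not apply this file")
    home = shlex.quote(rt_home)
    return [
        f"cd {home}/share",
        f"patch -p1 < {shlex.quote(patch_path)}",
        f"rm -rf {home}/var/mason_data/obj/*",
        "/etc/init.d/httpd restart  # or: /etc/init.d/apache restart",
    ]


if __name__ == "__main__":
    print(patch_for("3.6.5"))
```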


RTIR 2.4.2 Now Available!

Best Practical Solutions is happy to announce that RT for Incident Response (RTIR) 2.4.2 is now available. RTIR is an open-source incident handling system designed for the workflows of CERT and CSIRT teams around the world.

RTIR 2.4 is designed to work with RT 3.8.1 or newer.

You can download it from:
http://download.bestpractical.com/pub/rt/release/RT-IR-2.4.2.tar.gz
http://download.bestpractical.com/pub/rt/release/RT-IR-2.4.2.tar.gz.sig

SHA1 Sums
d3c677a11df65576b34027783e125e9492495d39 RT-IR-2.4.2.tar.gz
7ab221cde2e7ca1519cf96d240ffd0b7657d0045 RT-IR-2.4.2.tar.gz.sig

This release contains a new feature and several bug fixes.

Features

  • Use priority widget from RT 3.8.3 in RTIR

Bug Fixes

  • Don't set $$skip to zero in SkipTransaction callback as it may conflict with other users of this callback. Just use return and as well check asap if the txn is already skipped.
  • Make proper overriding of WebNoAuthRegexp
  • Recheck Constituency cache if $const is _none
  • Adjust deserialization of IP from value with leading zeroes
  • RT::IR::States without Queue argument never worked properly
  • Don't show modify user link if user can not modify the user


2010 RT Training Sessions

Best Practical Solutions provides unparalleled instruction in how to get the most out of RT. We've been teaching users and administrators how to get the most out of RT since 2001. Since 2003, we've offered intensive one-day RT administrator training sessions to the general public.

2010 will bring three different training sessions for RT, with training split across two days. The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, workflows and configurability. We'll touch on basic administration, but concentrate largely on helping you and your team get the most out of your RT instance.

The second day of training picks up with basic RT administration and covers everything from point-and-click configuration to installation of RT, development best practices and database tuning.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT or show up on the second day and get quickly up to speed on how to make RT do your bidding.

A spot at either day costs $995 USD for US Training / 695 EUR for European Training. You can save 25% if you attend both days of training. That's just $1495 USD / 1042.50 EUR!

If you reserve before January 20th for the San Francisco session, February 15th for the Dublin session, or September 20th for the Washington DC session, you can save an additional 20% by mentioning the discount code BLOG10. If you buy online, we'll automatically apply the discount.

Each class includes a morning snack, coffee/tea, and an afternoon snack, as well as all training materials.

Day 1 - RT User Training

This intensive day-long tutorial about RT starts with basic day-to-day use and continues with detailed training about advanced RT features including saved searches, dashboards, data analysis and options for automating your workflow.

This session will cover:

* The purpose and general use of RT
* New features in RT 3.8
* Saved Searches and customizing searches
* RT's Dashboards feature
* Customizing RT's workflow to match your own
* Automating common procedures
* How to make simple custom reports based on RT's data
* A short intro to RTFM, the RT FAQ Manager
* General Q&A Session

Day 2 - RT Administration and Development

This intensive day-long session aimed at RT administrators and developers covers everything from installation to backups, interface and backend customizations. You'll learn how to customize RT to meet your organization's unique needs and how to make sure that RT stays fast, reliable and flexible.

This session will cover:

* New features in RT 3.8
* RT's system architecture
* A guided tour of the RT source code
* Extension mechanisms you can use to customize RT
* RT Installation, including the basics of Configuration
* Examples of how to optimize RT for your organization
* How to tie RT into your existing authentication infrastructure
* Building your own tools that talk to the RT backend
* Customizing RT's workflow to match your own
* Automating common procedures
* How to write custom reports based on RT's data
* Custom coding, modifications, and callback creation
* A brief preview of RT4
* General Q&A Session

These sessions will be offered in:

San Francisco, CA, USA - February 22 & 23 2010
Dublin, Ireland - March 15 & 16 2010
Washington DC, USA - Oct 25 & 26 2010

If you can't make it to these cities, please drop us a line to request a public training in your area. We haven't yet scheduled training for 2011; your feedback will help us decide where to offer additional sessions.

Private Training
We also offer private training sessions tailored to your organization's needs. For more information about on-site training for your organization, please drop us a line at training@bestpractical.com.

Reservations
We like to keep class sizes relatively intimate. Please register soon or we may not be able to guarantee you a seat.

When you register, please tell us which date(s) you are registering for, and whether you'd like to register for the whole training session or for only a single day.

If you'd like to pay via credit card, please visit Best Practical's online store at https://shop.bestpractical.com/

If you'd prefer to reserve a seat and have us bill you, please write to us at training@bestpractical.com. Be sure to include the full names and email addresses of all attendees you'd like to register for training.
