RT 4.4.0 release candidate 1 released

We're extremely excited to announce the availability of RT 4.4.0rc1: the first release candidate for the next major version of RT. 

We would be thrilled to hear your experiences installing or upgrading to this release; the more feedback we get, the sooner the official release of RT 4.4.0 can occur. Please be sure to review the upgrading documentation available in docs/UPGRADING-4.4, as there are a number of backward-incompatible changes that come along with the new version number.
 
In addition, to help kick off RT 4.4, we're having a public training session in Chicago on December 14-15! This two-day session covers RT basics, as well as development, and will highlight the new features in today's release candidate. If Chicago isn't a good fit for you, we'll be having public sessions in Washington DC, and Hamburg, Germany, in Q1 and Q2 of 2016 (respectively). To purchase a seat via credit card for the Chicago training, please visit shop.bestpractical.com. If you prefer to pay via other methods, or you have questions, please write in to training@bestpractical.com. And, as always, we welcome suggestions for training locations in the future.
 
A list of the major new features in RT 4.4.0 is included below. Many of the new features will also be described and demoed in a series of blog posts here on blog.bestpractical.com in the coming weeks.
  
  • RT now includes the Assets extension for tracking your physical and digital resources.
  • Attachments can now be stored outside of the database either on disk, in Dropbox, or on Amazon S3. Attachments can also be directly served from S3.
  • SLA tracking is now part of core RT. You can define many different service levels that take your business hours and holidays into account.
  • External authentication and LDAP integration are now shipped as core RT features.
  • RT now has support for custom roles, along the lines of Requestor, Owner, Cc, and AdminCc. These roles can be single-member or multi-member. Privileges can be assigned to members of custom roles, you can search based on custom role membership, you can notify custom role members in scrips, and so on.
  • RT now has a modern file upload interface which allows you to select multiple files in one fell swoop, drag and drop attachments onto RT, and inline preview certain file types like images.
  • We've added a "scroll" option for gradually loading in ticket history as the user scrolls down, much like "infinite scroll". This considerably improves perceived performance.
  • Existing attachments on a ticket can be reused in subsequent replies, so you don't have to upload them again.
  • We now provide some basic Articles configuration for new deploys so that you can start using the feature immediately.
  • You can now break up your RT_SiteConfig.pm file into logically-related chunks under the RT_SiteConfig.d/ directory.
  • You can now specify default values at the queue level for certain ticket fields, including custom fields.
  • RT now warns you when you write the word "attach" (or "attached", etc) but haven't provided any attachments yet, to avoid "sorry, I forgot this attachment" followup mail.
  • RT now understands many more types of "human" date strings.
  • Users can now choose any subset of the seven weekdays to receive their daily dashboard subscriptions.
  • The query builder display format panel has seen several improvements; most importantly, adjusting the display columns no longer reloads the entire page.
  • We've added a popout ticket timer for helping you track time inside RT. The timer is associated with a ticket and will add the time to it for you.
  • RT now ships with keyboard shortcuts, primarily for navigating ticket search results.
  • We ship a (disabled-for-upgrades, enabled-for-new-deploys) scrip for carrying over time worked to parent tickets. Similarly, we ship a scrip for tracking time worked per user.
  • We've added a way to quickly create new linked tickets in queues other than the one that the current ticket is in.
  • There's a new site-level config setting and user preference for hiding unset fields on ticket display pages.
  • Custom fields now have a customizable "entry hint" for helping users understand what they should be entering as values.
  • TicketSQL and the search builder now support Status = '__Active__' and Status = '__Inactive__' type queries, so you no longer need to enumerate all statuses like Status = 'new' OR Status = 'open' OR Status = 'stalled'.
  • The mailgate has been completely redesigned and modernized.

 

 For more information including a complete list of changes please see our official release announcement.

 


Please Join Us For RT 4.4 Training in Chicago!

We’ve been hard at work on the next new major release of RT and it’s almost here! The first release candidate for RT 4.4 will be available in early November!

To celebrate the new release of RT, we’ll be holding our next RT training in Chicago, IL on December 14-15, 2015.

This training will introduce you to the new features in RT 4.4 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.

We also can’t wait to tell you about what we’ve added for you in RT 4.4, including Assets, for tracking physical and digital resources. We’ll show you how to set up service-level agreements (SLA) which take your business hours and holidays into account. There’s a new builtin timer for tracking time worked on tickets. You can upload multiple files at once with a quick drag-and-drop, as well as reuse existing attachments on replies.

We’ll also show how RT 4.4 improves things behind the scenes for you. You can have your users authenticate against external services (LDAP). RT can now seamlessly store attachments outside of its database, putting them on the filesystem, uploading to Amazon S3, or in Dropbox. You can even serve them directly out of S3. You can create custom role groups and assign them to queues and tickets. These custom roles can have their own permissions and notifications and so are foundational for improving your automation. There are some major performance enhancements like gradual ticket history loading that will improve your team’s experience every day.

Agenda

The first day of training starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, including rights management, constructing workflows and notifications, and the basics of Lifecycles.

The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, building an extension, and demonstrate how to extensibly alter the web UI and internal functions.

It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT.

Attending

We do have a limit on how many people we can effectively teach, so please register as soon as you can to make sure you get a seat. If you can't make Chicago, please feel free to suggest a future location by dropping us a line at training@bestpractical.com!

For both days, the cost is USD $1,495. A single day is USD $995. Each class includes training materials, a continental breakfast, and snacks (lunch is not provided).

If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately we are unable to accept American Express or PayPal. If you'd prefer to pay with a purchase order, please email us at training@bestpractical.com. Be sure to include whether you want to attend both days or a single day, and the full names and email addresses of attendees.

Finally, please contact us at training@bestpractical.com for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.


Security vulnerabilities in RT

We have discovered security vulnerabilities which affect both RT 4.0.x and RT 4.2.x.  We are releasing RT versions 4.0.24 and 4.2.12 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.
 
The vulnerabilities addressed by 4.0.24, 4.2.12, and the below patches include the following:
 
RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack via the user and group rights management pages.  This vulnerability is assigned CVE-2015-5475.  It was discovered and reported by Marcin Kopeć at Data Reliance Shared Service Center.
 
RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS) attack via the cryptography interface.  This vulnerability could allow an attacker with a carefully-crafted key to inject JavaScript into RT's user interface. Installations which use neither GnuPG nor S/MIME are unaffected.
 
Patches for all releases of 4.0.x and 4.2.x are available (signature). Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.
  
The README in the tarball contains instructions for applying the patches.  If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.


RT 4.2.11 released

We have released RT version 4.2.11. This is a bugfix release; most notably, it improves indexing time for full-text search, as well as improving support for Apache 2.4 and MySQL 5.5. Interactive command-line tools (including upgrade tools) will now also default to displaying warnings to STDERR, to aid in awareness of potential errors.

See the release notes for a complete list.


We're hiring!

We are looking for a motivated, customer service oriented engineer to participate in all aspects of the software development cycles including requirements gathering, design, development, implementation, upgrades, maintenance and documentation. You will be responsible for ensuring that new or upgraded systems are fully deployed and functioning per the client's specification. You will also design and code new functionality or add new functionality to our products to add new features. Other responsibilities will include debugging issues and correcting defects reported by our users, testing new releases and updating code to address errors and overall performance. We work in a very dynamic and fast-paced environment so you will need to be flexible to handle a consistent variety of things on a daily basis.

Qualifications

You should be a self-starter who has 3+ years experience with Perl, as well as some experience with at least a few of the following buzzwords:

  • Open source development practices
  • Distributed source control (git, branching, patches)
  • Test driven development (smoke testing, Test::More)
  • User interface design (HTML, CSS)
  • Documentation (user-facing, API)
  • Javascript (jQuery, AJAX)
  • SQL databases (MySQL, PostgreSQL, Oracle, SQLite)
  • Optimization, profiling and debugging
  • UNIX systems administration (web servers, mail servers)

It’s ok if you don’t know everything out of the gate but you should be able to learn on the fly and be comfortable asking questions before you get in over your head. Being vocal is a really important quality and being able to manage competing priorities with the help of your colleagues and project manager is key. RT is a large codebase to dive into, so you should be prepared to work with a project that’s too big to hold in your head all at once. If you want to see what you’ll be getting yourself into, you can find all of our open source code on github.

Location

You will be working from our office in Somerville, MA. The hours are somewhat flexible (East or West coast business hours), and we all telecommute some of the time...though we work from our office in the heart of Davis Square most days. While we do a fair amount of our collaboration in-person, you should also be comfortable using email and instant messaging to coordinate and get work done, as we have a few employees in other parts of the globe.

Compensation

DOE - This is a full-time salaried position, but the details are negotiable. We're a small, self-funded company. The standard benefits apply, of course: health insurance, dental insurance, and junk food to make that dental insurance worthwhile.

How to apply

Send something approximating a cover letter, a resume in plain text, HTML or PDF, and a sample of some code you've written to resumes@bestpractical.com. If you're involved in open source development of one kind or another, please tell us about it. If you have a CPAN ID tell us what it is; we won't consider applications without some sort of code example to look at. We'll be paying particular attention to the readability, comments, and tests.


RT 4.2.10 released

We have released RT version 4.2.10 to resolve CVE-2014-9472, CVE-2015-1165, and CVE-2015-1464, along with a number of bugfixes; see the release notes for a complete list.


RT 4.0.23 released

We have released RT version 4.0.23 to resolve CVE-2014-9472, CVE-2015-1165, and CVE-2015-1464, along with a number of bugfixes; see the release notes for a complete list.


Security vulnerabilities in RT

We have discovered security vulnerabilities which affect both RT 4.0.x and RT 4.2.x. We are releasing RT versions 4.0.23 and 4.2.10 to resolve these vulnerabilities, as well as patches which apply atop all released versions of 4.0 and 4.2.

The vulnerabilities addressed by 4.0.23, 4.2.10, and the below patches include the following:

RT 3.0.0 and above, if running on Perl 5.14.0 or higher, are vulnerable to a remote denial-of-service via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This denial-of-service may encompass both CPU and disk usage, depending on RT's logging configuration. This vulnerability is assigned CVE-2014-9472.

RT 3.8.8 and above are vulnerable to an information disclosure attack which may reveal RSS feed URLs, and thus ticket data; this vulnerability is assigned CVE-2015-1165. RSS feed URLs can also be leveraged to perform session hijacking, allowing a user with the URL to log in as the user that created the feed; this vulnerability is assigned CVE-2015-1464.

We would like to thank Christian Loos for reporting CVE-2014-9472 and CVE-2015-1165; CVE-2015-1464 was found by internal review.

Patches for all releases of 4.0.x and 4.2.x are available (signature). Versions of RT older than 4.0.0 are unsupported and do not receive security patches; please contact sales@bestpractical.com if you need assistance with an older RT version.

The README in the tarball contains instructions for applying the patches. If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.
