Revisions of request-tracker

Dirk Stoecker (dstoecker) accepted request 1156184 from Tina Müller (tinita) (revision 74)
- Use %autosetup instead of deprecated %patchN
Lars Vogdt (lrupp) committed (revision 73)
- update to 5.0.2
 Security
  * In previous versions, RT's native login system is vulnerable to user enumeration
    through a timing side-channel attack. This means an external entity could try to
    find valid usernames by attempting logins and comparing the time to evaluate each
    login attempt for valid and invalid usernames. This vulnerability does not allow any
    access to the RT system. This vulnerability is assigned CVE-2021-38562 and is fixed
    in this release.
  * RT uses the chart.js package and the previous version has vulnerabilities
    described here: https://snyk.io/test/npm/chart.js/2.8.0 This RT release updates
    chart.js to version 2.9.4 as recommended in that advisory.
 General features and fixes
  * Update Starts on SLA changes even if Starts was already set
  * Accept usernames for email input fields on ticket create/update
  * Support group:NAME and group:ID in non-single role input fields
  * Create an autocompleter for Principals (works with both users and groups)
  * Support more characters for user/group names in non-single role input fields
  * Normalize and validate time inputs
  * Support to generate different dashboard content for each recipient
  * Use user timezone for date "=" queries in ticket search
  * Add "Create Via Email" and "Create Via Web" conditions
  * Fix table wrapping error in Ticket/Update.html
  * Don't escape queue name in title generation stage as it'll be escaped later
  * Allow to squelch recipients that also exist in one time inputs
  * Show all valid statuses on Asset bulk update page
  * In the datepicker, reset the time part after date input is cleared
  * Support columns as values in ticket search (ticket values on right-hand side in searches)
  * Support a friendly syntax for custom field columns as values in ticket search
  * Allow to specify CF Content/LargeContent columns in the keyword part of SQL
  * Support role searches like Owner = CF.cid or Owner = Creator
Lars Vogdt (lrupp) committed (revision 72)
fix directory permissions
Lars Vogdt (lrupp) committed (revision 71)
- install GnuPG, RT-Shredder and SMIME work directories
- enhance README.SUSE
Lars Vogdt (lrupp) committed (revision 70)
- sort the layout file to match the current RT5 path layout
- install GnuPG and SMIME directories
- recommend w3m, because of:
  "Running with the internal HTML converter can result in performance 
   issues with some HTML. Install one of the following utilities with 
   your package manager to improve performance with an external tool: 
   w3m, elinks, links, html2text, lynx"
Lars Vogdt (lrupp) committed (revision 69)
- add missing runtime dependencies:
  + perl(Apache::DBI)
  + perl(Module::Pluggable)
  + perl(Pod::Select)
  + perl(Business::Hours)
  + perl(CSS::Minifier::XS)
  + perl(Data::Page::Pageset)
  + perl(JavaScript::Minifier::XS)
  + perl(Net::IP)
  + perl(Scope::Upper)
Lars Vogdt (lrupp) committed (revision 68)
  + perl(GnuPG::Interface)
Lars Vogdt (lrupp) committed (revision 67)
- update to 5.0.1:
  Database Changes
  + For MySQL and MariaDB, the default character set has been updated to 
    utf8mb4 to accommodate more unicode characters including emojis. 
    See README.MySQL and README.MariaDB for details.
  + The Id field in some tables is changed from INT to BIGINT to accommodate 
    large RT systems that may hit the maximum number of ids. Because this 
    change touches large RT tables like Transactions and Attachments, 
    this upgrade step may take a while to run.
  + You also will need free disk space equal to the size of these tables 
    while running because MySQL, MariaDB, and Postgres will create a temporary 
    copy of the table while running. If you don't have sufficient space, 
    it can cause this step to fail.
  Notable Changes
  + System configuration options can now be changed by SuperUsers via the 
    web UI. File-based configuration options are still loaded. Changes made 
    via the web UI take precedence over file-based options if both are set.
  + If you prefer to keep all configuration in files and disable editing in 
    the web UI, set this option to 0:
        Set($ShowEditSystemConfig, 0);
  + The variables which alter the set of HTML elements allowed in HTML 
    scrubbing have moved; they have been renamed, and are now found under
    RT::Interface::Web::Scrubber.
  + The articles interface on tickets has been simplified, now showing only 
    a dropdown for selecting articles. This dropdown converts to an autocomplete
    box when the dropdown contains more than $DropdownMenuLimit items.
  + With this simplified interface, the "hotlist" feature is no longer 
    needed as all articles in classes applied to a given queue are available
    in the dropdown/autocomplete field. To prevent articles in a class from 
    appearing for a queue, you can unapply the class from that queue.
Dirk Stoecker (dstoecker) committed (revision 66)
fix build
Lars Vogdt (lrupp) committed (revision 65)
- enhanced README.SUSE with a section about the new timers
Lars Vogdt (lrupp) committed (revision 64)
- replace cron scripts with systemd timer scripts on systems using 
  systemd (boo#1115430)
Lars Vogdt (lrupp) committed (revision 63)
- recommend perl(HTML::FormatExternal) to allow RT to use external 
  programs to render HTML to plain text (optional feature)
Lars Vogdt (lrupp) committed (revision 62)
- recommend perl(HTML::Gumbo), as this is an optional dependency for
  showing a broader set of rich text (HTML) message features
Lars Vogdt (lrupp) committed (revision 61)
- update to 4.4.4:
  Security Updates
  + One of RT's dependencies, the Perl module Email::Address, has a denial 
    of service vulnerability which could induce a denial of service of RT 
    itself. 
    We recommend updating to Email::Address version 1.912 or later. The 
    Email::Address vulnerabilities are assigned CVE-2015-7686 and CVE-2015-12558. 
    CVE-2015-7686 was addressed in RT with a previous update. 
    Email::Address version 1.912 addresses both of these CVEs with updates 
    directly in the source module. 
  + One of RT's dependencies, the Perl module Email::Address::List, relies 
    on and operates similarly to Email::Address and therefore also has 
    potential denial of service vulnerabilities. 
    These vulnerabilities are assigned CVE-2018-18898. We recommend 
    administrators install Email::Address::List version 0.06 or later.
  + An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML in 
    some cases. Since RT relies on this module to escape HTML content, 
    it's possible this issue could allow malicious HTML to be displayed 
    in RT. 
    For RTs using this optional module, we recommend administrators 
    install HTML::Gumbo version 0.18 or later. 
  * The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting 
    (XSS) vulnerability when using cross-domain Ajax requests. 
    This vulnerability is assigned CVE-2015-9251. 
    RT does not use this jQuery feature so it is not directly vulnerable. 
    jQuery version 1.12 no longer receives official updates, however a 
    fix was posted with recommendations for applications to patch locally, 
    so RT will follow this recommendation and ship with a patched version.
  EU General Data Protection Regulation (GDPR)
  Several new features were added to support GDPR compliance and are summarized here.
Dirk Stoecker (dstoecker) committed (revision 60)
Dirk Stoecker (dstoecker) committed (revision 59)
Dirk Stoecker (dstoecker) committed (revision 58)
Dirk Stoecker (dstoecker) committed (revision 57)
Dirk Stoecker (dstoecker) committed (revision 56)
Dirk Stoecker (dstoecker) committed (revision 55)
Displaying revisions 1 - 20 of 74