
Request Tracker

Productivity & Wikis

Open source enterprise‑grade issue and ticket tracking system

Language: Perl. Latest release: rt-6.0.3 (14 days ago).

Features

  • Tracks tasks, assignments, status, and completion dates for organizations
  • Supports multiple SQL backends (MySQL, MariaDB, PostgreSQL, Oracle, SQLite)
  • Integrates with Apache/Nginx via FastCGI or mod_perl
  • Provides optional full‑text indexing and TLS support

Recent releases

rt-6.0.3 Breaking risk
Auth RBAC RCE / SSRF +1 more

Security fixes

rt-5.0.10 Security relevant
Auth RBAC RCE / SSRF +1 more

CVE fixes

rt-6.0.2 Breaking risk
Security fixes
  • CVE-2025-61873 – CSV injection via special characters in TSV exports from search results
  • CVE-2025-9158 – XSS via calendar invitations added to a ticket
Notable features
  • Calendar view for saved searches with grid icon, modal color selector, popup details, multi‑day expansion, and dark‑theme styling
  • Enhanced history filtering: transaction type filter, saved filter settings, paging support across ticket and asset histories, and search integration
Full changelog

RT 6.0.2 -- 2025-10-22

We're pleased to announce the general availability of RT 6.0.2. This
release includes significant new features including a calendar view for
saved searches, enhanced history filtering and paging, and comprehensive
memory management improvements. Details on these and other updates,
bug fixes, and enhancements are below. This release also contains
security fixes noted below.

https://download.bestpractical.com/pub/rt/release/rt-6.0.2.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-6.0.2.tar.gz.asc

SHA-256 sums

f3706fcfd2a6dfbdea58f3e9c64a7d17ae39bdd5928aeac61c4767f30f6b05c4 rt-6.0.2.tar.gz
8b19db97e2f33e49c75155b8827b5c6cda9ba4e379f81a80a383d4af57638e95 rt-6.0.2.tar.gz.asc

Security

The following security issues are fixed in this release.

  • RT 6.0 is vulnerable to CSV injection via ticket values with special
    characters that are exported to a TSV from search results. This
    vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones
    from 4armed for reporting this finding.

  • RT 6.0 is vulnerable to XSS via calendar invitations added to
    a ticket. This vulnerability is assigned CVE-2025-9158. Thanks to
    Mateusz Szymaniec and CERT Polska for reporting this finding.

General user features

  • Remove submit blocking class on back button push
  • Add user config option to disable keyboard shortcuts (thanks gibus!)
  • Add autocomplete feature for article search in top menu
  • Add delete column for HTML CF on bulk update
  • Support article autocomplete in SelfService
  • Use SimpleSearch for article searches from top menu
  • Show no results message for article search page
  • Refactor SelfService article search to be consistent with privileged
  • Style article autocomplete to fit in the top menu
  • Remove hide control from article display component
  • Display lifecycle name in Queue list (thanks @tbrumm!)
  • Add calendar as a new display option for saved searches
  • Add grid icon for selecting saved search display mode
  • Add a modal that shows all assigned calendar date colors
  • Support dynamically selecting the view mode for saved searches
  • Show popup with ticket details when hovering over calendar entries
  • Display popup values based on the Format
  • Expand first items for multiple-day events in each week
  • Display just ticket subject in calendar day entries
  • Remove redundant browser tooltip from calendar events
  • Show an error message when no dates for calendar are found
  • Allow for ticket to move position up on calendar
  • Clean up calendar styles and make it work with dark theme
  • Add ticket history search to History menu
  • Add a transaction type filter to history
  • Save History filter settings in page layout
  • Restore link style reverse history option for other history pages
  • Show filtering options only for tickets and assets
  • Add paging support to asset history widget
  • Set paging options via the History widget in page layouts
  • Add a new paging option for displaying ticket history
  • Limit page layout history options for assets
  • Apply page-specific history filters from page layout config for assets
  • Amend paging support of asset history widget
  • Make "Reverse history order" work on selfservice asset history page
  • Scroll to the top of the history window on page change
  • Make history options work with history search
  • Make filter form work with all history display modes
  • Close the history filter menu on apply
  • Respect empty type list when user deselects all transaction types
  • Show search history input only if fulltext search is enabled
  • Enable history search in self service
  • Respect history search state when refreshing history after inline edits
  • Remove the border color override and use bootstrap default
  • Support quick correspond/comment on tickets directly from search results
  • Show TimeTrackingDisplayCF on the user time worked report
  • In articles autocomplete, page until we get max results
  • Pause auto-refresh on saved searches in preview mode
  • Notify the user that the display mode change is a preview
  • Keep the saved search refresh button on the left
  • Initialize TomSelect objects for new cloned modals in page layouts
  • Determine custom role visibility based on page layout
  • Hide Visibility page for asset custom roles
  • Add page layout history link for queue history
  • Reduce modal width for ticket/asset filters
  • Use default bootstrap table styles and remove custom CSS
  • Avoid the blue outline for svgs on focus
  • Align tom-select input focus borders with RT inputs
  • Standardize menus in titlebox headers
  • Update AddWatchers for the new @HiddenRoles argument

Documentation

  • Don't reference specific versions in headings
  • Provide guidance on starting a test server (thanks andrew!)
  • Document the ModifySuggestions callback change
  • Improve formatting for @EmailDashboardLanguageOrder docs
  • Add docs for the new calendar display mode
  • Document the new custom role visibility location

Administration

  • Process Configurations before other RT objects in initialdata
  • Do not exclude ___Approvals queue in dumped json file
  • Support changing the name of a page layout
  • Support custom roles in CreateTickets templates (thanks @bdragon300!)
  • Allow From to be passed as an argument to Forward (thanks @MarkHofstetter!)
  • Add support to set default value(s) at CustomField creation (thanks elacour!)
  • Update deprecation warning messages
  • Skip the whole dormant period for old tickets when calculating SLA Due
  • Decode arguments parsed from URI for htmx internal redirects
  • Update page layout config when queue name changed
  • Fix syntax error in ticket search filter
  • Make REST2 optional and load only for the web server
  • Add Watcher transactions to the short filter list
  • Add Link transactions to the short filter list
  • Support AfterCustomFieldValue callback after code refactor
  • Add callbacks for link editing and display (thanks zach.kelly!)
  • Add EndOfPage callback on article display page (thanks zach.kelly!)
  • Deprecate old HiddenForURLs methods for custom roles
  • Defer loading DateTime to reduce memory at startup
  • Document memory saving tips for CLI
  • Provide a way to override any RT config option in CLI tools
  • Ensure SQL batches stay under 256MB
  • Skip CSS::Inliner for content over 1MB in size
  • Log unresolved ticket failures at warning log level
  • Log forwarded IP address when running behind a reverse proxy (thanks
    @wheldom01!)

Internals

  • Update importer SQL to correctly interpolate groups table names
  • Do not trigger any other htmx requests on parents for reload events
  • Use Time::HiRes to ensure we can find Time::HiRes::time (thanks andrew!)
  • Ensure changes are committed when adding CGM records without auto-commit
  • Add dashboards to menu by id instead of name
  • Count imported objects from cloned serialized data
  • The path argument should not use loc() (thanks @mkosmach!)
  • Align Articles autocomplete helper callback with other callbacks
  • Don't export removed CleanEnv (thanks buehler!)
  • delay is no longer the default for ShowHistory
  • Dispose datepicker (tempusDominus) objects for elements to be swapped out
  • Clean up obsolete hasDatepicker class that was from old jQueryUI
  • Destroy TomSelect and Dropzone objects for elements to be swapped out
  • Destroy CKEditor objects for elements to be swapped out
  • Dispose bootstrap orphan tooltip/popover/dropdown/modal objects
  • Update page layout config when queue name changed
  • Eliminate redundant transaction detail click event listeners
  • Migrate event listeners for menu dropdown to delegation
  • Tweak js event listeners so they do not reference themselves
  • Avoid creating unnecessary global variables to prevent memory leaks
  • Clean up js code for obsolete IE
  • Drop obsolete style tweak for dropdowns in page menu
  • Hide tooltips for dropdown elements in history widget header
  • Use optional chaining for existing tom-select destroy
  • Register dynamic modal handlers only once
  • Batch updates to reduce the number of forced layouts in the browser
  • Restrict day evaluation to the visible calendar month
  • Reduce the blank padding around each day
  • Calculate last day border width
  • Ensure left and right side borders show correctly
  • Ensure date selection form has correct hx-target
  • Add dropup direction for TomSelect dropdowns
  • Remove noisy debug log messages no longer needed
  • Update tom-select build instructions to include overrides
  • Refactor GetCalendarTickets to return a single data structure
  • Refactor handling for multiple day calendar events
  • Run a PreCheck to check for linked Assets
  • Run a PreCheck for configured ProcessArticles
  • Run a PreCheck for configured LinkedQueues
  • Run a PreCheck step for widgets that may not display
  • Apply page-specific history filters from page layout config
  • Limit the asset type list to relevant types
  • Adapt history changes to work with assets
  • Convert history actions to htmx and retain search options
  • Use TicketList for History filter
  • Add a TicketList mode for abbreviated transaction list
  • Create GetTransactionTypes to provide a list of valid types
  • Switch to vanilla tooltip initialization method
  • Remove unnecessary blessed object arguments from paged history URL

Testing

  • Add selenium test for include article feature on ticket update page
  • Update dashboard tests to use id instead of name
  • Test article menu searches
  • Test SLA Due date for long-dormant tickets
  • Add a groups test to the rights inspector test
  • Use different attribute search examples (thanks zach.kelly!)
  • Add github actions config for rt-server tests with Oracle
  • Run github actions with updated 6.0.2 docker image
  • Test UTF-8 data for ticket simple search
  • Test adding custom field DefaultValues on create
  • Add tests for the upcoming custom role support in CreateTickets
  • Add tests for running Update-Tickets via CreateTickets template
  • Add tests for SetStatus action used with rt-crontool
  • Run tests against postgresql 16.10
  • Add tests for calendar functions
  • Demonstrate missing results from article autocomplete
  • Pass necessary widget arguments for mechanize tests
  • Update tests for custom role visibility changes

A complete changelog is available from git by running:
git log rt-6.0.1..rt-6.0.2
or visiting
https://github.com/bestpractical/rt/compare/rt-6.0.1...rt-6.0.2

rt-5.0.9 Breaking risk
Security fixes
  • CVE-2025-61873 — CSV injection via ticket values exported to TSV from search results
  • CVE-2025-9158 — XSS via calendar invitations added to a ticket
Notable features
  • User config option to disable keyboard shortcuts
  • Support update extension configs via web UI
  • Custom roles in CreateTickets templates
Full changelog

RT 5.0.9 -- 2025-10-22

RT 5.0.9 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, several security issues are
addressed. See below for details.

https://download.bestpractical.com/pub/rt/release/rt-5.0.9.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.9.tar.gz.asc

SHA-256 sums

913e9403ad422e0064ac9378baf2b13ba2b4c0119c891fe2cb4f2b51f3a5aeb8 rt-5.0.9.tar.gz
e357206ebcd9d1615fb6dba668963502ad1a920b3c66ac6cbcbba47fb59621d1 rt-5.0.9.tar.gz.asc

Security

The following security issues are fixed in this release.

  • RT 5.0 is vulnerable to CSV injection via ticket values with special
    characters that are exported to a TSV from search results. This
    vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones
    from 4armed for reporting this finding.

  • RT 5.0.4 - 5.0.8 are vulnerable to XSS via calendar invitations added to
    a ticket. This vulnerability is assigned CVE-2025-9158. Thanks to
    Mateusz Szymaniec and CERT Polska for reporting this finding.

General user features

  • Remove submit blocking class on back button click
  • Remove duplicate Asset entry in the shredder objects list
  • Add missing WebPath for modify scheduled process (thanks zach.kelly!)
  • Default to the current class for existing articles
  • Add user config option to disable keyboard shortcuts (thanks gibus!)

Documentation

  • Fix typo after rt-clean-sessions link in README
  • Provide guidance on starting a test server (thanks andrew!)
  • Document the ModifySuggestions callback change
  • Improve formatting for @EmailDashboardLanguageOrder docs

Administration

  • Support updating extension configs via the web UI
  • Check meta IsJSON to determine if config is JSON
  • Make doc_url optional for plugin config options
  • Add NoReset config meta option
  • Do not allow changing $SendmailPath from the web UI, for security reasons
  • Merge extension config meta with existing meta
  • Refactor stringify code to simplify logic for config edit page
  • Fix current value of DefaultQueue on config edit page when it's queue name
  • Show default queue's name on configuration page and config updated messages
  • Support import/export of @Configuration for JSON serializer
  • Process Configurations before other RT objects in initialdata
  • Do not exclude ___Approvals queue in dumped json file
  • Support custom roles in CreateTickets templates (thanks @bdragon300!)

Internals

  • Update importer SQL to correctly interpolate groups table names
  • Convert blocks to inline before scrubbing the HTML
  • Enable encode_entities and ignore_style_type_attr options for CSS::Inliner
  • Bypass ACL cache for owner validation on ticket queue change
  • Ensure changes are committed when adding CGM records without auto-commit
  • Add dashboards to menu by id instead of name
  • Count imported objects from cloned serialized data
  • The path argument should not use loc() (thanks @mkosmach!)
  • Align Articles autocomplete helper callback with other similar callbacks
  • Don't export removed CleanEnv (thanks buehler!)
  • Add support to set default value(s) at CustomField creation (thanks elacour!)
  • Skip CSS::Inliner for content over 1MB in size
  • Log unresolved ticket failures at warning log level
  • In the importer, ensure SQL batches stay under 256MB

Testing

  • Update docker image for tests
  • Update GitHub actions/checkout to v4
  • Update GitHub actions/cache to v4
  • Update simple-slack-notify GitHub action
  • Confirm that all of the shredder plugin pages load correctly
  • Test owner updates on queue change
  • Test showing incorrect class for new article
  • Add tests for Configurations export/import
  • Update dashboard tests to use id instead of name
  • Add a groups test to the rights inspector test
  • Add github actions config for rt-server tests with Oracle
  • Run github actions with updated 6.0.2 docker image
  • Test adding custom field DefaultValues on create
  • Add tests for custom role support in CreateTickets
  • Add tests for running Update-Tickets via CreateTickets template
  • Add tests for SetStatus action used with rt-crontool
  • Run tests against postgresql 16.10

A complete changelog is available from git by running:
git log rt-5.0.8..rt-5.0.9
or visiting
https://github.com/bestpractical/rt/compare/rt-5.0.8...rt-5.0.9

rt-4.4.9 Security relevant
⚠ Upgrade required
  • This is the last planned release for RT 4.4; users should upgrade to RT 5 or RT 6.
Security fixes
  • CVE-2025-61873 — fixes CSV injection via ticket values exported to TSV from search results
Full changelog

RT 4.4.9 -- 2025-10-22

RT 4.4.9 is now available for general use. This release contains just
one security update.

With the release of RT 6 in May 2025, this is the last planned release
for the RT 4.4 series. Users should upgrade to RT 5 or RT 6.

https://download.bestpractical.com/pub/rt/release/rt-4.4.9.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.9.tar.gz.asc

SHA-256 sums

cb7c4dffb4879e95d190e5d919bc13870926578394d3f0cd14f15b15dfedea8b rt-4.4.9.tar.gz
7c039d333e641c4a40c0dd929e24f10840a53aa89a3d698fd2e583001e191a80 rt-4.4.9.tar.gz.asc

Security

The following security issue is fixed in this release.

  • RT 4.4 is vulnerable to CSV injection via ticket values with special
    characters that are exported to a TSV from search results. This
    vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones
    from 4armed for reporting this finding.
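The CSV injection advisory above (the same CVE-2025-61873 item appears in the 6.0.2 and 5.0.9 notes) describes a ticket value that starts with a spreadsheet formula character being written verbatim into a TSV export from search results. The following is an added example, not code from RT or Best Practical: a small Python exporter that shows the vulnerable verbatim write beside a neutralising one, plus an audit helper a defender can run over an export produced before the fix was deployed. The ticket rows and field names are constructed, and the trigger-character list follows general CSV/TSV injection guidance rather than anything RT documents.

```python
"""Hardened TSV export for ticket search results (added example, not RT code).

Illustrates the defect class behind CVE-2025-61873: a ticket field that
begins with a spreadsheet formula character, or contains a tab or line
break, is written verbatim into a TSV that a spreadsheet later evaluates
or mis-parses. Field names and ticket rows below are constructed.
"""
from typing import Iterable, List, Sequence, Tuple

# Leading characters that common spreadsheet applications treat as the start
# of a formula (list follows general CSV/TSV injection guidance, not RT docs).
FORMULA_TRIGGERS = frozenset("=+-@")


def tsv_cell_unsafe(value: str) -> str:
    """Vulnerable behaviour: emit the field exactly as stored."""
    return value


def tsv_cell_safe(value: str) -> str:
    """Neutralise a field before it is placed in a TSV cell.

    Tabs and line breaks inside the value would otherwise split the row or
    column, so they become spaces. A leading formula trigger is defused by
    prefixing an apostrophe, which spreadsheets read as a literal-text marker.
    """
    cleaned = value.replace("\t", " ").replace("\r", " ").replace("\n", " ")
    if cleaned and cleaned[0] in FORMULA_TRIGGERS:
        cleaned = "'" + cleaned
    return cleaned


def export_tsv(header: Sequence[str], rows: Iterable[Sequence[object]],
               safe: bool = True) -> str:
    """Render header plus rows as TSV, using the safe or the unsafe cell writer."""
    cell = tsv_cell_safe if safe else tsv_cell_unsafe
    lines = ["\t".join(cell(str(h)) for h in header)]
    for row in rows:
        lines.append("\t".join(cell(str(v)) for v in row))
    return "\n".join(lines) + "\n"


def looks_like_formula(cell: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell."""
    return bool(cell) and cell[0] in FORMULA_TRIGGERS


def audit_tsv(text: str) -> List[Tuple[int, int, str]]:
    """Scan an existing export; return (row, column, cell) for every risky cell.

    Useful for checking exports produced before the fix was deployed.
    """
    findings = []
    for r, line in enumerate(text.splitlines()):
        for c, cell in enumerate(line.split("\t")):
            if looks_like_formula(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: one ordinary ticket, one whose subject is a formula,
# one whose subject carries a tab and a line break.
SAMPLE_HEADER = ("id", "Subject", "Requestor")
SAMPLE_ROWS = [
    (101, "Printer on floor 2 jammed", "alice@example.test"),
    (102, "=SUM(1,2)", "mallory@example.test"),
    (103, "Budget\t-3% variance\nneeds review", "bob@example.test"),
]

if __name__ == "__main__":
    unsafe = export_tsv(SAMPLE_HEADER, SAMPLE_ROWS, safe=False)
    print("risky cells in unsafe export:", audit_tsv(unsafe))
    print("risky cells in safe export:  ", audit_tsv(export_tsv(SAMPLE_HEADER, SAMPLE_ROWS)))
```

Running the block shows two findings in the unsafe export: the formula subject, and the `-3% variance` fragment that the embedded tab pushed into its own column on a new row. The apostrophe prefix also fires on legitimate values such as negative numbers; that is the accepted trade-off of this mitigation, since the export is meant to be read as text and a consuming spreadsheet cannot tell a stored `-5` from a stored `-2+3`.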

A complete changelog is available from git by running:
git log rt-4.4.8..rt-4.4.9
or visiting
https://github.com/bestpractical/rt/compare/rt-4.4.8...rt-4.4.9


About

Stars: 1,118
Forks: 287
Languages: Perl, HTML, JavaScript
