Release history

Request Tracker releases

Enterprise-grade issue tracking system.

Upgrade now
rt-6.0.3 Breaking risk
Auth RBAC RCE / SSRF +1 more

Security fixes

Upgrade now
rt-5.0.10 Security relevant
Auth RBAC RCE / SSRF +1 more

CVE fixes

rt-6.0.2 Breaking risk
Security fixes
  • CVE-2025-61873 – CSV injection via special characters in TSV exports from search results
  • CVE-2025-9158 – XSS via calendar invitations added to a ticket
Notable features
  • Calendar view for saved searches with grid icon, modal color selector, popup details, multi‑day expansion, and dark‑theme styling
  • Enhanced history filtering: transaction type filter, saved filter settings, paging support across ticket and asset histories, and search integration
Full changelog

RT 6.0.2 -- 2025-10-22

We're pleased to announce the general availability of RT 6.0.2. This
release adds significant new features, including a calendar view for
saved searches, enhanced history filtering and paging, and comprehensive
memory management improvements. Details on these and other updates,
bug fixes, and enhancements are below. This release also contains the
security fixes noted below.

https://download.bestpractical.com/pub/rt/release/rt-6.0.2.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-6.0.2.tar.gz.asc

SHA-256 sums

f3706fcfd2a6dfbdea58f3e9c64a7d17ae39bdd5928aeac61c4767f30f6b05c4 rt-6.0.2.tar.gz
8b19db97e2f33e49c75155b8827b5c6cda9ba4e379f81a80a383d4af57638e95 rt-6.0.2.tar.gz.asc

Security

The following security issues are fixed in this release.

  • RT 6.0 is vulnerable to CSV injection via ticket values with special
    characters that are exported to a TSV from search results. This
    vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones
    from 4armed for reporting this finding.

  • RT 6.0 is vulnerable to XSS via calendar invitations added to
    a ticket. This vulnerability is assigned CVE-2025-9158. Thanks to
    Mateusz Szymaniec and CERT Polska for reporting this finding.

General user features

  • Remove submit blocking class on back button push
  • Add user config option to disable keyboard shortcuts (thanks gibus!)
  • Add autocomplete feature for article search in top menu
  • Add delete column for HTML CF on bulk update
  • Support article autocomplete in SelfService
  • Use SimpleSearch for article searches from top menu
  • Show no results message for article search page
  • Refactor SelfService article search to be consistent with privileged
  • Style article autocomplete to fit in the top menu
  • Remove hide control from article display component
  • Display lifecycle name in Queue list (thanks @tbrumm!)
  • Add calendar as a new display option for saved searches
  • Add grid icon for selecting saved search display mode
  • Add a modal that shows all assigned calendar date colors
  • Support to dynamically select view mode for saved searches
  • Show popup with ticket details when hovering over calendar entries
  • Display popup values based on the Format
  • Expand first items for multiple-day events in each week
  • Display just ticket subject in calendar day entries
  • Remove redundant browser tooltip from calendar events
  • Show an error message when no dates for calendar are found
  • Allow for ticket to move position up on calendar
  • Clean up calendar styles and make it work with dark theme
  • Add ticket history search to History menu
  • Add a transaction type filter to history
  • Save History filter settings in page layout
  • Restore link style reverse history option for other history pages
  • Show filtering options only for tickets and assets
  • Add paging support to asset history widget
  • Set paging options via the History widget in page layouts
  • Add a new paging option for displaying ticket history
  • Limit page layout history options for assets
  • Apply page-specific history filters from page layout config for assets
  • Amend paging support of asset history widget
  • Make "Reverse history order" work on selfservice asset history page
  • Scroll to the top of the history window on page change
  • Make history options work with history search
  • Make filter form work with all history display modes
  • Close the history filter menu on apply
  • Respect empty type list when user deselects all transaction types
  • Show search history input only if fulltext search is enabled
  • Enable history search in self service
  • Respect history search state when refreshing history after inline edits
  • Remove the border color override and use bootstrap default
  • Support to quickly correspond/comment on tickets from search results
  • Show TimeTrackingDisplayCF on the user time worked report
  • In articles autocomplete, page until we get max results
  • Pause auto-refresh on saved searches in preview mode
  • Notify the user that the display mode change is a preview
  • Keep the saved search refresh button on the left
  • Initialize TomSelect objects for new cloned modals in page layouts
  • Determine custom role visibility based on page layout
  • Hide Visibility page for asset custom roles
  • Add page layout history link for queue history
  • Reduce modal width for ticket/asset filters
  • Use default bootstrap table styles and remove custom CSS
  • Avoid the blue outline for svgs on focus
  • Align tom-select input focus borders with RT inputs
  • Standardize menus in titlebox headers
  • Update AddWatchers for the new @HiddenRoles argument

Documentation

  • Don't reference specific versions in headings
  • Provide guidance on starting a test server (thanks andrew!)
  • Document the ModifySuggestions callback change
  • Improve formatting for @EmailDashboardLanguageOrder docs
  • Add docs for the new calendar display mode
  • Document the new custom role visibility location

Administration

  • Process Configurations before other RT objects in initialdata
  • Do not exclude ___Approvals queue in dumped json file
  • Support changing the name of a page layout
  • Support custom roles in CreateTickets templates (thanks @bdragon300!)
  • Allow From to be passed as an argument to Forward (thanks @MarkHofstetter!)
  • Add support to set default value(s) at CustomField creation (thanks elacour!)
  • Update deprecation warning messages
  • Skip the whole dormant period for old tickets when calculating SLA Due
  • Decode arguments parsed from URI for htmx internal redirects
  • Update page layout config when queue name changed
  • Fix syntax error in ticket search filter
  • Make REST2 optional and load only for the web server
  • Add Watcher transactions to the short filter list
  • Add Link transactions to the short filter list
  • Support AfterCustomFieldValue callback after code refactor
  • Add callbacks for link editing and display (thanks zach.kelly!)
  • Add EndOfPage callback on article display page (thanks zach.kelly!)
  • Deprecate old HiddenForURLs methods for custom roles
  • Defer loading DateTime to reduce memory at startup
  • Document memory saving tips for CLI
  • Provide a way to override any RT config option in CLI tools
  • Ensure SQL batches stay under 256MB
  • Skip CSS::Inliner for content over 1MB in size
  • Log unresolved ticket failures at warning log level
  • Log forwarded IP address when running behind a reverse proxy (thanks
    @wheldom01!)

Internals

  • Update importer SQL to correctly interpolate groups table names
  • Do not trigger any other htmx requests on parents for reload events
  • Use Time::HiRes to ensure we can find Time::HiRes::time (thanks andrew!)
  • Ensure changes are committed when adding CGM records without auto-commit
  • Add dashboards to menu by id instead of name
  • Count imported objects from cloned serialized data
  • The path argument should not use loc() (thanks @mkosmach!)
  • Align Articles autocomplete helper callback with other callbacks
  • Don't export removed CleanEnv (thanks buehler!)
  • delay is no longer the default for ShowHistory
  • Dispose datepicker (tempusDominus) objects for elements to be swapped out
  • Clean up obsolete hasDatepicker class that was from old jQueryUI
  • Destroy TomSelect and Dropzone objects for elements to be swapped out
  • Destroy CKEditor objects for elements to be swapped out
  • Dispose bootstrap orphan tooltip/popover/dropdown/modal objects
  • Update page layout config when queue name changed
  • Eliminate redundant transaction detail click event listeners
  • Migrate event listeners for menu dropdown to delegation
  • Tweak js event listeners to not reference to themselves
  • Avoid creating unnecessary global variables to prevent memory leaks
  • Clean up js code for obsolete IE
  • Drop obsolete style tweak for dropdowns in page menu
  • Hide tooltips for dropdown elements in history widget header
  • Use optional chaining for existing tom-select destroy
  • Register dynamic modal handlers only once
  • Batch updates to reduce the number of forced layouts in the browser
  • Restrict day evaluation to the visible calendar month
  • Reduce the blank padding around each day
  • Calculate last day border width
  • Ensure left and right side borders show correctly
  • Ensure date selection form has correct hx-target
  • Add dropup direction for TomSelect dropdowns
  • Remove noisy debug log messages no longer needed
  • Update tom-select build instructions to include overrides
  • Refactor GetCalendarTickets to return a single data structure
  • Refactor handling for multiple day calendar events
  • Run a PreCheck to check for linked Assets
  • Run a PreCheck for configured ProcessArticles
  • Run a PreCheck for configured LinkedQueues
  • Run a PreCheck step for widgets that may not display
  • Apply page-specific history filters from page layout config
  • Limit the asset type list to relevant types
  • Adapt history changes to work with assets
  • Convert history actions to htmx and retain search options
  • Use TicketList for History filter
  • Add a TicketList mode for abbreviated transaction list
  • Create GetTransactionTypes to provide a list of valid types
  • Switch to vanilla tooltip initialization method
  • Remove unnecessary blessed object arguments from paged history URL

Testing

  • Add selenium test for include article feature on ticket update page
  • Update dashboard tests to use id instead of name
  • Test article menu searches
  • Test SLA Due date for long-dormant tickets
  • Add a groups test to the rights inspector test
  • Use different attribute search examples (thanks zach.kelly!)
  • Add github actions config for rt-server tests with Oracle
  • Run github actions with updated 6.0.2 docker image
  • Test UTF-8 data for ticket simple search
  • Test adding custom field DefaultValues on create
  • Add tests for the upcoming custom role support in CreateTickets
  • Add tests for running Update-Tickets via CreateTickets template
  • Add tests for SetStatus action used with rt-crontool
  • Run tests against postgresql 16.10
  • Add tests for calendar functions
  • Demonstrate missing results from article autocomplete
  • Pass necessary widget arguments for mechanize tests
  • Update tests for custom role visibility changes

A complete changelog is available from git by running:
git log rt-6.0.1..rt-6.0.2
or visiting
https://github.com/bestpractical/rt/compare/rt-6.0.1...rt-6.0.2

rt-5.0.9 Breaking risk
Security fixes
  • CVE-2025-61873 — CSV injection via ticket values exported to TSV from search results
  • CVE-2025-9158 — XSS via calendar invitations added to a ticket
Notable features
  • User config option to disable keyboard shortcuts
  • Support update extension configs via web UI
  • Custom roles in CreateTickets templates
Full changelog

RT 5.0.9 -- 2025-10-22

RT 5.0.9 is now available for general use. The list of changes
included with this release is below. In addition to a batch of
updates, new features, and fixes, several security issues are
addressed. See below for details.

https://download.bestpractical.com/pub/rt/release/rt-5.0.9.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.9.tar.gz.asc

SHA-256 sums

913e9403ad422e0064ac9378baf2b13ba2b4c0119c891fe2cb4f2b51f3a5aeb8 rt-5.0.9.tar.gz
e357206ebcd9d1615fb6dba668963502ad1a920b3c66ac6cbcbba47fb59621d1 rt-5.0.9.tar.gz.asc

Security

The following security issues are fixed in this release.

  • RT 5.0 is vulnerable to CSV injection via ticket values with special
    characters that are exported to a TSV from search results. This
    vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones
    from 4armed for reporting this finding.

  • RT 5.0.4 - 5.0.8 are vulnerable to XSS via calendar invitations added to
    a ticket. This vulnerability is assigned CVE-2025-9158. Thanks to
    Mateusz Szymaniec and CERT Polska for reporting this finding.

General user features

  • Remove submit blocking class on back button click
  • Remove duplicate Asset entry in the shredder objects list
  • Add missing WebPath for modify scheduled process (thanks zach.kelly!)
  • Default to the current class for existing articles
  • Add user config option to disable keyboard shortcuts (thanks gibus!)

Documentation

  • Fix typo after rt-clean-sessions link in README
  • Provide guidance on starting a test server (thanks andrew!)
  • Document the ModifySuggestions callback change
  • Improve formatting for @EmailDashboardLanguageOrder docs

Administration

  • Support to update extension configs via web UI
  • Check meta IsJSON to determine if config is JSON
  • Make doc_url optional for plugin config options
  • Add NoReset config meta option
  • Do not allow to change $SendmailPath from web UI for security
  • Merge extension config meta with existing meta
  • Refactor stringify code to simplify logic for config edit page
  • Fix current value of DefaultQueue on config edit page when it's queue name
  • Show default queue's name on configuration page and config updated messages
  • Support import/export of @Configuration for JSON serializer
  • Process Configurations before other RT objects in initialdata
  • Do not exclude ___Approvals queue in dumped json file
  • Support custom roles in CreateTickets templates (thanks @bdragon300!)

Internals

  • Update importer SQL to correctly interpolate groups table names
  • Convert blocks to inline before scrubbing the HTML
  • Enable encode_entities and ignore_style_type_attr options for CSS::Inliner
  • Bypass ACL cache for owner validation on ticket queue change
  • Ensure changes are committed when adding CGM records without auto-commit
  • Add dashboards to menu by id instead of name
  • Count imported objects from cloned serialized data
  • The path argument should not use loc() (thanks @mkosmach!)
  • Align Articles autocomplete helper callback with other similar callbacks
  • Don't export removed CleanEnv (thanks buehler!)
  • Add support to set default value(s) at CustomField creation (thanks elacour!)
  • Skip CSS::Inliner for content over 1MB in size
  • Log unresolved ticket failures at warning log level
  • In the importer, ensure SQL batches stay under 256MB

Testing

  • Update docker image for tests
  • Update GitHub actions/checkout to v4
  • Update GitHub actions/cache to v4
  • Update simple-slack-notify GitHub action
  • Confirm that all of the shredder plugin pages load correctly
  • Test owner updates on queue change
  • Test showing incorrect class for new article
  • Add tests for Configurations export/import
  • Update dashboard tests to use id instead of name
  • Add a groups test to the rights inspector test
  • Add github actions config for rt-server tests with Oracle
  • Run github actions with updated 6.0.2 docker image
  • Test adding custom field DefaultValues on create
  • Add tests for custom role support in CreateTickets
  • Add tests for running Update-Tickets via CreateTickets template
  • Add tests for SetStatus action used with rt-crontool
  • Run tests against postgresql 16.10

A complete changelog is available from git by running:
git log rt-5.0.8..rt-5.0.9
or visiting
https://github.com/bestpractical/rt/compare/rt-5.0.8...rt-5.0.9

rt-4.4.9 Security relevant
⚠ Upgrade required
  • This is the last planned release for RT 4.4; users should upgrade to RT 5 or RT 6.
Security fixes
  • CVE-2025-61873 — fixes CSV injection via ticket values exported to TSV from search results
Full changelog

RT 4.4.9 -- 2025-10-22

RT 4.4.9 is now available for general use. This release contains just
one security update.

With the release of RT 6 in May 2025, this is the last planned release
for the RT 4.4 series. Users should upgrade to RT 5 or RT 6.

https://download.bestpractical.com/pub/rt/release/rt-4.4.9.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-4.4.9.tar.gz.asc

SHA-256 sums

cb7c4dffb4879e95d190e5d919bc13870926578394d3f0cd14f15b15dfedea8b rt-4.4.9.tar.gz
7c039d333e641c4a40c0dd929e24f10840a53aa89a3d698fd2e583001e191a80 rt-4.4.9.tar.gz.asc

Security

The following security issue is fixed in this release.

  • RT 4.4 is vulnerable to CSV injection via ticket values with special
    characters that are exported to a TSV from search results. This
    vulnerability is assigned CVE-2025-61873. Thanks to Gareth Watkin-Jones
    from 4armed for reporting this finding.

A complete changelog is available from git by running:
git log rt-4.4.8..rt-4.4.9
or visiting
https://github.com/bestpractical/rt/compare/rt-4.4.8...rt-4.4.9

rt-6.0.1 Breaking risk
Security fixes
  • Prevent modification of $ChromePath and $SendmailPath configuration options in the web UI; display them as read‑only text inputs for security.
Notable features
  • Add support for Dates widget on ticket update page
  • Provide a clean interface for SavedSearch options management and allow extensions to add custom SavedSearch options
Full changelog

RT 6.0.1 -- 2025-08-05

We're pleased to announce the general availability of RT 6.0.1.
This release primarily supports running the newly released RTIR 6.0.1.
Some new features and bug fixes are also included. A detailed list of
changes is provided below.

The new version is available here:

https://download.bestpractical.com/pub/rt/release/rt-6.0.1.tar.gz

SHA-256 sums

716650ddcb5fc5e87a6422bd341c70e56f28b276e9df0d2402ff1aa24b6dd260 rt-6.0.1.tar.gz
c9be232e8b8ffc7b3ad3f0edae018a07c69ab04315c8dc8f72c9b1c97a49d621 rt-6.0.1.tar.gz.asc

General User UI

  • Move inactive loading spinners to bottom of DOM to prevent blocking
    clickable elements
  • Fix multiple value handling in TomSelect inputs when splitting on delimiters
  • Improve visual consistency by applying Bootstrap styling to radio button
    columns
  • Fix "Reset" radio button functionality for select configurations on the
    config edit page
  • Convert CKEditor toolbar configuration to extended format for easier
    customization
  • Default to the current class for existing articles instead of system default
  • Exclude 'id' field from NOT NULL validation checks in user autocomplete
    on PostgreSQL to prevent invalid integer syntax errors
  • Exclude 'id' field from NOT NULL validation checks in group autocomplete
    on PostgreSQL to prevent invalid integer syntax errors
  • Preserve Description field content when changing queues on ticket
    create/update pages
  • Remove duplicate div.row.mt-2 wrapper for Sign/Encrypt inputs
  • Fix duplicated mt-2 CSS class for radio inputs in Boolean widget
  • Improve visual consistency in dark mode by fixing prefix/suffix border
    colors for input groups
  • Fix default reference links on ticket clone by using proper double-space
    delimiter
  • Render all default values in TomSelect user autocomplete inputs instead of
    only the first value
  • Automatically reveal history widget before jumping to anchor elements
    within it to support unread messages
  • Fix "Jump to Unread" functionality in ShowHistory "click" mode
  • Add clickable links from pending dependency status text to search results
  • Migrate GnuPG key select inputs to use RT 6 styling
  • Add support for Dates widget on ticket update page
  • Update copy button for conditions and actions to use boosted links
  • Remove duplicated saved search widgets on dashboard content page
  • Fix visual styling of inline edit links by removing trailing spaces
  • Support updating Description field on ticket Jumbo page
  • Replace deprecated ShowSummary widget in SelfService Asset Display
  • Add "g r" keyboard shortcut to reload main container
  • Avoid using
     tags when quoting text content
  • Preserve multiple spaces when rendering plain content instead of collapsing
  • Remove extra newline when quoting content with CKEditor 5
  • Support reverting in-use page layouts to their config file version

Administration

  • Fix DefaultDashboard attribute dependency handling now that Dashboards are
    in a separate table in the database
  • Remove duplicate Asset entries from shredder objects list that caused
    errors using Shredder in the web UI
  • Prevent modification of $ChromePath and $SendmailPath configuration options
    in the web UI for security reasons
  • Display ChromePath and SendmailPath as read-only text inputs instead of
    textareas on configuration edit page
  • Refactor configuration edit page stringify logic to simplify value handling
  • Fix display of current DefaultQueue value when configured using queue name
    instead of ID
  • Show queue names instead of IDs on configuration pages and in update
    messages for better readability
  • Improve visual alignment of reset checkboxes with their labels on
    configuration edit page
  • Skip unnecessary PageLayoutMapping configuration updates when creating
    queues with default layouts
  • Expand TicketSQL to support additional queue fields for searching
  • Fix ShowSummary template compilation errors and add deprecation test
  • Migrate old saved search and dashboard rights to new standardized names
  • Set LastUpdated field only when updates succeed and values actually change
  • Document the LastUpdated behavior change for ticket updates
  • Document the MessageBoxRichTextInitArguments configuration change for
    CKEditor toolbar customization
  • Merge extension config meta with existing meta
  • Show a message when a page layout tries to use a CustomFieldGrouping and it
    can't be found
  • Refresh the lifecycle cache after admin page changes to show the updated
    lifecycle

Extensions and RTIR Support

  • Provide a clean interface for SavedSearch options management
  • Allow extensions to add custom SavedSearch options
  • Make HTMX query arguments available via callback for dynamic requests
  • Add support for absolute paths in dashboard components (e.g.,
    "/RTIR/Elements/QueueSummary")
  • Enable email squelching for selected roles during ticket creation
  • Support merging arrays in PageLayoutMapping configuration to allow
    extensions to add custom mappings
  • Support merging arrays in CustomFieldGroupings configuration for
    extensions
  • Add callbacks to modify cached object items for constituency-specific
    filtering
  • Support hiding attachments in Message widgets for multi-ticket creation
    forms
  • Add BeforeCreate callback parameter for validation failure handling
  • Set dynamic form actions based on request path for extension-specific
    endpoints
  • Add BeforeShowWidgets/AfterShowWidgets callbacks for ticket creation page
    customization
  • Use general arguments to set default values from cloned tickets for
    better compatibility
  • Use loose SubmitTicket check on ticket create page to support multiple
    submit button scenarios
  • Support input name prefixes for multi-ticket creation scenarios
  • Support customizing message titles, people sections, and submit labels
    on ticket creation
  • Support keeping default status values that are normally excluded due to
    permissions
  • Allow limiting displayed groupings in Asset CustomFieldCustomGroupings
    widget
  • Add missing WebPath for modify scheduled process functionality (thanks Zack!)
  • Support limiting CustomFieldGroupings on Asset and Ticket creation pages
  • Expand ticket display check to cover additional display pages
  • Support refreshing process articles on ticket display pages
  • Add support for absolute paths in /Views/Ticket/ endpoints
  • Add BeforeActionList callback on Create page for ticket locking
    functionality
  • Add BeforeAbort callback for TSV export customization

Internals

  • Switch code formatting to use Perl::Critic's --perl-best-practices
    configuration
  • Adopt "not cuddled else" code style for improved visual distinction between
    blocks
  • Bypass ACL cache when validating owner permissions during queue changes to
    ensure accurate permission checking
  • Migrate body ID attribute to .main-container element with support for
    customized CSS classes
  • Clean up temporary debug code from development
  • Register event handlers only for newly added DOM elements to avoid multiple
    registrations
  • Migrate history loading to HTMX-powered system with boosted link support
  • Update quote selection mechanism to be compatible with HTMX request
    handling
  • Prevent Pragma headers from being set on cached HTTP responses
  • Cache /Helpers/UserInfo endpoint for improved performance
  • Avoid rebuilding top menu unnecessarily on main-container changes
  • Add support for import/export of @Configuration in JSON serializer
  • Ensure window.RT object exists in footer to prevent JavaScript errors
  • Convert more RT elements to use Labelled Value

Testing

  • Confirm that all shredder plugin pages load correctly
  • Update ticket_status test code for DOM changes in RT 6
  • Update mechanize test content to support input name prefixes
  • Add comprehensive test coverage for owner updates during queue changes
  • Add test showing incorrect class selection for new articles
  • Add test showing user autocomplete errors with 'id' return parameter
  • Add article autocomplete test with return=id parameter to verify
    functionality
  • Add test coverage for group autocomplete endpoint functionality
  • Add test showing group simple search errors with 'id' return parameter
  • Add test coverage for Configurations export/import functionality
  • Add Selenium tests for multiple requestors on ticket creation
  • Add test coverage for PageLayoutMapping updates during queue creation
  • Add test coverage for quote selection functionality on ticket update
  • Add Selenium test for SelfService Asset Display page
  • Add test with custom fields in page layout mapping to verify functionality
  • Confirm that page layout custom fields are applied before checking values

Complete Changelog

A complete changelog is available from git by running:
git log rt-6.0.0..rt-6.0.1

Or on the web at:
https://github.com/bestpractical/rt/compare/rt-6.0.0...rt-6.0.1
