---
- branch: MAIN
  date: Thu Nov 2 19:15:11 UTC 2023
  files:
  - new: '1.2'
    old: '1.1'
    path: pkgsrc/devel/rt5/Makefile
    pathrev: pkgsrc/devel/rt5/Makefile@1.2
    type: modified
  - new: '1.2'
    old: '1.1'
    path: pkgsrc/devel/rt5/PLIST
    pathrev: pkgsrc/devel/rt5/PLIST@1.2
    type: modified
  - new: '1.2'
    old: '1.1'
    path: pkgsrc/devel/rt5/distinfo
    pathrev: pkgsrc/devel/rt5/distinfo@1.2
    type: modified
  id: 20231102T191511Z.5d5ef943bcefd53a0ef7fa6ca408b133ac29743a
  log: |
    rt5: update to 5.0.5

    RT 5.0.4 -- 2023-05-04
    ======================

    Security

    * jQuery UI is updated to version 1.13.2, which addresses a security
      issue in earlier jQuery UI (CVE-2022-31160). This issue does not
      impact RT directly as RT does not currently use the impacted code.

    General user features

    * Split the select of watcher criteria in query builder; with a single select, this list would grow too long
    * Display entry hint in people section of ticket display page
    * Add missing css rules to buttons to improve UI consistency
    * Increase search field column width, mainly for role fields
    * Include custom roles in the core watcher search criteria
    * Hide asset menu search if simple search is disabled
    * Fix multiple mt-* classes that are applied at the same time to fix display bugs
    * Retain Class and ObjectType when query parsing contains errors; prevents query parsing actions in transaction search from reverting to ticket search
    * Clear floating elements from correspondence
    * Show custom field diffs in transaction history
    * Fix bug that caused HTML custom fields to show 'text/html' as value
    * Move user custom fields on "Settings > About me" page to make better use of space
    * Fix the menu drift when clicking on repositioned submenus caused by screen width overflow
    * Fix issue where a submenu could flash out when clicking a submenu option (specifically, in Chrome-based browsers)
    * Fix runtime error in SelfService Asset Display (I#37377)
    * Improve Reports/Update This Menu CSS styling
    * Improve 'Error: public key' template to avoid confusion for new installs (I#37360)
    * Show RT support email address in the RemoteAuth error page
    * Show RT support email address on PSGI/database error page
    * Block ticket creation/update when there's invalid recipients
    * Disable browser spell check for custom code box (thanks Christian Mehlmauer!)
    * Make Actions page menu scrollable in case it's too long to fit on screen
    * Allow CKEditor (rich text) boxes to vary in height based on context/usage
    * Fix bug preventing the toggling/display of initially rolled-up widgets
    * Allow unchecking of "Suppress if empty" checkbox for dashboard subscriptions
    * Load more history for unread messages with on scroll setting so new messages can be accessed via the "Jump to Unread" button
    * Exclude favion.png from generated dashboard email
    * Add extra css to dashboard emails to improve display for some email web clients (such as Gmail and Outlook)
    * Fix Ticket/Create.html's display of Links block
    * Refactor Edit Links to fix bug in page display
    * Exclude asset custom roles from ticket search
    * Fix custom role's name in the result message when adding members
    * Add support for custom roles in asset searches
    * Improve performance of one-time email lookup
    * Improve page layout by dropping an extra form-row wrapper (LabeledValue already has one)
    * Fix layout of ticket graph page
    * Add back missing current-value span to fix alignment of rows in asset widget of ticket page
    * Re-add the missing Creator row for article display
    * Revert LabeledValue changes to role inputs
    * Make article autocomplete case insensitive
    * Force EmailAddress to be the default return value for EmailInput
    * Prettify "Show ticket history" by making it look like a button
    * Add multiple order by and order indicators in search results header
    * Make autocomplete work in dynamically created modal popup
    * Support to pass user name as default value for owner input autocomplete
    * Allow to show empty option even when default value is present; allows current Priority filter to show while allowing user to unset it
    * Allow users to filter ticket search results via headers
    * Allow text but not icons to wrap in search header (in Firefox)
    * Provide default 'select all' for some search terms; prevents erroneous "error parsing your search query" messages (I#36902)
    * Reset queue-level default values on queue change on ticket create page; previously, defaults didn't change even if another queue was selected (I#37242)
    * Show end users a message if a SQL error occurs
    * Update search results to use Bootstrap/modern pagination styles
    * Add box to jump to search results page
    * Add UI for custom field validation hints
    * Improve color and spacing for custom field FriendlyPattern UI
    * Target keyboard shortcuts accurately for search result modal popups
    * Fix combobox controls to not clear user inputs on dropdown click
    * Format auth token list with a title box
    * Removed extra space between Cc and Bcc in the ticket update cc Element
    * Handle implicit form submissions in search filter modals (i.e., act as if the "Apply" button was clicked)
    * Fix broken search input formatting on "Manage GnuPG Keys" page
    * Always show a Logout link in the menu
    * Make number of search results per-page configurable
    * Add information about search preferences
    * Remove extra space from titleboxes in query builder's Sort and Display Columns boxes
    * Prevent main navigation from overlapping with custom logo
    * Make pie/bar in js charts clickable again for saved searches
    * Automatically enable live search for selects that have 10 or more options
    * Force to use light theme for dashboard emails; prevents broken display of dashboard emails in email clients that try to automatically apply your system's dark/light theme to emails
    * In query builder, show a solid funnel next to header column if that column is a filter in the search
    * Add "unknown" default priority option to priority select list; shows if a ticket's priority is unknown or no longer valid
    * Make search filter modal popups scrollable (in case of long content)
    * In query builder, increase queue limit to 100 in search filter (as the modal is now scrollable)
    * Add URL shortening of search URLs
    * Add shortener support to saved searches
    * Shorten subqueries on chart page
    * Fix bug that adds duplicated criteria to queries generated on chart page
    * Reduce whitespace between the continuous descriptive paragraphs
    * When commenting or corresponding, only quote text from transaction areas in the ticket history
    * Remove unnecessary spacing in layout of user custom fields in SelfService Prefs
    * Fix label typo for asset description
    * Fix bug that could prevent live-search in select widgets (Safari and Firefox)
    * Improve UI consistency by wrapping textarea/attachment inputs in a form-row
    * Remove extra vertical space of select inputs to be consistent with other inputs
    * Use consistent space among input rows for ticket forms
    * Replace fontawesome funnel icon with bootstrap version
    * Drop the obsolete fontawesome filter icon
    * Removed extra space between Cc and Bcc in the ticket update cc Element
    * Update data-live-search attr for bootstrap select before initialization
    * Show customized operator/value inputs for cfs on admin user search page
    * Support to wrap textarea/attachment inputs into a form-row for space settings
    * Remove extra vertical space of selectized inputs to be consistent with other inputs
    * Use consistent space among input rows for ticket forms
    * Use HTML content for articles by default
    * Format article HTML content correctly when EscapeHTML is disabled
    * Add extra newlines to make boundaries of different article fields clear
    * Clarify usage of the $EmailSubjectTagRegex setting
    * Adapt formatting for mixed HTML and plain text quoting in Outlook message
    * Display key details for text/calendar messages (meeting invitations)
    * Various improvements for search filter controls
    * Limit dropdown size in owner search filter modal
    * Convert some search icons to inline svg for easier styling
    * Drop the duplicated div.value in EditTopics
    * Hide tooltips everywhere on click

    RT 5.0.5 -- 2023-10-19
    ======================

    Security

    The following security issues are fixed in this release. Thanks to
    Tom Wolters of Chapter8 and the National Cyber Security Centre in
    The Netherlands for reporting the first two findings.

    * RT is vulnerable to accepting unvalidated RT email headers in
      incoming email and the mail-gateway REST interface. This
      vulnerability is assigned CVE-2023-41259.
    * RT is vulnerable to information leakage via response messages
      returned from requests sent via the mail-gateway REST interface.
      This vulnerability is assigned CVE-2023-41260.

    Related to the above, in addition to upgrading to this new version,
    access to the mail-gateway REST endpoint can, and in most cases
    should, be restricted to only the RT server itself (localhost). This
    access restriction can typically be applied in the web server running
    with your RT (Apache or other). This configuration is more clearly
    documented as part of this release and we recommend all RT admins
    review your web server configuration and consider restricting access
    to this mail-gateway REST endpoint.

    * RT 5.0 is vulnerable to information leakage via transaction
      searches made by authenticated users in the transaction query
      builder. This vulnerability is assigned CVE-2023-45024. Thanks to
      edk and bakerst of Libera Chat for reporting this finding.
    * RT 5.0 can reveal information about data on various RT objects in
      errors and other response messages to REST 2 requests.

    General user features

    * Include "Create" transactions when checking if there are unread messages
    * Support HasUnreadMessages and HasNoUnreadMessages criteria for ticket search
    * Make simple search result refresh always function
    * Support to download custom field attachments from SelfService
    * Allow additional ticket relationship graph directions
    * Add the missing Principals autocomplete URL for Self Service
    * On the People page, list current user in "All Recipients" if it's a watcher
    * Align existing attachment list
    * Show direct members for charts grouped by watchers in perl calculation
    * Add the same separator as ticket cfs for user cfs in Spreadsheet
    * Exclude owner email address from one time Cc/Bcc inputs
    * Require unique name for Conditions and Actions
    * Enable the selectpicker class for multiselect cfs
    * Don't highlight "RT for" as the active menu
    * Show that a principal is disabled while editing people inline
    * Fix empty updates sending emails with html signatures
    * Remove mobile restrictions for CKEditor
    * Get the Stylesheet of the called user object instead of its CurrentUser
    * Tweak quoted selection content and quote it with blockquote for html
    * Fix lifecycle new status removal
    * Improve Lifecycle validation messages
    * Allow to wrap for normal collection list headers
    * Make search chart tables responsive
    * Adjust EmailInput element to use the correct autocomplete helper
    * Make Principals Helper compatible with EmailInput element
    * Add a __SelectedUser__ search placeholder and portlet to set it
    * Do not disable inline edit after errors
    * Fix Find Group portlet input size
    * Fix Find Asset portlet input size
    * Avoid adding duplicated prefixes like "Ticket ID: " on bulk update pages
    * Use id prefix for core field update messages consistently
    * Rebalance page menu when the entire page (not just DOM) is ready
    * Return success when disabling a disabled record via REST 2
    * On ticket update, update names in Cc/Bcc select boxes when checking/unchecking one-time "All recipients"
    * On dashboard edit, drop height CSS rules for each section in source selection boxes to prevent overlap
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/devel/rt5'
  unixtime: '1698952511'
  user: markd