request-tracker5 (5.0.7+dfsg-1) unstable; urgency=medium

  There is an information exposure vulnerability due to browser cache usage.
  If you have sensitive information, you may wish to enable the new
  $WebStrictBrowserCache option.

  This version of RT includes a database index upgrade. If you are using a
  dbconfig-managed database, you will be offered the choice of applying this
  automatically; if not, please apply this change separately using something
  like:

    rt-setup-database-5 --action upgrade --upgrade-from 5.0.5 --upgrade-to 5.0.6

 -- Andrew Ruthven  Wed, 15 May 2024 23:32:32 +1200

request-tracker5 (5.0.5+dfsg-1) unstable; urgency=high

  This version of RT includes a database content upgrade. If you are using a
  dbconfig-managed database, you will be offered the choice of applying this
  automatically; if not, please apply them separately using something like:

    rt-setup-database-5 --action upgrade --upgrade-from 5.0.4 --upgrade-to 5.0.5

  It is strongly recommended that you ensure that .../REST/1.0/NoAuth is only
  accessible for host(s) that run rt-mailgate for submitting email to RT. This
  is often the system which has request-tracker4 installed. The sample
  configurations supplied by these packages for Apache2 and Nginx restrict
  access to localhost only.

 -- Andrew Ruthven  Tue, 24 Oct 2023 00:07:21 +1300

request-tracker5 (5.0.4+dfsg-1) unstable; urgency=medium

  Below are specific notes on an important change in default setting in this
  release of RT and two changes that may break customisations, but please also
  review in full the notes in /usr/share/doc/request-tracker5/UPGRADING-5.0.gz
  and /usr/share/doc/request-tracker5/README.Debian.gz as there are some new
  features that you may want to enable.

  * Updated defaults for $WebSecureCookies

    The previous default value for the configuration option $WebSecureCookies
    was '0', meaning that RT did not, by default, set the Secure option on
    session cookies.
    The default for this option has been changed to '1', which will require
    all users to connect to the RT instance over SSL and will trigger other
    changes in browser behavior, such as cookie caching. If you are running RT
    over http without SSL, this will cause problems and you can set your local
    value back to '0'.

    RT previously did not set a SameSite policy for session cookies. How this
    is handled by browsers varies. RT 5.0.4 introduces the configuration
    option $WebSameSiteCookies with a default value of 'Lax', which provides
    additional defense against CSRF attacks in some browsers. See
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
    for more details on valid values, their meaning, and browser support.

  * ModifyLoginRedirect callback in Logout.html moved

    Best Practical try hard not to modify callbacks since they are made for
    external code to reference, but in this case the logic of the page changed
    and they had to move the callback location so it could correctly modify
    the URL value, if needed. If you were using this callback to modify the
    redirect URL on logout, your code will continue to work as intended.
    However, if you were using this callback for other reasons, you may need
    to update your code to use the BeforeSessionDelete callback instead.

  * Custom role keys in REST2 ticket endpoints changed

    Best Practical updated custom role keys from "GroupType" syntax like
    "RT::CustomRole-1" to "Name" in REST2 ticket endpoints, to be consistent
    with core roles. They also added a "CustomRoles" entry to cover all custom
    roles, making it consistent with similar results for "CustomFields".

  This version of RT includes a database content upgrade.
  If you are using a dbconfig-managed database, you will be offered the choice
  of applying this automatically; if not, please apply them separately using
  something like:

    rt-setup-database-5 --action upgrade --upgrade-from 5.0.3 --upgrade-to 5.0.4

 -- Andrew Ruthven  Sat, 27 May 2023 15:52:14 +1200

request-tracker5 (5.0.3+dfsg-1) unstable; urgency=medium

  Below are some specific notes about changes in this major new release of RT,
  but please also review in full the notes in
  /usr/share/doc/request-tracker5/UPGRADING-5.0.gz and
  /usr/share/doc/request-tracker5/README.Debian.gz.

  This version of RT incorporates several new plugins, which should be removed
  from the system if installed locally to prevent conflicts:

  * RT::Extension::QuoteSelection
  * RT::Extension::RightsInspector
  * RT::Extension::ConfigInDatabase
  * RT::Extension::CustomRole::Visibility
  * RT::Extension::PriorityAsString
  * RT::Extension::AssetSQL
  * RT::Extension::LifecycleUI
  * RT::Extension::REST2
  * RT::Authen::Token

  A bug with the Mason cache introduced in 4.4.5 is fixed. This mostly impacted
  RTIR users, but could show up with broken links in other cases also.

  This version of RT includes a database content upgrade. If you are using a
  dbconfig-managed database, you will be offered the choice of applying this
  automatically; if not, please apply them separately using something like:

    rt-setup-database-5 --action upgrade --upgrade-from 4.4.6 --upgrade-to 5.0.3

 -- Andrew Ruthven  Thu, 21 Jul 2022 17:06:28 +1200
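An added check for the $WebSecureCookies and $WebSameSiteCookies change described in the 5.0.4 entry above (example code, not RT's or the Debian package's own): it parses the Set-Cookie headers an RT front end returns and reports a session cookie that lacks the new defaults, or a Secure cookie served over plain http, which is the breakage the entry warns about. It assumes RT's session cookie name begins with RT_SID_ and uses constructed sample headers rather than a capture from a real instance.

```python
# Added example (not part of RT or its Debian packaging): audit Set-Cookie
# headers against the RT 5.0.4 defaults ($WebSecureCookies = 1,
# $WebSameSiteCookies = 'Lax').  Assumption: the RT session cookie name starts
# with "RT_SID_"; adapt the prefix if your instance names it differently.


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (cookie name, {attr: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to ''.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookies(set_cookie_values, scheme="https"):
    """Return findings for each RT session cookie among the Set-Cookie values.

    scheme is the URL scheme the browser used to reach RT: a Secure cookie sent
    over plain http is discarded by the browser, so logins silently fail.
    """
    findings = []
    for header in set_cookie_values:
        name, attrs = parse_set_cookie(header)
        if not name.startswith("RT_SID_"):  # assumption: RT session cookie prefix
            continue
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute; $WebSecureCookies is 0")
        elif scheme == "http":
            findings.append(f"{name}: Secure cookie served over http; browsers drop it")
        samesite = attrs.get("samesite", "").lower()
        if samesite not in ("lax", "strict"):
            findings.append(f"{name}: SameSite is {samesite or 'unset'}; "
                            "$WebSameSiteCookies should be Lax")
    return findings


# Constructed sample headers, not captured from a real RT instance.
RT_504_DEFAULTS = ["RT_SID_rt.example.com.443=abc123; path=/; HttpOnly; Secure; SameSite=Lax"]
PRE_504_DEFAULTS = ["RT_SID_rt.example.com.80=abc123; path=/; HttpOnly"]

if __name__ == "__main__":
    for label, headers in (("5.0.4 defaults", RT_504_DEFAULTS),
                           ("pre-5.0.4 defaults", PRE_504_DEFAULTS)):
        print(label, audit_session_cookies(headers) or ["ok"])
```

To check a live instance, feed it the Set-Cookie values from the login response (for example from a curl -i request) with the scheme actually used by your users.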