We have discovered a security vulnerability in RT 4.2.x, detailed below.
We are releasing RT version 4.2.8 to resolve this vulnerability, as well
as patches which apply atop all released versions of 4.2.

RT 4.2.0 and above may be vulnerable to arbitrary execution of code by
way of CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, or
CVE-2014-6271 -- collectively known as "Shellshock." This vulnerability
requires a privileged user with access to an RT instance running with
SMIME integration enabled; it applies to both mod_perl and fastcgi
deployments. If you have already taken upgrades to bash to resolve
"Shellshock," you are protected from this vulnerability in RT, and there
is no need to apply this patch. This vulnerability has been assigned

As there is no SMIME integration available for RT 4.0, it is not
vulnerable to this attack. The RT-Crypt-SMIME extension for RT 3.6.0,
while also vulnerable, is no longer supported.

The README in the tarball contains instructions for applying the
patches. If you need help resolving this issue locally, we will provide
discounted pricing for single-incident support; please contact us at
firstname.lastname@example.org for more information.
This is just a reminder that Best Practical's next Request Tracker training is taking place on November 4-5 in Los Angeles, CA. This will be our last public session of 2014! This training will introduce you to the new features in RT 4.2 as part of a comprehensive overview of RT. Whether you've been using Request Tracker for years or are a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.
For both days, it is USD $1,495 for one person. This includes training materials, continental-style breakfast, and snacks. You can register by heading over to our shop to pay via credit card (Amex not accepted, unfortunately). You can also drop us a note at email@example.com if you'd rather we send an invoice. Finally, if you're from an academic institution, or would like to send more than 3 people, let us know so we can give you a bit of a discount. Please feel free to write in with any questions you have!
We are pleased to announce that RT 4.0.22 and RT 4.2.7 have just been released. They are primarily bugfix releases; most notably, they rework UTF8 data handling to work with versions of DBD::Pg 3.3.0 and above. On PostgreSQL, this requires a newer version of DBIx::SearchBuilder. A complete list of changes is available from the release notes.
Great news! Our Q4 RT training session will be held in Los Angeles, CA on November 4-5, 2014! We do have a limit on how many people we can effectively teach, so please register as soon as you can to make sure you get a seat. If you can't make LA, please feel free to suggest a future location by dropping us a line at firstname.lastname@example.org! Also, we still have a few spots in our upcoming Boston training! If you haven't registered yet but want to attend, now is the time!
This training will introduce you to the new features in RT 4.2 as part of a comprehensive overview of RT. Whether you're an old hand at RT or a recent convert, you'll have a good understanding of all of RT's features and functionality by the end of the session.
The first day starts off with a tour of RT's web interface and continues with a detailed exploration and explanation of RT's functionality, aimed at non-programmer RT administrators. We'll walk through setting up a common helpdesk configuration, covering rights management, constructing workflows and notifications, and the basics of Lifecycles.
The second day of training picks up with server-side RT administration and dives into what you need to safely customize and extend RT. We'll cover upgrading and deploying RT, database tuning, advanced Lifecycle configurations, writing tools with RT's API, and building an extension, and we'll demonstrate how to extensibly alter the web UI and internal functions.
It goes without saying that you'll get the most out of training if you attend both days of the course, but we've designed the material so that you can step out after the first day with a dramatically improved understanding of how to use RT.
For both days, the cost is USD $1,495. A single day is USD $995. Each class includes training materials, a continental breakfast, and snacks (lunch is not provided).
If you'd like to pay with Visa, MasterCard or Discover, please visit Best Practical's online store. Unfortunately, we are unable to accept American Express or PayPal. If you'd prefer to pay with a purchase order, please email us at email@example.com. Be sure to include whether you want to attend both days or a single day, along with the full names and email addresses of attendees.
Finally, please contact us at firstname.lastname@example.org for discounted pricing if you are from an academic institution or if you'd like to send more than 3 people.