Mailing List Archive

Request Tracker New Releases and Training in Rome, Italy
As mentioned in our last announcement, we are in the process of changing our list management solution for our RT-Announce mailinglist.

We want to use this opportunity to ask you to verify that you'd still like to receive our updates for new product releases and training announcements. If so, please opt-in by visiting

Thanks for your continued support!


RT 4.4.4 and RT 4.2.16 Released

We are happy to announce the general availability of RT 4.4.4. This release contains important security updates, mostly in modules RT depends on. It also introduces several new features to help organizations comply with the EU’s new General Data Protection Regulation (GDPR) and a number of general updates and fixes.

RT 4.2.16 is a maintenance release for the RT 4.2 series and contains security updates, but does not include the new GDPR features. Upgrade to RT 4.4.4 to get access to the new features and many other features introduced in the RT 4.4 series.

GDPR Features

The EU’s new GDPR introduces new guidelines and legal requirements for the storage and handling of user information. Depending on how you use RT, it can contain contact information for end users like email address and potentially additional data. Several new features were added to RT to help administrators work with potential requests from end users.

* New ways to download user data to format-neutral tsv files.
* Options to anonymize or remove users.
* A tool to remove PII from transaction history.
* Allow self service users to optionally view and edit their personal data.

Security Updates

The following security updates apply to both RT 4.4.4 and RT 4.2.16. Note that most are in dependencies of RT and not RT directly, so new versions of the noted modules need to be updated in addition to updating RT.

* One of RT’s dependencies, the Perl module Email::Address, has a denial of service vulnerability which could induce a denial of service of RT itself. We recommend updating to Email::Address version 1.912 or later. The Email::Address vulnerabilities are assigned CVE-2015-7686 and CVE-2015-12558. CVE-2015-7686 was addressed in RT with a previous update. Email::Address version 1.912 addresses both of these CVEs with updates directly in the source module. Thanks to Ricardo Signes for helping us with these updates.

* One of RT’s dependencies, the Perl module Email::Address::List, relies on and operates similarly to Email::Address and therefore also has potential denial of service vulnerabilities. These vulnerabilities are assigned CVE-2018-18898. We recommend administrators install Email::Address::List version 0.06 or later. Thanks to Lukas Kramer for reporting the issue and Alex Vandiver for contributing fixes.

* An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML in some cases. Since RT relies on this module to escape HTML content, it’s possible this issue could allow malicious HTML to be displayed in RT. For RT’s using this optional module, we recommend administrators install HTML::Gumbo version 0.18 or later. Thanks to Ruslan Zakirov for updating this module.

* The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting (XSS) vulnerability when using cross-domain Ajax requests. This vulnerability is assigned CVE-2015-9251. RT does not use this jQuery feature so it is not directly vulnerable. jQuery version 1.12 no longer receives official updates, however a fix was posted with recommendations for applications to patch locally, so RT will follow this recommendation and ship with a patched version.

Additional details about the new releases can be found by visiting


RT Training, Rome, Italy - May 29-31, 2019

Join us in Rome for the first RT training session of 2019. Our 3-day session covers everything you need to know, from day-to-day use, to administration, and custom development. Please visit for additional details and to reserve a spot.

- The Team at Best Practical
rt-announce mailing list