Log message:
Update of rt3 to version 3.8.9

Changelog:

SECURITY

* Move to a SHA-256 based password hashing scheme
* Redirect users to their desired pages after login.
  This prevents possible back button attacks after a user logs out.
* Clone Scrip's TicketObj since we change the CurrentUser and it can
  leak information (Custom field values, etc)

INSTALLATION

* Fixes to the RH Layout in config.layout

ACCESS CONTROL

* New AdminCustomFieldValues right that allows user to add/remove
  CF values, but not edit the CF

CONFIGURATION

* Add ResolveDefaultUpdateType to choose between Comment or Correspond
  on Resolve
* When using Set($MailCommand, 'testfile') log all mail to the
  same tmpfile
* Add a callback to allow extensions to redirect a user to an external
  auth logout URL using RT's logout button. This ensures that the user's
  RT session is cleared
* Add SuppressAutoOpenOnUpdate preference

DOCUMENTATION

* Clean up README
* Update UPGRADING.mysql documentation for users of older mysql
* Flag that "Let this user be granted rights" means "Privileged"
* Fix rt-crontool examples to use a real Condition
* Undocument SenderMustExistInExternalDatabase since the code was
  never merged
* Better document SetOutgoingMailFrom
* Better document shrink_cgm_table.pl

DATABASE

* Add support for Postgres 9
* No longer record transactions for ACL Equivalence Groups
* Don't delete all RT MySQL ACLs before invoke GRANT
* Quote database name for GRANT on MySQL
* Insert extensions' schema and acl files as the DBA
* Fix searches for empty Attachments on Oracle

EMAIL

* Better handling of mail generated by Outlook
* When RT's SendmailCommand fails, record it in ticket history
* New GPG tests and bugfixes for corner cases
* use EmailOutputEncoding for Content-Type.charset
* Handle failures in MIME Encoding better
* Small bugfixes for text/html templates
* Fix MIME decoding on ticket subjects
* Remove stray colons and whitespace in the default Admin Comment
  template

USER INTERFACE

* Fix an infinite loop when using the 3.4-compat theme
* Fixes to CollectionList sorting
* css positioning tweaks for page menus
* Fixes for Bulk Update when users click 'Add More Files'
* Skip all watchers when offering to add CCs as Watchers
* Fix ahah.js to handle more than one CF 'Include page' link
* Ensure that Nobody is always at the front of the Select Owner list
* Link Basics in SelfService to the Update page
* Fix toggling js to only run once
* Ensure signatures are included in Jumbo edits
* Better identify (in the UI) a misconfigured GPG setup
* GPG key management UI updates
* Add classes/ids to the Custom Field Editing pages
* CSS Fixes for preferences widgets
* Fix truncated top values on Charts
* Wording and layout changes for the 'update password' widget
* Ensure that we keep Anchor tags on redirects
* Fix loading a new search on the Chart/Graph pages
* Change Attachment size label from Bytes to Megabytes
* Respect timezones in timestamps in /Approvals/
* Charset fixes for Ticket Attachment downloads
* Bar graph fixes for large numbers of bars
* Allow a callback on QuickCreate to pass a default Status
* Fix Approvals to make one search for approval tickets that distincts
  and orders them
* Link from Group Membership lists to User admin pages
* New callbacks (autohandler, default queue, aborting ticket updates,
  after requestor on create)
* Fix non-local local links and add t: syntax
* Editing Transaction custom fields now shows errors inline
* Use the ShowUser element more consistently across the UI

TOOLS

* Improvements to extract-message-catalog (translation tool)
* Let shrink_cgm_table and shrink_transactions display "percent complete"
* Added a simple script to naively generate a RTAddressRegexp
* Install rt-attributes-viewer originally shipped with 3.8.8
* bin/rt now searches for global configs in LOCAL_ETC_PATH also

OTHER BUG FIXES

* No longer refuse to start if you upgraded from a version of RT that
  allowed you to have invalid Scrips
* Handle broken Reminders links when users change their Organization
* Trim whitespace from CustomFieldValues consistently
* RFC2616 dates are always in UTC
* Scrips can no longer have an empty Condition, Action or Template
* make multi-value REST fields separated with commas ignore spaces
* Localize ENV changes under mod_perl
* Don't page group memberships for a User
* Skip disabled Queues when a Simple Search term matches a Queue Name
* Add TransactionObj to CreateTickets templates to match the docs
* Fix the use of Tickets_Local.pm in rt-email-dashboards and rt-crontool
* Escape more characters in graphviz output
* Fix message when you fail to delete a saved search to tell you
  Permission Denied
* Include Rules with Scrips when previewing recipients
* Ensure that distribution upgrades that break Scalar::Util show up in
  apache logs
* Fix warnings on empty Collection List headers
* Log errors from safe_run_child
* Refuse to run if webmux.pl and RT.pm are mismatched
* Actually log the error that caused "Can't load a principal for id #"
* Switch to using $Approver->Name in templates since an AdminCc can
  approve
* Allow fastcgi_server to specify a port
* Guard against SavedSearches with no content
* Ensure our output is always flagged as utf-8
* Allow queries like "Priority > -2"
* Fixes to Private/Public key methods
* Return 'set private key' from SetPrivateKey, not 'unset private key'
* Protect STDOUT under mod_perl - among other things, this fixes
  Scrips that use system()
* Fix forwarding of messages without a top level textual part

Log message:
update to version 3.8.8, partially by sno@

Upstream Changelog:

NEW FEATURES AND MAJOR CHANGES

* Aaron Sigel performed a security audit of RT and pointed out
  a number of potential improvements which have been addressed

* Charts improvements

    * Time-based charts can now show "hourly" goupings.
    * ChartFont option is now hash with font per language.
    * Two default fonts are shipped with RT to cover most
      supported languages.
    * The table of chart results now contains links to tickets
      matching a given row.
    * Timezones support, but protected with config option.
    * Better scaling of Y axis.
    * X axis labels are now vertical if there is not enough
      space to display them horizontally.

* RTAddressRegexp option improvements

    * No default value anymore.
    * If no value is set then RT will attempt to calculate the right value
      from the user-defined queue addresses.
    * On create/update/people pages RT now checks addresses
      users enter and stop users from entering known
      addresses for RT queues.

* Admin UI improvements

    * Improved display of the "About this RT" page.
    * More pages in the Admin UI have been switched to generic
      code to list objects (like tickets in search results)
    * Display formats for these objects are now configurable
      in the config file (%AdminSearchResultFormat)
    * More columns in column maps for objects other than
      tickets.

* Custom fields ordering and application improvements

    * Queue specific custom fields now can be placed above
      global, below or even in the middle. Order of global
      custom fields stays the same in all queues, but a custom
      field that is applied to particular queues can be placed
      differently in each queue.
    * Make it possible to apply a CF globally from 'Applies To'
      page.
    * RT no longer allows you to apply a CF globally and to queues
      at the same time. When CF is applied globally it is
      un-applied from specific queues first.

* Refactored simple (googleish) search

    * new options in the config to control defaults
    * new keywords to search for particular things

* RSS feeds now contain embedded single-query authentication strings
* We've Introduced a config option to prevent adding the
  RT-Originator header in outgoing mails.
* New MessageBoxIncludeSignature* options
* LogoutRefresh config option to control how long to wait
  before going back to login
* New config option for AttachmentUnits
* New config option for AlwaysDownloadAttachments
* RT now requires your current password to change any password
* Improved LinkValueTo and returned back functionality

    * if LinkValueTo starts with __CustomField__ then don't
      escape it, but make sure it's not a JS link
    * escape links using HTML escaping
    * don't wrap into <a> with empty href if link is empty

* Added DefaultMailPrecedence and DefaultErrorMailPrecedence
  config options
* Squelch watchers on update. This makes doing silent
  Updates possible
* New web handler: bin/fastcgi_server
* Refactored Elements/ShowUser so it's easy to add custom
  formats. Several performance improvements in this code.
* MERGE_CACHE to cache information about merged tickets and
  lower logs and DB impact on re-checks
* Made NotifyActor into a User Preference
* If the MIME entity has header X-RT-Squelch, do not send
  the message
* Improved print layouts
* Serve images in js and css dirs as static files,
  so browsers cache them more agressively
* Added HasAttribute and HasNoAttribute to TicketSQL
* New faster and less memory hungry TicketsMaps - First, Prev,
  Next and Last links when you view tickets from the current
  search. Size is now limited by a new config option. Floating
  window is used to build the links.

CLEANUPS AND SMALL IMPROVEMENTS

* Updated doc/Security with more modern security tips
* Made the plaintext mono feature work in IE.
* Better timezone handling in Tools/Reports/ResolvedByDates.html
* Make sure we don't serve files outside RT's paths
* Additional checks to make sure that credentials
  are sent to RT on Login
* Moved CustomField column map from tickets' to generic
* Make height, width, href and alt of the logo configurable
* Load as much as possible when a web-handler with forks
  is used, this increase memory sharing across processes
* A link provided for approvals templates to whoever worked
  the approval
* Global __WebRequestPath__ and __WebRequestPathDir__
  column map entries
* Process custom fields in ModifyDates.html
* Handle Ccs and AdminCcs of the queue in SkipNotification
  feature
* Sort callbacks within a root only, respect plugins
  order
* Add some wording to the check boxes on the reply pages
* Reduce whitespace on bottom of boxes as was earlier
* Use smaller margin for reminders display to save space
* Use a reasonable length for scrip descriptions
* Removed a lie about RT CLI still being "unsupported"
* User friendlier errors handling thrown by Calendar::Simple
* Split some CSS from themes into base/xxx.css
* Googleish search was making incorrect assumptions
  about RT::User and RT::Group's Load function
  returning a boolean not a list. This was throwing
  (harmless, but ugly) errors.
* Don't apply order on collections if sorting is not
  allowed
* Removed the "URL" parameter to 'Logout' as it had no
  legitimate use.
* make instal and testdeps tests to avoid some versions
  of modules that are known to be buggy or incompatible,
  for example DBD::Oracle 1.23

BUG FIXES

* properly use AND/OR when content is searched and
  DontSearchFileAttachments option is enabled
* Make sure Merge only possible when user has Modify
  right on both tickets
* Fixes for UseSQLForACLChecks option, it was possible
  to construct a query and see tickets an user has no
  right to see. Lots of tests have been added to make
  sure it wouldn't happen again.
* SQL used for ACL checks has been refactored to get
  more effective queries. Especially when list of
  potential owners is built for the query builder.
* Unified API for tables with disabled column and
  fixes when ->Count could return bigger value
  when some CFs are disabled.
* I18N was transcoding attachments to UTF-8 one line
  at a time. This doesn't work at all for UTF-16 and
  probably other encodings.
* Fixed encoding problem when loading a dump file
  produced by rt-dump-database.
* A closing </li> was missing in PreviewScrips comp
* Fixed config loading when Fcntl module or other exporting
  symbols is loaded. Load was failing with "Not a SCALAR
  reference" error.
* Returned back effective SQL when searching by CFs with
  = or != operator
* Fixed error on login when user make mistake in password
  and he entered character out of ASCII range.
* Honor a user's MessageBoxRichTextHeight setting
* Fixed query builder behaviour with NULLs and '' (empty values)
* Fixed potential information loose on incorrect GnuPG mails
* Fixed display-all-rows in Dashboards
* Fixed JS escaping issues
* Set context object in OCFV::CustomFieldObj
* Sessions ended up in /tmp/ in some cases
* Fixed safe_run_child when code dies between fork and exec,
  deals with "mysql server has gone away" error
* fix Jumbo reloading and losing message content
* Stop infinite looping when you have global custom
  fields and no Queue restriction
* Fixed sorting of custom fields in Results.tsv
* Set of fixes for Unicode characters in emails
  and tests covering these changes
* Don't create handles we don't need, we can hit limit
* Prevent servers using GnuPG from running out of file handles

TRANSLATION

Updates merged from launchpad and two new languages: nn.po
and pt_PT.po. Thanks to all contributors.

CALLBACKS

* AboutThisUser in ShowPeople box
* Between the GnuPG and message rows
* AfterSubject
* Before and After CustomFields
* Before and After TransactionCustomFields
* AfterAddress in PreviewScrips
* At the top of ticket summary columns
* For adding links for attachment downloads
* At the bottom of the logout box
* Pass more information to the FormStart callback
  in Ticket/Update.html
* AfterMessageBox on ticket create page
* ShowTransaction/AfterAnchor
* In EditDates and ShowDates
* Pass a reference to the signature in MessageBox's callback
* For inserting text after the transaction's description
* AfterUpdateType in Jumbo.html and Update.html

Log message:
perl FCGI 0.69 onwards is more picky about the strings it gets.
Thus, if you feed it perl strings with utf-8 you get a complaint about
wide characters in the string.
The new patch-ac contains a fix.

Log message:
improve gnupg handling

Log message:
update maintainer (*brrr* :)
Update to next version (thanks to Frederic Jaeckel for the prod).
The upstream changelog is:

* Stop old DateTime or DateTime::Locales from exploding in Preferences
* Move all JS for hierarchical CFs onto derivative field; remove DerivativeCFs
  method
Fix bug on Oracle when selecting against a CLOB
* Call the method on the object, not the username string (Reported by
  Philip Shore)
Fix error when using WebExternalAuth and setting user info
* When using WebExternalAuth don't issue a new session cookie on each request
Fix lost attachments when using WebExternalAuth. WebExternalAuthContinuous
can be set back to 1
* Mention missing index that was only added to upgrade scripts
* fixes for PlainTextMono config option introduced in 3.8.6
* fixes for updating charts and dashboards
* delete links from Bulk Update

Log message:
update of rt3 to next version (without the session hijacking vulnerability)

upstream changelog:
UPGRADING FROM 3.8.5 and earlier - Changes:

You can now forward an entire Ticket history (in addition to specific
transactions) but this requires a new Template called forward ticket.
This template will be added when you run.

/opt/rt3/sbin/rt-setup-database --dba root --prompt-for-dba-password --action upgrade

Custom fields with categories can optionally be split out into
hierarchical custom fields.  If you wish to convert your old
category-based custom fields, run:

    perl etc/upgrade/split-out-cf-categories

It will prompt you for each custom field with categories that it
finds, and the name of the custom field to create to store the
categories.

If you were using the LocalizedDateTime RT::Date formatter from code
and passing a DateFormat or TimeFormat argument, you need to switch from
the strftime methods to the cldr methods (ie full_date_format becomes
date_format_full)
You may have done this from your RT_SiteConfig.pm by using
Set($DateTimeFormat, { Format => 'LocalizedDateTime', DateFormat => \ 
'medium_date_format' );

Log message:
security update (lesser impact) to version 3.8.5

Log message:
where env PATH is being set for security reasons, have it include $PREFIX/bin
pointed out by "Peter C. Lai" <peter@simons-rock.edu>
fixes PR 41571

Log message:
security update to version 3.8.4

Log message:
Convert @exec/@unexec to @pkgdir or drop it.