We are pleased to announce that a new stable release of SupportSuite, eSupport and LiveResponse (3.70.01) is now available from the Members’ Area. Hosted customers can use their one-click upgrade facility in the same place.
Features, notes and highlights:
- Resolves 52 issues, fixes 45 bugs.
- Resolves 12 security issues.
- Enhanced cross-site request forgery protection.
- Enhanced cookie security.
- Resolves minor Google Chrome compatibility issues.
For a detailed change-log, see the forum thread for the release.
It is important that you keep your support desk up to date
We strongly recommend that all customers upgrade to 3.70.01, the latest stable version of SupportSuite, eSupport and LiveResponse as the new version contains some important security updates.
Thank you to early upgraders
We would like to give a special thanks to all of the customers who applied for the early upgrade incentive to publicly test this build. We received an overwhelming response.
Ahoy!
We are pleased to announce that a release candidate build of our upcoming 3.70 release is now available to customers who are eager to test and tinker. For more information, see the release announcement on the forums.
Upgrade incentive offer
In return for your time trying out the preview release, we are offering a free month of support and upgrades or a free InstaAlert Pro license to the first 20 self-hosted customers to update to 3.70 RC1.
What is a ‘Release Candidate’?
Release candidates builds are made available to customers before we ship a new release as stable. We publish the build early so that customers who like to test and tinker can do so.
All release candidate builds have undergone at least two stages of testing and peer code review.
We’d say that a release candidate more reliable than a beta release, but not quite fully stable. For this reason, we recommend most customers do not update their live support desks to a release candidate build.
A recent discovery of a potentially exploitable XSS (cross-site scripting) vulnerability inside of the staff control panel means that we have had to release an out-of-cycle patch to our customers.
Who needs to apply the patch
All customers running SupportSuite or eSupport 3.60.04 or earlier need to apply this patch as soon as possible.
About the flaw
The flaw can only be exploited by fully authenticated staff users. However, with cross-site scripting, an attacker could trick your staff users into clicking a legitimate looking link which triggers the exploit and could leak information such as your staff user’s session data and cookie data.
How to apply the patch
You just need to replace on file in your support desk installation.
- Visit the members’ area, click on the Patches tab.
- Download the patch file under the “30th September 2009 advisory” that corresponds to your SupportSuite or eSupport version
- If you are running a version earlier than 3.11, you will need to perform a full upgrade to 3.60.04 and then apply the patch
- Extract the ZIP file contents, which contains “functions_ticketsui.php”
- Upload this file to your support desk installation, replacing the existing file: ./modules/tickets/functions_ticketsui.php
It is important that all of our customers apply this patch as soon as possible.
If you need assistance applying the patch
Please do not hesitate to get in touch with us – we’ll be happy to help you apply the patch. Visit the members’ area, click on the Get Support tab to submit a support ticket.
Security housekeeping
Control panel IP restrictions
In 3.40.00, we added a feature which allows administrators to restrict which IP addresses can access the staff and administrator control panels. You can specify these IP addresses in the ./config/config.php file, as shown below.
/**
* ENABLE IP RESTRICTION: This option allows you to restrict the admin,staff,winapp,mobile,pda interfaces to a certain IP range
* 202.1.192.0-202.1.192.255: a range of IPs
* 200.36.161.0/24: a range of IP by using net masking
* 200.36.161/24: a shorten syntax similar to the above.
* Example: $_SWIFT['iprestrict'] = array('202.1.192.0-202.1.192.255', '200.36.161.0/24');
*/
$_SWIFT['iprestrict'] = array();If you are able to isolate logins by IP addresses, we highly recommend you do so, as this means that if one of your staff user’s login details is ever compromised, an attacker will still not be able to login to your control panels from IP addresses other than those you specify.
An important update to our flagship products – eSupport, SupportSuite and LiveResponse is now available from the Kayako Members’ Area.
** We are recommending that all customers upgrade to 3.60.02 at this point in time. **
This is a maintenance release that contains security fixes as well as other notables:
- Support for multibyte ticket searching.
- Dropping use of PHP’s short tags in anticipation of PHP 6.
- Ticket autoclose warning and final notification e-mails now optional (Settings -> Tickets).
- Option in config.php to switch between mbstring and iconv processing of e-mails.
- Support for third-party Blackberry Kayako application.
- Option added to set a secure cookie flag (Settings -> Security) when (and only when) SSL is in use.
- Improved end-user error messages in the support centre; no more permission related fatal errors.
- Support for Microsoft’s MHT format.
- Recursive attachment parsing of .EML attachments.
- Improved Google Chrome support.
The list of bugs fixed in this release is quite extensive; nearly 70 bugfixes are included. See the announcement on our forums for a complete list of the bugs that are fixed as well as a template diff list to see what changes have been made to the default templates so you can merge them.
A big thanks to everyone who participated in the early adoption / Release Candidate testing program. We really appreciate it!
Release Candidate 2 of our latest build, 3.60.01 is now available from the Members’ Area. We have changed our incentive program for early adopters, so read this entire post!
Several bugs have been patched since RC1:
- A missing localization file for the calendar controls – Brazilian Portuguese (pt-br)
- Alert issues resolved: “Ticket Edited,” “Ticket Merged,” and “Ticket Deleted”
- Fixed default attachment chunk size (now 768KiB, was 2.0MiB, which can cause problems with MySQL’s default setting for max_allowed_packet)
- Missing language key reference in Admin CP
3.60 contains over 70 bug fixes as well as usability improvements and security enhancements.
We have also decided to make the incentive for early adopters much sweeter; instead of one month of support and upgrades, you’ll now receive a three month extension of support and upgrades and three InstaAlert Pro licenses just for upgrading your help desk to RC2.
Please see the announcement on our forums for more information.
If you do upgrade, make sure to provide active feedback in the Beta testing forum!
Customer Login
Forums
Support