
Tag Archives: eSupport

3.70.01 stable release available now

Filed under LiveResponse, Releases, SupportSuite, eSupport

We are pleased to announce that a new stable release of SupportSuite, eSupport and LiveResponse (3.70.01) is now available from the Members’ Area. Hosted customers can use their one-click upgrade facility in the same place.

Features, notes and highlights:

  • Resolves 52 issues, fixes 45 bugs.
  • Resolves 12 security issues.
  • Enhanced cross-site request forgery protection.
  • Enhanced cookie security.
  • Resolves minor Google Chrome compatibility issues.

For a detailed change-log, see the forum thread for the release.

It is important that you keep your support desk up to date

We strongly recommend that all customers upgrade to 3.70.01, the latest stable version of SupportSuite, eSupport and LiveResponse as the new version contains some important security updates.

Thank you to early upgraders

We would like to give a special thanks to all of the customers who applied for the early upgrade incentive to publicly test this build. We received an overwhelming response.

Security bulletin – SupportSuite and eSupport

Filed under LiveResponse, Releases, SupportSuite, eSupport

A recent discovery of a potentially exploitable XSS (cross-site scripting) vulnerability inside of the staff control panel means that we have had to release an out-of-cycle patch to our customers.

Who needs to apply the patch

All customers running SupportSuite or eSupport 3.60.04 or earlier need to apply this patch as soon as possible.

About the flaw

The flaw can only be exploited by fully authenticated staff users. However, with cross-site scripting, an attacker could trick your staff users into clicking a legitimate-looking link that triggers the exploit and could leak information such as your staff user’s session data and cookie data.

How to apply the patch

You just need to replace one file in your support desk installation.

  1. Visit the members’ area, click on the Patches tab.
  2. Download the patch file under the “30th September 2009 advisory” that corresponds to your SupportSuite or eSupport version
    1. If you are running a version earlier than 3.11, you will need to perform a full upgrade to 3.60.04 and then apply the patch
  3. Extract the ZIP file contents, which contains “functions_ticketsui.php”
  4. Upload this file to your support desk installation, replacing the existing file:   ./modules/tickets/functions_ticketsui.php

It is important that all of our customers apply this patch as soon as possible.

If you need assistance applying the patch

Please do not hesitate to get in touch with us – we’ll be happy to help you apply the patch. Visit the members’ area, click on the Get Support tab to submit a support ticket.

Security housekeeping

Control panel IP restrictions

In 3.40.00, we added a feature which allows administrators to restrict which IP addresses can access the staff and administrator control panels. You can specify these IP addresses in the ./config/config.php file, as shown below.

/**
* ENABLE IP RESTRICTION: This option allows you to restrict the admin,staff,winapp,mobile,pda interfaces to a certain IP range
* 202.1.192.0-202.1.192.255: a range of IPs
* 200.36.161.0/24: a range of IP by using net masking
* 200.36.161/24: a shorten syntax similar to the above.
* Example: $_SWIFT['iprestrict'] = array('202.1.192.0-202.1.192.255', '200.36.161.0/24');
*/
$_SWIFT['iprestrict'] = array();

If you are able to isolate logins by IP addresses, we highly recommend you do so, as this means that if one of your staff user’s login details is ever compromised, an attacker will still not be able to login to your control panels from IP addresses other than those you specify.
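An added example, not Kayako's own code: a standalone PHP check that interprets the three entry syntaxes from the config comment, so a list can be tested against known staff addresses before it goes into config.php. The function names, the sample addresses and the treatment of entries that do not parse are assumptions; how SupportSuite itself reads the setting is not shown on this page.

```php
<?php
// Added example (not Kayako's code). Assumes 64-bit PHP 7.1+ and IPv4 only.
/** Turn one entry into an inclusive [low, high] pair of IPv4 integers, or null if malformed. */
function entryToRange(string $entry): ?array
{
    if (strpos($entry, '-') !== false) {              // 202.1.192.0-202.1.192.255
        [$a, $b] = array_map('trim', explode('-', $entry, 2));
        $low = ip2long($a);
        $high = ip2long($b);
        return ($low === false || $high === false || $low > $high) ? null : [$low, $high];
    }
    if (strpos($entry, '/') !== false) {              // 200.36.161.0/24 or 200.36.161/24
        [$net, $bits] = explode('/', $entry, 2);
        $octets = explode('.', $net);
        // Shortened form: pad the missing trailing octets with zeros.
        $base = count($octets) > 4 ? false : ip2long(implode('.', array_pad($octets, 4, '0')));
        if ($base === false || !ctype_digit($bits) || (int)$bits > 32) {
            return null;
        }
        $mask = (0xFFFFFFFF << (32 - (int)$bits)) & 0xFFFFFFFF;
        $low = $base & $mask;
        return [$low, $low | (~$mask & 0xFFFFFFFF)];
    }
    return null;                                      // not one of the three documented forms
}

/** True if $ip matches any entry; entries that do not parse are collected in $bad. */
function ipAllowed(string $ip, array $entries, array &$bad = []): bool
{
    $addr = ip2long($ip);
    $allowed = false;
    foreach ($entries as $entry) {
        $range = entryToRange($entry);
        if ($range === null) {
            $bad[] = $entry;
        } elseif ($addr !== false && $addr >= $range[0] && $addr <= $range[1]) {
            $allowed = true;
        }
    }
    return $allowed;
}

// Constructed sample: the forms from the config comment plus one deliberate typo (/33).
$entries = ['202.1.192.0-202.1.192.255', '200.36.161.0/24', '200.36.161/24', '10.0.0.0/33'];
foreach (['202.1.192.77', '200.36.161.9', '203.0.113.5'] as $ip) {
    $bad = [];
    printf("%-14s %s\n", $ip, ipAllowed($ip, $entries, $bad) ? 'allowed' : 'blocked');
}
echo 'Entries that did not parse: ', implode(', ', $bad), "\n";
```

Run it with the PHP CLI using the addresses your staff actually connect from; any entry reported as not parsing should be corrected before the list is saved.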

3.60.02 Stable Release is now available!

Filed under LiveResponse, Releases, SupportSuite, eSupport

An important update to our flagship products – eSupport, SupportSuite and LiveResponse – is now available from the Kayako Members’ Area.

** We are recommending that all customers upgrade to 3.60.02 at this point in time. **

This is a maintenance release that contains security fixes as well as other notables:

  • Support for multibyte ticket searching.
  • Dropping use of PHP’s short tags in anticipation of PHP 6.
  • Ticket autoclose warning and final notification e-mails now optional (Settings -> Tickets).
  • Option in config.php to switch between mbstring and iconv processing of e-mails.
  • Support for third-party Blackberry Kayako application.
  • Option added to set a secure cookie flag (Settings -> Security) when (and only when) SSL is in use.
  • Improved end-user error messages in the support centre; no more permission related fatal errors.
  • Support for Microsoft’s MHT format.
  • Recursive attachment parsing of .EML attachments.
  • Improved Google Chrome support.

The list of bugs fixed in this release is quite extensive; nearly 70 bugfixes are included.  See the announcement on our forums for a complete list of the bugs that are fixed as well as a template diff list to see what changes have been made to the default templates so you can merge them.

A big thanks to everyone who participated in the early adoption / Release Candidate testing program.  We really appreciate it!

3.60.00 Release Candidate 1 available now

Filed under Development, LiveResponse, Releases, SupportSuite, eSupport

We’re pleased to announce that 3.60.00 Release Candidate 1 is now available for download from the Members’ Area (https://members.kayako.net). The correct file to download is the one marked ‘3.60.00 UNSTABLE.’

The build resolves more than 70 bugs, important security issues and introduces several new features, including:

  • Multibyte ticket searching.
  • iconv/mbstring switch for e-mail processing.
  • Support for Microsoft’s MHT format.
  • Recursive attachment parsing of .EML attachments.
  • .. and much more.

We are offering a free month’s support and upgrades or a free InstaAlert Pro license to early adopters of our Release Candidate build.

For more information, please see the release thread: 3.60.00 Release Candidate 1 available now

We are looking forward to your feedback!

3.40.00 Release Candidate 1 Available

Filed under LiveResponse, Releases, SupportSuite, eSupport

Kayako is proud to announce the immediate availability of SupportSuite, eSupport and LiveResponse 3.40.00 Release Candidate 1.  This release repairs more than 20 defects.  This release candidate stage is intended to test the waters for the next upgrade.  If all goes well, as it did with the 3.30 release, we hope for a stable release within a week or so.  The 3.40 release represents significant refinement for many of our customers.

Among the refinements in this version are alterations to accommodate new long-format Outlook GUIDs and some updates to international language support.  We fixed several defects in the RFC822 parser we were using, improved it to allow better error handling for broken email addresses, and resolved several lingering time-related defects.  There are also a number of under-the-hood changes which enhance privacy, and a number of small cosmetic changes.  We’ve also laid some new security groundwork, including a patch for the bundled HTML Tidy plugin’s register_globals defect.

In order to get the ball rolling, we are offering a free one-month extension to the support and upgrades of the first sixteen customers who request an upgrade to the RC1 package.  This offer is available to any owned license customer with current support and upgrade service.  To request, please post in this forum page, then mail a link to the upgraded desk to jamie.edwards at kayako dot com, so that we can verify.  The first sixteen requests in the forum thread will be accepted.  (Hosted customers have permanent upgrade and support, and so giving them a free month isn’t particularly meaningful.)

© Kayako Infotech Ltd. 2001 - 2009, all rights reserved