Zammad 3.5 is available

Dear Community,

We’re thrilled to announce the immediate release of Zammad 3.5.
This release solves security issues and brings long-awaited features (see below).
We strongly encourage all users to update their installations as soon as possible.

A note beforehand:
With the last release post on this community we were also asking you guys how you feel about redundant release information. The feedback within a month was that it’s better to have one fully featured news post instead of several places to look in. You can find the poll here.

Long story short?
This is the last release post I’ll be posting on this community board.

From now on, please stay tuned to our release notes on our website:
https://zammad.com/news/category:release

1. Security advisories

For your overview, we’re listing all advisories here. Click on the links to get a full description and learn about the scope.

CVEs are currently pending and will be updated as soon as available.

2. Changes

You can find the full changelog including bug fixes (3.4 to 3.5) here.

2.1 Data Privacy :wastebasket:

You’ll now find a new menu entry within the admin settings “Data Privacy”.
This allows you to remove users (yes users, so agents too!) together with the tickets they’re customer of.
If you remove an agent, this will reset the owner to “nobody” and not delete the ticket in question.

After removal, you’ll receive a full overview of what has been removed.

You can find a pre-QA version of the relevant documentation here:

As soon as we’ve finished the QA, you’ll also find this in the documentation. :raised_hands:

2.2 :busts_in_silhouette: Agents now can be customers (sponsored)

In the past, many Zammad users had the problem that they couldn’t see the tickets they’re customer of if the ticket was in a group that the agent account had no permission to.

With Zammad 3.5 you can now provide the “customer” role to your agent as well.
This will allow your agents to view their customer tickets regardless of the group they’re in.

If the ticket is in a group the agent has no access to, the ticket view will feel exactly like it does for customers. Agents can’t change fields a customer has no access to. :partying_face:

Amazing, right?!

Our sponsors
This feature was sponsored by the following amazing companies. Make sure to also drop them a “thank you”! :smirk:

Thank you very much, City of Dornbirn Hospital and EKHN (The Protestant Church in Hesse and Nassau)!

3. Technical notes :bookmark_tabs:

3.1 Ruby version

Please note that with Zammad 3.5 Ruby 2.6.6 is required. If you’re installing from Docker or package, you can safely ignore this hint. Source code installations require Ruby 2.6.6 to be available before upgrading.

3.2 Debian 8 EOL

As already mentioned in our last release post, we’ll be dropping support for Debian 8.0.
If you’re still using Debian 8, consider upgrading asap!

3.3 Changed API endpoints

Heads up for API users:
The endpoints for Tags and Ticket linking have changed!
Our Tag documentation for the API is already up to date:
https://docs.zammad.org/en/latest/api/tags.html

Please keep in mind that some API libraries may not yet be ready for this change.
Upgrading Zammad may break compatibility with them.

3.4 SSO changes

Note: This only affects the endpoint /auth/sso and mostly affects users who want to use e.g. Kerberos-like authentication.

Zammad now allows you to enable a SSO button.
It will redirect you to /auth/sso, so you no longer have to “hack” workarounds with cookies or sketchy redirects to that endpoint. :confetti_ball:

But: This also does something else…
Enabling “SSO” will enable the use of SSO authentication. If the option is disabled within security, you can no longer use the above-mentioned endpoint!

If you’re interested in Kerberos-like SSO, you can find a pre-QA version of the documentation here:

To enable SSO, go to “Security” and enable “Authentication via SSO”.

3.5 Changes to your vHost

Because of advisory ZAA-2020-18 we strongly suggest adding a further line to your vHost configuration files as noted below (this is also noted in the advisory).

3.5.1 nginx users

Within the location / directive add

proxy_set_header X-Forwarded-User "";

to ensure your web server no longer allows usage of the above-mentioned header.

( see: https://github.com/zammad/zammad/blob/stable/contrib/nginx/zammad.conf#L50-L51 )

3.5.2 apache2 users

Within Zammad’s virtual host configuration, add

RequestHeader unset X-Forwarded-User

to ensure your web server no longer allows usage of the above-mentioned header.

( see: https://github.com/zammad/zammad/blob/stable/contrib/apache2/zammad_ssl.conf#L57-L58 )


That’s it!

Happy hacking, folks!

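The vHost change from section 3.5 can be verified with a small config check. The following is an added example, not part of the original post or of Zammad's code; the function names and the sample vHosts (including the upstream addresses) are constructed for illustration.

```python
import re

def _active(conf):
    # Drop '#' comments so a commented-out directive does not count
    # (simplification: a '#' inside a quoted value is treated as a comment too).
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def nginx_clears_header(conf):
    """True if every `location / { ... }` block blanks X-Forwarded-User."""
    conf = _active(conf)
    directive = re.compile(r'proxy_set_header\s+X-Forwarded-User\s+(""|\'\')\s*;', re.I)
    blocks = []
    for m in re.finditer(r'\blocation\s+/\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # walk to the matching '}'
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append(conf[m.end():i])
    return bool(blocks) and all(directive.search(b) for b in blocks)

def apache_unsets_header(conf):
    """True if the vHost has an active `RequestHeader unset X-Forwarded-User`."""
    return re.search(r'^\s*RequestHeader\s+unset\s+X-Forwarded-User\b',
                     _active(conf), re.I | re.M) is not None

# Constructed sample vHosts (not Zammad's shipped files).
NGINX_OLD = """
server {
    location /ws { proxy_pass http://127.0.0.1:6042; }
    location / {
        proxy_set_header Host $http_host;
        # proxy_set_header X-Forwarded-User "";
        proxy_pass http://127.0.0.1:3000;
    }
}
"""
NGINX_NEW = NGINX_OLD.replace("# proxy_set_header X-Forwarded-User",
                              "proxy_set_header X-Forwarded-User")
APACHE_OLD = "<VirtualHost *:443>\n    ProxyPass / http://127.0.0.1:3000/\n</VirtualHost>\n"
APACHE_NEW = APACHE_OLD.replace("    ProxyPass",
                                "    RequestHeader unset X-Forwarded-User\n    ProxyPass")

if __name__ == "__main__":
    for name, ok in [("nginx old", nginx_clears_header(NGINX_OLD)),
                     ("nginx new", nginx_clears_header(NGINX_NEW)),
                     ("apache old", apache_unsets_header(APACHE_OLD)),
                     ("apache new", apache_unsets_header(APACHE_NEW))]:
        print(f"{name}: {'header cleared' if ok else 'X-Forwarded-User NOT cleared'}")
```

The nginx check looks inside the location / block specifically because nginx only inherits proxy_set_header directives from an outer level when the block defines none of its own.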