Releases: openises/tickets
v3.44.2 — Critical Security Update
Critical Security Update — All Users Should Upgrade Immediately
Security Fixes (88 vulnerabilities patched)
- 69 Cross-Site Scripting (XSS) vulnerabilities fixed across 22 files
- 19 SQL Injection vulnerabilities fixed across 11 files
- 5 hardcoded secrets removed (API keys, database passwords)
- 4 SSL certificate validation issues fixed (now verifies by default)
- 13 file permission fixes (0777 → 0755)
PHP Compatibility (7.0 through 8.4+)
- New compatibility layer polyfills utf8_encode(), each(), create_function() and other functions removed in PHP 8.0-8.4
- Fixes 500 errors and white screens for users on PHP 8.2+
- Deprecation warnings suppressed
Password Compatibility
- Login now recognizes 6 legacy password hash formats (bcrypt, MD5, MySQL PASSWORD(), SHA1, plain text)
- Passwords auto-upgrade to bcrypt on next login — no resets needed
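A sketch of how a login routine can accept legacy hash formats and upgrade them to bcrypt on a successful login. This is an added example, not code from the Tickets CAD repository; the function names, the stored-value shapes and the sample records are assumptions.

```php
<?php
// Added illustration, not Tickets CAD source. Function names are hypothetical.

// Compare a password against a legacy (non-bcrypt) stored value by its shape.
function legacy_matches(string $password, string $stored): bool
{
    if (preg_match('/\A\*[0-9A-Fa-f]{40}\z/', $stored)) {      // MySQL PASSWORD()
        $calc = '*' . strtoupper(sha1(sha1($password, true)));
        return hash_equals(strtoupper($stored), $calc);
    }
    if (preg_match('/\A[0-9A-Fa-f]{40}\z/', $stored)) {        // SHA1 hex
        return hash_equals(strtolower($stored), sha1($password));
    }
    if (preg_match('/\A[0-9A-Fa-f]{32}\z/', $stored)) {        // MD5 hex
        return hash_equals(strtolower($stored), md5($password));
    }
    // Plain text is tried only when the value has no hash shape, so a
    // leaked MD5/SHA1 string cannot itself be submitted as the password.
    return hash_equals($stored, $password);
}

// Verify a login; on success with an old format, hand a bcrypt hash to $save.
function login(string $password, string $stored, callable $save): bool
{
    if ($stored === '') {
        return false;                       // never accept an empty credential
    }
    $isModern = !empty(password_get_info($stored)['algo']);
    $ok = $isModern ? password_verify($password, $stored)
                    : legacy_matches($password, $stored);
    if ($ok && (!$isModern || password_needs_rehash($stored, PASSWORD_BCRYPT))) {
        $save(password_hash($password, PASSWORD_BCRYPT));
    }
    return $ok;
}

// Constructed sample records, not real data.
$users = [
    'md5_user'   => md5('correct horse'),
    'mysql_user' => '*' . strtoupper(sha1(sha1('correct horse', true))),
    'plain_user' => 'correct horse',
];
foreach (array_keys($users) as $name) {
    $save = function (string $hash) use (&$users, $name) { $users[$name] = $hash; };
    $first  = login('correct horse', $users[$name], $save);  // legacy path, upgrades
    $second = login('correct horse', $users[$name], $save);  // bcrypt path
    $wrong  = login('wrong', $users[$name], $save);
    printf("%-10s legacy=%s bcrypt=%s wrong=%s stored=%.7s...\n", $name,
        var_export($first, true), var_export($second, true),
        var_export($wrong, true), $users[$name]);
}
```

Accounts that never log in again keep their legacy value, so the weak formats remain in the database until those accounts are reset or removed.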
Map Tiles
- Fixed OSM "Access blocked" error (Referer header now sent)
- All tile URLs upgraded to HTTPS
- Docker deployments use server-side proxy by default
Docker Deployment (New)
curl -LO https://raw.githubusercontent.com/openises/tickets/main/docker-compose.yml
docker compose up -d
# Open http://localhost:8080 — Login: admin / admin
- Auto-install on first run
- Persistent volumes for database, uploads, tile cache
- PHP 8.2 + MariaDB 10.11
Installer Improvements
- Fixed upgrade path from any previous version
- Better error messages
- Version mismatch detection
Tested Against
- PHP 8.2 + MariaDB 10.11 (primary)
- PHP 8.2 + MariaDB 10.6
- PHP 8.2 + MySQL 8.0
- PHP 8.2 + MariaDB 11.7
- PHP 8.2 + MySQL 5.7
Full release notes: RELEASE-NOTES-3.44.2.md
Upgrade Instructions
Docker: docker compose pull && docker compose up -d
Traditional: Download zip, extract over existing install, run installer in Upgrade mode
From old versions: Your existing passwords will work automatically
v3.44.1
What's Changed
Installer Improvements
- Fixed installer timeout on large schema upgrades — Rewrote upgrade logic to use staged table comparisons, temp tables for complex migrations, and in-place ALTER for simple changes (PR #7 by @dwalenczak)
- Standardized database engine and charset — All tables migrated to InnoDB/utf8mb4. Legacy MyISAM, latin1, and swedish collations converted automatically during upgrade
- Safe data migration — Complex schema changes use temp tables with data migration. Unmigrated data preserved in _unmigrated backup tables with CSV download link
- Version mismatch detection — Users now see a clear upgrade page when application files are newer than the database, with embedded admin login
- Latest release check — Installer now shows the latest GitHub release version for comparison (with 1-hour API cache)
Bug Fixes
- Fixed missing menu bar after login — Top navigation frame now refreshes automatically on first login via session flag (PR #8 by @dwalenczak)
- Fixed favicon not loading — Added explicit <link rel="icon"> tags to index.php and top.php for subdirectory installations
- Fixed undefined key warnings during upgrade — admin_user, admin_pass, admin_name POST keys now use null-coalescing in upgrade mode
- Fixed coordinate sanitization — Consolidated sanitize_coordinate() into shared incs/security.inc.php with lat/lng range validation
Security
- Restricted CSV download endpoint to _unmigrated tables only (prevents arbitrary table export)
- Added regex whitelist on table name parameter
- Fixed innerHTML XSS vector in installer log rendering
- Removed duplicate JS function definitions
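A table-name whitelist of the kind described in the first two items above, shown as an added example rather than the project's own code. It assumes the backup tables are named with an `_unmigrated` suffix; the function name and the sample table list are hypothetical.

```php
<?php
// Added illustration, not Tickets CAD source. The "_unmigrated" suffix
// convention and every name below are assumptions.

/**
 * Resolve a user-supplied table name to a quoted identifier, or null.
 * Identifiers cannot be bound as prepared-statement parameters, so the
 * name is checked against a strict pattern and the live table list.
 */
function resolve_export_table(string $requested, array $existingTables)
{
    // \A and \z anchor the whole string; a bare "$" would also match
    // just before a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9_]{1,48}_unmigrated\z/', $requested)) {
        return null;
    }
    // The name must also be a table that actually exists (strict compare).
    if (!in_array($requested, $existingTables, true)) {
        return null;
    }
    // Only [A-Za-z0-9_] can reach this point, so backtick quoting is safe.
    return '`' . $requested . '`';
}

// Constructed inputs, not taken from a real installation.
$tables   = ['user', 'ticket', 'ticket_unmigrated', 'member_unmigrated'];
$requests = [
    'ticket_unmigrated',     // allowed
    'user',                  // real table, but not a backup table
    'user_unmigrated',       // right shape, table does not exist
    "ticket_unmigrated\n",   // trailing newline
    'ticket`_unmigrated',    // character outside the allowed set
];
foreach ($requests as $r) {
    printf("%-24s => %s\n", json_encode($r),
        var_export(resolve_export_table($r, $tables), true));
}
```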
Testing
- Added 10 unit tests for coordinate sanitizer
- Added 7 installer safety tests
- All 96 tests pass
Contributors
- @dwalenczak — Installer timeout fix, schema modernization, menu fix, release version check
v3.44.0 Major Updates focused on Security
What's in this update:
Security hardening
SQL injection vulnerabilities have been fixed across 500+ files using prepared statements. This is the single largest change in this release and addresses a critical weakness in the codebase.
PHP 8.x compatibility
Numerous fixes for deprecation warnings, NULL handling, and function changes so Tickets CAD runs cleanly on PHP 8.2+.
Tile caching proxy
New tile source options on the Set Default Map page. You can now choose between Online Direct, Proxy Cache, or Offline Local tile modes. Proxy Cache is recommended for most installations as it reduces load on tile servers and improves performance.
Personnel/Member improvements
Click-to-set-location on member add/edit maps, photo upload fixes, and better form validation.
CSV report downloads
Reports can now be exported to CSV format.
Various bug fixes
Map position saving, search crashes, NULL value handling, mobile map popup errors, and more.
Updated, now with support for Geocoding API changes and PHP8.2
This release contains all the changes since the last official release.
Some of those changes have been available for some time in the "HEAD" of the GITHUB site.
One change in particular relates to the API changes made at OpenStreetMaps. Questions come up again and again about this fix, so it's time to make sure the version number/identifier is clear.
Dozens of other patches relate to support for PHP version 8.2
Numerous improvements to support php version updates
The existing code base has been around for many many years. PHP has deprecated the very basic foundations of this code base. While there is still more clean up to do, there are a great number of bug fixes and improvements. Previous releases are completely unable to operate on anything newer than php 7.4. (See php version support dates: https://www.php.net/supported-versions.php)
Please update your tickets installation to the latest version before reporting bugs.
Fixes and bug reports gladly accepted. See: https://groups.google.com/g/open-source-cad/
TicketsCAD-v3.40.3
Roll up version number
TicketsCAD-v3.40.2
This release fixes the ability to manually set a unit location by clicking on a map.
Thank you to Andy Harvey and Arnie Shore for the work to update this release.
TicketsCAD-v3.4.1
v3.40.1 release Signed-off-by: openises (l) <openises@users.noreply.github.com>