Skip to content

Releases: openises/tickets

v3.44.3 — Docker version-string fix

Choose a tag to compare

@ejosterberg ejosterberg released this 09 Jun 05:11

TicketsCAD v3.44.3 Release Notes

Release Date: June 8, 2026
Priority: Low — version-display fix only; no security or behaviour changes vs. 3.44.2


Summary

Single-purpose patch release that corrects the install-time version string written by the Docker auto-installer.

Anyone running the ghcr.io/openises/ticketscad:latest container (or any release after v3.44.1 but before this one) has been seeing "3.44.1" in the Config screen even though the underlying code has been at v3.44.2 since April. The bug was that docker-autoinstall.php hardcoded the version string in its own SQL, and the string was never bumped when v3.44.2 shipped. The PHP source files in the container have been current the whole time; only the displayed version number was wrong.

You are not missing any security fixes if your container reported "3.44.1" — you already have the 88 v3.44.2 patches. This release just makes the version label honest.

Reported by Benjamin Hatfield (laconiacorp@gmail.com, 2026-06-08).

What changed

File Change
incs/versions.inc.php TICKETS_CURRENT_VERSION bumped from v3.44.1v3.44.3
docker-autoinstall.php No longer hardcodes the version string. Now reads TICKETS_CURRENT_VERSION from incs/versions.inc.php (the canonical source) and writes the bare semver (3.44.3) to the settings._version row. Prepared statements used instead of inline interpolation. Echoes the version it set so it's visible in container startup logs.
RELEASE-NOTES-3.44.3.md This file.

The structural improvement here matters more than the version bump: there's now ONE source of truth for the install version (incs/versions.inc.php). Future releases bump that one constant and the auto-installer picks it up automatically. The drift that caused this bug can't happen again.

Upgrade path

Docker users

docker compose pull
docker compose up -d

The CI workflow at .github/workflows/docker-build.yml automatically builds and pushes ghcr.io/openises/ticketscad:3.44.3, :3.44, and :latest on the v3.44.3 tag.

After upgrade, new containers will write 3.44.3 to settings._version on first boot. Existing containers keep whatever value is already in the database — to update the displayed version on an in-place container without reinitializing the DB:

UPDATE settings SET value = '3.44.3' WHERE name = '_version';

Traditional installs (non-Docker)

git pull
# Visit /install.php in your browser to run the upgrade flow

The legacy installer at install.php already reads from TICKETS_CURRENT_VERSION correctly, so it has always written the right value. This release does not change installer behaviour for non-Docker deployments.

Verification

Check the version that's actually displayed:

# From inside the container (or anywhere with shell access on the host):
docker exec ticketscad grep TICKETS_CURRENT_VERSION /var/www/html/incs/versions.inc.php
# Should print:  define('TICKETS_CURRENT_VERSION', 'v3.44.3');

# What's in the database:
docker exec ticketscad_db mariadb -u tickets -ptickets tickets \
  -e "SELECT value FROM settings WHERE name='_version'"
# Should print:  3.44.3

What did NOT change

  • No security fixes (none needed since v3.44.2 covered the audit)
  • No schema changes
  • No new features
  • No breaking changes
  • No PHP / MariaDB / Apache compatibility changes

If your container was reporting "3.44.1" before this release, it had the v3.44.2 code and patches; you don't gain anything functional by upgrading. The only reason to upgrade is to have the Config screen and settings._version table show the truthful version.


Recommendation

Optional for users who don't mind the misleading version label.

Recommended for anyone who audits their software inventory (so the displayed version matches what's actually running) and for fresh container deployments going forward.

v3.44.2 — Critical Security Update

Choose a tag to compare

@ejosterberg ejosterberg released this 02 Apr 05:35

Critical Security Update — All Users Should Upgrade Immediately

Security Fixes (88 vulnerabilities patched)

  • 69 Cross-Site Scripting (XSS) vulnerabilities fixed across 22 files
  • 19 SQL Injection vulnerabilities fixed across 11 files
  • 5 hardcoded secrets removed (API keys, database passwords)
  • 4 SSL certificate validation issues fixed (now verifies by default)
  • 13 file permission fixes (0777 → 0755)

PHP Compatibility (7.0 through 8.4+)

  • New compatibility layer polyfills utf8_encode(), each(), create_function() and other functions removed in PHP 8.0-8.4
  • Fixes 500 errors and white screens for users on PHP 8.2+
  • Deprecation warnings suppressed

Password Compatibility

  • Login now recognizes 6 legacy password hash formats (bcrypt, MD5, MySQL PASSWORD(), SHA1, plain text)
  • Passwords auto-upgrade to bcrypt on next login — no resets needed

Map Tiles

  • Fixed OSM "Access blocked" error (Referer header now sent)
  • All tile URLs upgraded to HTTPS
  • Docker deployments use server-side proxy by default

Docker Deployment (New)

curl -LO https://raw.githubusercontent.com/openises/tickets/main/docker-compose.yml
docker compose up -d
# Open http://localhost:8080 — Login: admin / admin
  • Auto-install on first run
  • Persistent volumes for database, uploads, tile cache
  • PHP 8.2 + MariaDB 10.11

Installer Improvements

  • Fixed upgrade path from any previous version
  • Better error messages
  • Version mismatch detection

Tested Against

  • PHP 8.2 + MariaDB 10.11 (primary)
  • PHP 8.2 + MariaDB 10.6
  • PHP 8.2 + MySQL 8.0
  • PHP 8.2 + MariaDB 11.7
  • PHP 8.2 + MySQL 5.7

Full release notes: RELEASE-NOTES-3.44.2.md

Upgrade Instructions

Docker: docker compose pull && docker compose up -d
Traditional: Download zip, extract over existing install, run installer in Upgrade mode
From old versions: Your existing passwords will work automatically

v3.44.1

Choose a tag to compare

@ejosterberg ejosterberg released this 23 Mar 02:40

What's Changed

Installer Improvements

  • Fixed installer timeout on large schema upgrades — Rewrote upgrade logic to use staged table comparisons, temp tables for complex migrations, and in-place ALTER for simple changes (PR #7 by @dwalenczak)
  • Standardized database engine and charset — All tables migrated to InnoDB/utf8mb4. Legacy MyISAM, latin1, and swedish collations converted automatically during upgrade
  • Safe data migration — Complex schema changes use temp tables with data migration. Unmigrated data preserved in _unmigrated backup tables with CSV download link
  • Version mismatch detection — Users now see a clear upgrade page when application files are newer than the database, with embedded admin login
  • Latest release check — Installer now shows the latest GitHub release version for comparison (with 1-hour API cache)

Bug Fixes

  • Fixed missing menu bar after login — Top navigation frame now refreshes automatically on first login via session flag (PR #8 by @dwalenczak)
  • Fixed favicon not loading — Added explicit <link rel="icon"> tags to index.php and top.php for subdirectory installations
  • Fixed undefined key warnings during upgradeadmin_user, admin_pass, admin_name POST keys now use null-coalescing in upgrade mode
  • Fixed coordinate sanitization — Consolidated sanitize_coordinate() into shared incs/security.inc.php with lat/lng range validation

Security

  • Restricted CSV download endpoint to _unmigrated tables only (prevents arbitrary table export)
  • Added regex whitelist on table name parameter
  • Fixed innerHTML XSS vector in installer log rendering
  • Removed duplicate JS function definitions

Testing

  • Added 10 unit tests for coordinate sanitizer
  • Added 7 installer safety tests
  • All 96 tests pass

Contributors

  • @dwalenczak — Installer timeout fix, schema modernization, menu fix, release version check

v3.44.0 Major Updates focused on Security

Choose a tag to compare

@ejosterberg ejosterberg released this 15 Mar 02:27

What's in this update:

Security hardening

SQL injection vulnerabilities have been fixed across 500+ files using prepared statements. This is the single largest change in this release and addresses a critical weakness in the codebase.

PHP 8.x compatibility

Numerous fixes for deprecation warnings, NULL handling, and function changes so Tickets CAD runs cleanly on PHP 8.2+.

Tile caching proxy

New tile source options on the Set Default Map page. You can now choose between Online Direct, Proxy Cache, or Offline Local tile modes. Proxy Cache is recommended for most installations as it reduces load on tile servers and improves performance.

Personnel/Member improvements

Click-to-set-location on member add/edit maps, photo upload fixes, and better form validation.

CSV report downloads

Reports can now be exported to CSV format.

Various bug fixes

Map position saving, search crashes, NULL value handling, mobile map popup errors, and more.

Updated, now with support for Geocoding API changes and PHP8.2

Choose a tag to compare

@ejosterberg ejosterberg released this 13 Feb 21:45

This release contains all the changes since the last official release.
Some of those changes have been available for some time in the "HEAD" of the GITHUB site.
One change in particular relates to the API changes made at OpenStreetMaps. Questions come up again and again about this fix, so it's time to make sure the version number/identifier is clear.
Dozens of other patches relate to support for PHP version 8.2

Numerous improvements to support php version updates

Choose a tag to compare

@ejosterberg ejosterberg released this 25 Nov 15:45

The existing code base has been around for many many years. PHP has deprecated the very basic foundations of this code base. While there is still more clean up to do, there are a great number of bug fixes and improvement. Previous releases are completely unable to operation on anything newer than php 7.4. (See php version support dates: https://www.php.net/supported-versions.php)

Please update your tickets installation to the latest version before reporting bugs.
Fixes and bug reports gladly accepted. See: https://groups.google.com/g/open-source-cad/

TicketsCAD-v3.40.3

Choose a tag to compare

@ejosterberg ejosterberg released this 21 Jun 04:30
Rol up version number

TicketsCAD-v3.40.2

Choose a tag to compare

@ejosterberg ejosterberg released this 07 Jun 04:19

This release fixes the ability to manually set a unit location by clicking on a map.
Thank you to Andy Harvey and Arnie Shore for the work to update this release.

TicketsCAD-v3.4.1

Choose a tag to compare

@ejosterberg ejosterberg released this 16 May 23:48
v3.40.1 release

Signed-off-by: openises (l) <openises@users.noreply.github.com>