request-tracker5 (5.0.5+dfsg-2) unstable; urgency=medium

  * Correct CVE numbers for CVE-2023-41259 and CVE-2023-41260 in previous
    entry (Closes: #1055128).
  * Remove alternative for rt-clean-attributes in prerm (Closes: #1057684).
  * Remove alternative for rt-serializer in prerm.

 -- Andrew Ruthven  Sun, 10 Dec 2023 01:49:01 +1300

request-tracker5 (5.0.5+dfsg-1) unstable; urgency=high

  * New upstream release (Closes: #1054517).
    - [CVE-2023-41259] Vulnerability to unvalidated email headers in
      incoming email and the mail-gateway REST interface.
    - [CVE-2023-41260] Information leakage via response messages returned
      from requests sent via the mail-gateway REST interface.
    - [CVE-2023-45024] Information leakage via transaction searches made by
      authenticated users in the transaction query builder.
    - Reveal information about data on various RT objects in errors and
      other response messages to REST 2 requests.
  * Drop patches no longer needed:
    - Update-expired-certificates.diff
    - Update-legacy-timezones.diff
    - install_rt-clean-shorteners.diff
  * Drop patches merged upstream:
    - fcgi_client_sigpipe.diff
    - fix_pod_rt_munge_attachments.diff
  * Add autopkgtests.

 -- Andrew Ruthven  Sun, 29 Oct 2023 13:42:33 +1300

request-tracker5 (5.0.4+dfsg-2) unstable; urgency=medium

  * Add patches from upstream:
    - debian/patches/Update-expired-certificates.diff
    - debian/patches/Update-legacy-timezones.diff
  * Drop Build-Depend on tzdata-legacy as Update-legacy-timezones.diff
    patch negates the need for it.

 -- Andrew Ruthven  Mon, 04 Sep 2023 23:56:23 +1200

request-tracker5 (5.0.4+dfsg-1) unstable; urgency=medium

  [ Andrew Ruthven ]
  * New upstream release.
  * Drop patch no longer needed:
    - Update-tests-for-EN-datetime-locale-change-to-space.diff
  * Drop patch merged upstream:
    - libdatetime-format-natural-perl-v0.14.diff
  * Refresh d/copyright
  * Bump debhelper from old 10 to 13.
  * Recommend libcss-inliner-perl and enable $EmailDashboardInlineCSS if it
    is installed.
  * Ensure we can build source after successful build.
  * Add disable_dirmngr_in_tests.diff which should make this package able
    to pass the reproducible build tests.
  * Depend on fonts-noto-core instead of the obsolete fonts-noto-hinted
    (Closes: #1050048)
  * Build-Depend on tzdata-legacy as a number of the tests use timezone
    names that have been moved from tzdata to tzdata-legacy.

  [ Ángel Gonzále ]
  * Fetch timezone from /etc/localtime symlink (Closes: #1038847)

 -- Andrew Ruthven  Sat, 19 Aug 2023 14:31:11 +1200

request-tracker5 (5.0.3+dfsg-3) unstable; urgency=medium

  * Strip Debian version suffix from generated hyperlinks to upstream docs
    (Closes: #1033304).
  * Fix the changelog date entry for the 5.0.3+dfsg-2 release.

 -- Andrew Ruthven  Sun, 11 Jun 2023 14:19:13 +1200

request-tracker5 (5.0.3+dfsg-2) unstable; urgency=medium

  * Add more fields to d/upstream/metadata
  * Update the ckeditor licenses in d/copyright.
  * Use java instead of jexec to build ckeditor (Closes: #1026669).
  * Update Standards-Version to 4.6.2 (no changes)
  * Set rt5-doc-html to be Multi-Arch: foreign as suggested by the
    Multiarch hinter.
  * Add Update-tests-for-EN-datetime-locale-change-to-space.diff from
    upstream which handles libdatetime-perl >= 2:1.59-1.
  * Add libdatetime-format-natural-perl-v0.14.diff which handles
    libdatetime-format-natural-perl >= 0.14.
  * Remove dependency on lsb-base as it is an obsolete package.
  * Refresh d/copyright

 -- Andrew Ruthven  Sat, 04 Feb 2023 12:30:17 +1300

request-tracker5 (5.0.3+dfsg-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl  Sat, 15 Oct 2022 12:42:57 +0200

request-tracker5 (5.0.3+dfsg-1) unstable; urgency=medium

  * New upstream release (Closes: #988905).
  * Drop patches merged upstream:
    - use_webpath_for_relateddata_links.diff
    - rt-crypt-gnupg-combine-call.diff
  * Ensure package descriptions consistently refer to version 5
    (Closes: #984676).
  * Ensure a sane database admin user is specified for both PostgreSQL and
    MySQL.
  * Only create symlinks for the DB upgrade scripts we ship
    (Closes: #985704).
  * Fixes a security vulnerability that involves a login timing
    side-channel attack. This resolves CVE-2021-38562 (Closes: #995167)
  * Update fix_test_ldap_ipv4.diff for new test
    t/externalauth/ldap_email_login.t
  * Add missing dependencies on dbconfig-{mysql,postgresql,sqlite3}.
  * Refresh debian/copyright
  * Fix multiple security issues:
    - [CVE-2022-25803] RT 5.0 is vulnerable to unvalidated, or open,
      redirects in ticket searches.
    - [CVE-2022-25802] A cross-site scripting (XSS) issue when displaying
      attachment content with fraudulent content types. This vulnerability
      is assigned
    - Not performing full rights checks on access to file or image type
      custom fields, possibly allowing access to these custom fields by
      users without rights to access to the associated objects (like the
      ticket it is associated with).
  * RT is incompatible with Test::WWW::Mechanize 1.58, exclude that
    version.
  * Update upstream signing key.
  * Update Standards-Version to 4.6.1 (no changes)

 -- Andrew Ruthven  Thu, 21 Jul 2022 17:06:28 +1200

request-tracker5 (5.0.1+dfsg-1) unstable; urgency=medium

  [ Dominic Hargreaves ]
  * Depend on perl-doc so that script usage is printed correctly
    (Closes: #666123)
  * Downgrade Depends on rsyslog | system-log-daemon to Recommends to
    support installations which prefer to use only systemd for logging
    (see #981942)
  * Remove obsolete alternative depends on dual-lived modules

  [ Andrew Ruthven ]
  * New upstream release.
  * Update debian/copyright.
  * Skip check for Mozilla::CA module to allow make testdeps to succeed.
  * Add third-party-source tarball to d/watch.
  * Add GPG signature verification of upstream tarballs.
  * Fix path to /bin/true in request-tracker5.service (Closes: #983752).
  * Resolve reportbug script issue where it'll exit with error code 255 if
    no files are present under /usr/local/share/request-tracker5.

  [ Dominic Hargreaves ]
  * Don't ignore the exit status of make testdeps any more
  * Drop patches no_testdeps and no_test_web_installer
  * Add Build-Depends on starlet

 -- Andrew Ruthven  Wed, 03 Mar 2021 23:05:11 +1300

request-tracker5 (5.0.0+dfsg-1) unstable; urgency=medium

  [ Andrew Ruthven ]
  * Branch request-tracker5 packaging from request-tracker4
  * New upstream release (Closes: #981077)
  * Drop patches which are no longer required as GnuPG::Interface supports
    gpg2:
    - runtime_gpg1.diff
    - test_gnupg-interface_gpg1.diff
    - test_gpg1.diff
  * Drop patch fix_privacy_breach_generic.diff as images are now local not
    loaded from Best Practical's website.
  * Add fix_test_ldap_ipv4.diff to fix LDAP test.
  * Add use-webpath-for-relateddata-links.diff so that RelatedData links
    for the default Debian path of "rt" work.
  * Add rt-crypt-gnupg-combine-call.diff to ensure that GnuPG::Interface
    instantiates with the gpg binary to use
  * Add myself to copyright file and as an uploader.

  [ Dominic Hargreaves ]
  * Import new dfsg version of third-party sources
  * Add scripts to add additional sources to third-party directory
  * Further updates to Lintian overrides for sources supplied in
    third-party
  * Remove conflicting Recommends on libhtml-formatexternal-perl which we
    also depend on
  * Refresh debian/copyright
  * Update README.Debian to reflect the current status of migration
    support.

 -- Dominic Hargreaves  Tue, 26 Jan 2021 01:21:36 +0000