request-tracker4 (4.2.8-3+deb8u3) jessie; urgency=medium * Fix regression in previous security release where incorrect SHA256 passwords could trigger an error -- Dominic Hargreaves Tue, 29 Aug 2017 20:01:00 +0100 request-tracker4 (4.2.8-3+deb8u2) jessie-security; urgency=high * Fix FTBFS due to changes (Closes: #864302) * Fix multiple security issues: - [CVE-2017-5943] CSRF verification token information leak - [CVE-2016-6127] XSS in file uploads - [CVE-2017-5361] Timing side-channel vulnerability in password verification - [CVE-2017-5944] Remote code execution in dashboard interface - Add check for incorrect RestrictLoginReferrer configuration setting * Work around a DoS vulnerability in Email::Address (CVE-2015-7686) -- Dominic Hargreaves Sat, 10 Jun 2017 23:25:11 +0100 request-tracker4 (4.2.8-3+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Security Team. * Add CVE-2015-5475.patch patch. CVE-2015-5475: Cross-site scripting attack via the user and group rights managment pages. * Add XSS-cryptography-interface.patch patch. Fixes cross-site scripting attack via the cryptography interface. -- Salvatore Bonaccorso Wed, 12 Aug 2015 21:15:45 +0200 request-tracker4 (4.2.8-3) unstable; urgency=high * Fix remote DoS via email gateway (CVE-2014-9472) * Fix information discloure revealing RSS feed URLs (CVE-2015-1165) * Fix privilege escalation via RSS feed URLs (CVE-2015-1464) -- Dominic Hargreaves Thu, 26 Feb 2015 10:05:25 +0000 request-tracker4 (4.2.8-2) unstable; urgency=medium [ Niko Tyni ] * Fix upgrade problems caused by a bug in the wheezy rt4-extension-assettracker installation procedure. (Closes: #773343) * Break all versions of rt4-extension-assettracker: its upstream says RT 4.2 isn't supported anymore and recommends RT-Extension-Assets instead. (See #748737) -- Dominic Hargreaves Thu, 01 Jan 2015 16:47:30 +0000 request-tracker4 (4.2.8-1) unstable; urgency=medium * New upstream release - This release mitigates against the Shellshock bash vulnerability. The RT specific reference for this is CVE-2014-7227. This should already be fixed by updates to bash, so this is not itself treated as a security issue in RT. - Minor bugfixes are also included. * Revert to logging to Syslog by default; file-based logging is more fragile and was missing logrotate configuration (Closes: #747076) * Update Standards-Version (no changes) -- Dominic Hargreaves Mon, 20 Oct 2014 21:35:57 +0100 request-tracker4 (4.2.7-1) unstable; urgency=high * Add a missed lintian override for missing sources * New upstream release (Closes: #757879) - update versioned dependency on libdbix-searchbuilder-perl - include database upgrade script and NEWS entry -- Dominic Hargreaves Sat, 13 Sep 2014 01:43:15 +0100 request-tracker4 (4.2.6-1) unstable; urgency=medium * Depend unconditionally on libcgi-pm-perl to fix FTBFS with perl 5.20 (Closes: #759975) * New upstream release (Closes: #760500) * Apply patch from Daniel Kahn Gillmor to allow changing the status during commenting in the rt command line tool (Closes: #760292) * Add lintian override for missing sources shipped in third-party-source * Use install -d rather than mkdir in a few places to avoid umask issues (thanks, Lintian) -- Dominic Hargreaves Sat, 06 Sep 2014 22:17:37 +0100 request-tracker4 (4.2.4-1) unstable; urgency=medium * Add missing Depends on libcss-squish-perl (Closes: #747298) * New upstream release - include database upgrade script and NEWS entry - add Build-Depends on libtest-pod-perl -- Dominic Hargreaves Sun, 18 May 2014 22:40:33 +0100 request-tracker4 (4.2.3-2) unstable; urgency=low * Correct path in lintian override * Add missing Build-Depends on liblog-dispatch-perl-perl * Apply patch from upstream fixing the reference to the font path (Closes: #746150) * Upload to unstable -- Dominic Hargreaves Sun, 04 May 2014 12:49:03 +0100 request-tracker4 (4.2.3-1) experimental; urgency=medium * New upstream release (Closes: #733516) - update (Build)-Depends - update Apache config to match upstream docs - improve PostgreSQL indices (Closes: #512759) - don't enable GPG (or SMIME) by default (Closes: #654697) - include database upgrade script and NEWS entry - update debian/copyright - include NEWS item alerting of incompatible changes - update Lintian overrides for new file paths * Add rt4-standalone package (Closes: #644187) (thanks, Bastian Blank) * Log to a file rather than syslog by default (Closes: #712147) * Update Standards-Version (no changes) * Add a note about how to configure RT from the root URL (Closes: #735490) -- Dominic Hargreaves Sun, 02 Mar 2014 16:04:58 +0000 request-tracker4 (4.0.19-1) unstable; urgency=medium * Pass "-s /bin/sh" to "su www-data" to cope with the change of www-data's shell in base-passwd 3.5.30. Thanks to Colin Watson for the bug report and patch (Closes: #734728) * New upstream release * Include database upgrade scripts/NEWS * Don't fetch logo from from 'broken install' page (fixes Lintian privacy error) -- Dominic Hargreaves Sun, 16 Feb 2014 16:15:23 +0000 request-tracker4 (4.0.18-1) unstable; urgency=low * New upstream release (Closes: #732013) - Add Build-Depends on liblocale-po-perl * Remove Depends/Suggests on version-specific PostgreSQL packages (Closes: #732497) -- Dominic Hargreaves Wed, 01 Jan 2014 13:58:39 +0000 request-tracker4 (4.0.17-2) unstable; urgency=low * Fix double-encoding bug with newer versions of Encode (Closes: #724795) * Add alternative build-depends on perl for Pod::Simple (thanks, Lintian) -- Dominic Hargreaves Sat, 28 Sep 2013 23:08:49 +0100 request-tracker4 (4.0.17-1) unstable; urgency=medium * Remove Dmitry Smirnov from Uploaders, on request * Add Brazilian Portuguese debconf templates translation (Closes: #719150) * New upstream release - Fixes perl 5.18 compatibility issues (Closes: #720498) -- Dominic Hargreaves Sat, 24 Aug 2013 11:24:26 +0100 request-tracker4 (4.0.13-1) unstable; urgency=low * New upstream release * Depend on fonts-droid instead of the transitional ttf-droid (Closes: #708940) * Update configuration files to Apache 2.4 host ACL style (Closes: #669774) * Run make testdeps, ignoring errors for now as some dependencies aren't needed for the Debian package and aren't packaged * Add Build-Depends on libterm-readkey-perl, and don't run t/web/installer.t (tests functionality not used in the Debian package (Closes: #708950) * Add Build-Depends on libfcgi-perl * Update Standards-Version (no changes) * Remove rt-validate-aliases alternative in prerm (Closes: #708101) -- Dominic Hargreaves Sun, 02 Jun 2013 14:16:34 +0100 request-tracker4 (4.0.12-2) unstable; urgency=high * Multiple security fixes for: - Privileged user escalation (CVE-2012-4733) - Semi-predictable temporary file names (CVE-2013-3368) - Arbitrary Mason component execution (CVE-2013-3369) - Direct execution of private callback components (CVE-2013-3370) - XSS via attachment filenames and URLs in messages (CVE-2013-3371) - XSS via Content-Disposition header (CVE-2013-3372) - MIME header injection (CVE-2013-3373) - Limited session reuse when using Apache::Session::File (CVE-2013-3374) * Include database upgrade (dbconfig-common and NEWS) -- Dominic Hargreaves Wed, 22 May 2013 18:53:16 +0100 request-tracker4 (4.0.12-1) unstable; urgency=low * New upstream release - include database update for consistently lower-case ticket types -- Dominic Hargreaves Sat, 11 May 2013 15:06:11 +0100 request-tracker4 (4.0.11-1) experimental; urgency=low * Set the Section of rt-doc-html to doc, matching the current Debian archive * Run test suite during package build (Closes: #688976) * The above change adds a Build-Depends on liblist-moreutils-perl which also fixes a FTBFS with 4.0.10-1 (Closes: #705002) * New upstream release - Update versioned build-dependency on libpod-simple-perl * Don't depend on a -1 revision libhtml-mason-perl, to assist with backporting (thanks, Lintian) -- Dominic Hargreaves Tue, 16 Apr 2013 21:50:07 +0100 request-tracker4 (4.0.10-1) experimental; urgency=low * Switch to git-dpm for patch management * Remove no_syslogd_running patch as the bug worked around has been fixed * New upstream release (Closes: #703345) - Update copyright years in debian/copyright - Update versioned dependency on libhtml-rewriteattributes-perl - Add dbconfig upgrade script and associated NEWS item - customize some documentation to refer to Debian paths - add POD for rt-validate-aliases * Add rt4-doc-html package containing HTML documentation for RT * Reorder and trim the long package descriptions to reduce duplication * Rework copyright file to meet the Version 1.0 spec -- Dominic Hargreaves Fri, 29 Mar 2013 17:33:17 +0000 request-tracker4 (4.0.7-5) unstable; urgency=medium * Change localstatedir from /var/cache/request-tracker4 to /var/lib/request-tracker4 as it contains things which aren't caches * Update other references to /var/cache/request-tracker4 where appropriate * Move /var/cache/request-tracker4/data/gpg to /var/lib/request-tracker4/data/gpg in postinst * Add NEWS item about moves from /var/cache/request-tracker4 * Closes: #704107 -- Dominic Hargreaves Fri, 29 Mar 2013 13:15:32 +0000 request-tracker4 (4.0.7-4) unstable; urgency=low * Add extra robustness to hostname handling (Closes: 685502) -- Dominic Hargreaves Sun, 16 Dec 2012 14:08:31 +0000 request-tracker4 (4.0.7-3) unstable; urgency=low * Cherry-pick fix from 4.0.8 fixing duplicate transaction creation bug (Closes: #691701) * Remove unused code which uses Digest::SHA1 which in turn has been removed from Debian (Closes: #694484) -- Dominic Hargreaves Mon, 10 Dec 2012 14:13:24 +0000 request-tracker4 (4.0.7-2) unstable; urgency=high * Multiple security fixes for: - Email header injection attack (CVE-2012-4730) - Missing rights checking for Articles (CVE-2012-4731) - CSRF protection allows attack on bookmarks (CVE-2012-4732) - Confused deputy attack for non-logged-in users (CVE-2012-4734) - Multiple message signing/encryption attacks related to GnuPG (CVE-2012-4735) - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884) -- Dominic Hargreaves Tue, 23 Oct 2012 10:58:58 +0100 request-tracker4 (4.0.7-1) unstable; urgency=low * In debian/config, fall back to using plain 'hostname' if 'hostname -f' does not work. Thanks to Daniel Baumann (Closes: #685502) * New upstream release * Add missing dependency on libipc-run-perl (versioned to 0.90 following upstream dependencies) -- Dominic Hargreaves Mon, 15 Oct 2012 18:23:39 +0100 request-tracker4 (4.0.6-4) unstable; urgency=low * Remove recommendation of libapache2-mod-fastcgi since this is non-free (Closes: #682133) * Remove cron job during package purge (Closes: #682186) -- Dominic Hargreaves Fri, 17 Aug 2012 19:54:42 +0100 request-tracker4 (4.0.6-3) unstable; urgency=high * Fix broken regex character range that results in failed installs; thanks to Carl Fürstenber (Closes: #678239) * Urgency high due to RC bug fix -- Dominic Hargreaves Thu, 21 Jun 2012 22:28:11 +0100 request-tracker4 (4.0.6-2) unstable; urgency=low * update-rt-siteconfig: Allow inclusion of files with capital letters and underscores in their name (Closes: #674409) -- Dominic Hargreaves Sun, 03 Jun 2012 17:50:50 +0100 request-tracker4 (4.0.6-1) unstable; urgency=low * Provide specific instructions for restarting a mod_perl based Apache server * New upstream release - update dependencies - add NEWS items - apply database upgrades * Update mod_fcgid config to allow large attachments * Fix debian/copyright syntax (thanks, Lintian) -- Dominic Hargreaves Sun, 27 May 2012 18:24:26 +0100 request-tracker4 (4.0.5-3) unstable; urgency=high [ Dmitry Smirnov ] * debian/copyright update * added missing 'libfcgi-perl' dependency to 'rt4-fcgi' * debian/rt4-fcgi.init: fixed 'status' function [ Dominic Hargreaves ] * Multiple security fixes for: - XSS vulnerabilities (CVE-2011-2083) - information disclosure vulnerabilities including password hash exposure and correspondence disclosure to privileged users (CVE-2011-2084) - CSRF vulnerabilities allowing information disclosure, privilege escalation, and arbitrary code execution. Original behaviour may be restored by setting $RestrictReferrer to 0 for installations which rely on it (CVE-2011-2085) - remote code execution vulnerabilities including in VERP functionality (CVE-2011-4458) * Add vulnerable-password and clean-user-txns scripts to accompany above fixes, and run in postinst -- Dominic Hargreaves Sat, 19 May 2012 22:30:27 +0100 request-tracker4 (4.0.5-2) unstable; urgency=low * Improve rt4-fcgi description to clarify that it's only required where an external FCGI process is needed, and that it's not nginx specific * Add Dutch debconf translation (Closes: #661101) * Create cron job world-readable during new installations (Closes: #660867) * Correctly remove all conffiles during purge (Closes: #668451) * Remove references to obsolete /etc/apache2/conf.d (see #669774) * Update Standards-Version (no changes) -- Dominic Hargreaves Sun, 22 Apr 2012 14:58:39 +0100 request-tracker4 (4.0.5-1) unstable; urgency=low * New upstream release * Remove no longer needed libhtml-parser-perl dependency * Remove patch 67_restore_database_disconnection_state, integrated upstream -- Dominic Hargreaves Sun, 05 Feb 2012 22:48:38 +0000 request-tracker4 (4.0.4-3) unstable; urgency=low [ Dmitry Smirnov ] * debian/copyright + updated to DEP-5 + corrected source URL + added copyrights of debian contributors - removed Perl copyright paragraph * debian/watch is updated * new rt4-fcgi package and sample nginx configuration * debian/control: + request-tracker4 depend either on rt4-apache2 or on rt4-fcgi -- Dominic Hargreaves Thu, 26 Jan 2012 19:59:23 +0000 request-tracker4 (4.0.4-2) unstable; urgency=low * Add Recommends on all Apache-related modules; although any one can be used to produce a working configuration, installing them all will result in less confusion (LP: #769765) * Restore database disconnection state after successful safe_run_child; fixes problems with mod_perl + PostgreSQL + mod_ssl. Thanks to Alex Vandiver (Closes: #632129) -- Dominic Hargreaves Mon, 02 Jan 2012 15:05:48 +0000 request-tracker4 (4.0.4-1) unstable; urgency=low * New upstream release * Don't hard-code the DBA user in rt-setup-fulltext-index (Closes: #644093) -- Dominic Hargreaves Thu, 10 Nov 2011 23:02:28 +0000 request-tracker4 (4.0.2-1) unstable; urgency=low * Include Homepage in debian/control (Closes: #631668) * Don't hard-code the DBA user in rt-setup-database (Closes: #637215) * Improve reference to upstream documentation * New upstream release * Remove dependency on libjavascript-minifier-perl, no longer used -- Dominic Hargreaves Wed, 17 Aug 2011 22:53:39 +0100 request-tracker4 (4.0.1-1) unstable; urgency=low * New upstream release * Tidy up obsolete strings from Debconf translations * Add Danish debconf translation (from: #631304) * Add build-arch and build-indep targets to debian/rules (thanks, Lintian) * Move po-debconf from Build-Depends-Indep to Build-Depends (thanks, Lintian) * Correct name of cron.d file from request-tracker40 to request-tracker4 -- Dominic Hargreaves Fri, 24 Jun 2011 19:48:24 +0100 request-tracker4 (4.0.1~rc2-1) experimental; urgency=low * New upstream release candidate -- Dominic Hargreaves Tue, 14 Jun 2011 20:51:13 +0100 request-tracker4 (4.0.1~rc1-2) experimental; urgency=low * Ignore quilt .pc files when backing up generated files; fixes FTBFS under some circumstances (Closes: #628901) -- Dominic Hargreaves Sun, 05 Jun 2011 15:41:32 +0100 request-tracker4 (4.0.1~rc1-1) experimental; urgency=low * Initial release with packaging taken from request-tracker3.8 3.8.8-6 (Closes: #605103) - rebase/drop various patches - install new scripts - update documentation - remove support for SpeedyCGI - update example Apache configurations - update dependencies - remove some old upgrade utility scripts * Correct name of file in cron.d to one which will be run by cron * Remove completely misleading documentation from NOTES.Debian relating to migrating between SQLite and other databases * Bump Standards-Version (no changes) * Include BSD license text in debian/copyright (thanks, Lintian) -- Dominic Hargreaves Sun, 29 May 2011 13:01:30 +0100