lp:ubuntu/lucid-security/request-tracker3.8

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/lucid-security/request-tracker3.8

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

11. By Marc Deslauriers

[ Dominic Hargreaves ]
* Multiple security fixes for:
  - XSS vulnerabilities (CVE-2011-2083)
  - information disclosure vulnerabilities including password hash
    exposure and correspondence disclosure to privileged users
    (CVE-2011-2084)
  - CSRF vulnerabilities allowing information disclosure,
    privilege escalation, and arbitrary code execution. Original
    behaviour may be restored by setting $RestrictReferrer to 0 for
    installations which rely on it (CVE-2011-2085)
  - remote code execution vulnerabilities including in VERP
    functionality (CVE-2011-4458)
* Fix the vulnerable-passwords script to also upgrade password hashes
  for disabled users, and rerun the script in postinst (CVE-2011-2082)
* Include clean-user-txns script to accompany the above fixes, and
  run in postinst
* Provide specific instructions for restarting a mod_perl based
  Apache server

[ Marc Deslauriers ]
* debian/patches/81_misc_sec_regressions.dpatch: fix regression in
  rt-email-dashboards, and whitelist search results and calendar helper
  from CSRF protection
* SECURITY UPDATE: Multiple security fixes (LP: #1004834):
  - Email header injection attack (CVE-2012-4730)
  - CSRF protection allows attack on bookmarks (CVE-2012-4732)
  - Confused deputy attack for non-logged-in users (CVE-2012-4734)
  - Multiple message signing/encryption attacks related to GnuPG
    (CVE-2012-4735)
  - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)

10. By Dominic Hargreaves

* SECURITY UPDATE: support salted passwords in database and upgrade
  unsalted passwords (CVE-2011-0009)
  - LP: #750339
* Security fix: fix information leakage in scrips (CVE-2011-1008)
* Multiple security fixes for:
  - Remote code execution in external custom fields (CVE-2011-1685)
  - Information disclosure via SQL injection (CVE-2011-1686)
  - Information disclosure via search interface (CVE-2011-1687)
  - Information disclosure via directory traversal (CVE-2011-1688)
  - User javascript execution via XSS vulnerability (CVE-2011-1689)
  - Authentication credentials theft (CVE-2011-1690)

9. By Chuck Short

debian/control: Don't depend on mysql-client-5.0.

8. By Chuck Short

debian/control: Suggest mysql-server-5.1.

7. By Dominic Hargreaves

* New upstream release; includes:
  - Documentation fix for MySQL schema upgrades (Closes: #550278)
* Remove plugin packaging patch (included upstream)
* Add NEWS item about a missing index for MySQL for which upstream have
  not included an upgrade schema
* In debian/postinst, clarify that any persistent perl process
  setup needs to be restarted, not just mod_perl

6. By Dominic Hargreaves

* Adjust debian/watch file to only pick up 3.8 versions
* Remove Gerardo from Uploaders due to MIA status (Closes: #553100)
* Depend on packages providing Encode >= 2.21 to fix attachment
  handling problems (missed dependency change in 3.8.6)

5. By Dominic Hargreaves

* New upstream release
* Update Vietnamese debconf translation (Closes: #548140)
* Include patch from <http://rt3.fsck.com/Ticket/Display.html?id=13975>
  to support plugin packaging
* Update Debian layout to include new plugin dir from the above patch
* Remove wrapping patch which has been included upstream
* Recommend libdatetime-locale-perl and libdatetime-perl as they will
  be optionally used by RT, but also Conflict on older versions which
  break RT.

4. By Dominic Hargreaves

* New upstream release
  - Fix XSS security problem in custom field display (Closes: #546829)
* Bump Standards-Version (no changes)
* Add debian/README.source
* Fix wrapping in standard editor (Closes: #536525)

3. By Dominic Hargreaves

[ Dominic Hargreaves ]
* Add missing comma in Depends (fixes FTBFS on etch)
* Update debconf translations: pt.po, ja.po, sv.po, it.po, cs.po, ru.po
  (Closes: #519885, #519922, #520603, #520759, #521199, #521926)
* Document preference for not using SQLite in production
  (Closes: #512750)

[ Christian Perrier ]
* Debconf templates and debian/control reviewed by the debian-l10n-
  english team as part of the Smith review project.
  (Closes: #522367, #520959)
* [Debconf translation updates]
  - Japanese. Closes: #522896
  - German. Closes: #520958
  - Portuguese. Closes: #523481
  - Galician. Closes: #524256
  - Spanish. Closes: #524449
  - Italian. Closes: #524715
  - Russian. Closes: #524894
  - Swedish. Closes: #525171
  - French. Closes: #525281

[ Dominic Hargreaves ]
* Don't tell dbconfig to comment out unused variables, since this
  breaks MySQL and Postgres database configuration (Closes: #523090)
* Update Standards-Version (no changes)
* Switch dependency on sysklogd to rsyslog (Closes: #526914)
* New upstream release; includes
  - Minor security fix (Closes: #533069)
  - Add missing Postgres index (Closes: #512653)
* Patch webmux.pl to provide a better error message when the wrong
  major version of RT is in @INC (for example in a mod_perl context).
  (Closes: #518692)
* Add some more example Exim 4 configuration (Closes: #238345)
* Don't apply database ACLs in databases managed by dbconfig-common.
* Remove unused ACL patch

2. By Dominic Hargreaves

[ Niko Tyni ]
* Clean a 3.6 leftover in debian/rules
* Remove automatically generated files in the 'build' target so that
  building twice in a row doesn't change the .diff.gz.
* Install the default configuration (everything except RT_Site*) into
  /usr/share/request-tracker3.8/etc instead of /etc/request-tracker3.8.
  These files were never meant to be modified and can be overridden
  through /etc. (Closes: #511254)
* Remove the obsolete 41-disable-gnupg configuration snippet.

[ Dominic Hargreaves ]
* In postinst, remove unmodified obsolete config files for tidiness
* Japanese debconf translation, thanks to Hideki Yamane (Closes: #512855)
* Depend on libipc-run-safehandles-perl (Closes: #512646)
* Fix rt-setup-database to use correct path for upgrade data
  (Closes: #518556)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/precise/request-tracker3.8