lp:ubuntu/oneiric-updates/request-tracker3.8

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/oneiric-updates/request-tracker3.8

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

17. By Marc Deslauriers

* SECURITY UPDATE: Multiple security fixes (LP: #1004834):
  - Email header injection attack (CVE-2012-4730)
  - CSRF protection allows attack on bookmarks (CVE-2012-4732)
  - Confused deputy attack for non-logged-in users (CVE-2012-4734)
  - Multiple message signing/encryption attacks related to GnuPG
    (CVE-2012-4735)
  - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)
  - XSS vulnerabilities (CVE-2011-2083)
  - information disclosure vulnerabilities including password hash
    exposure and correspondence disclosure to privileged users
    (CVE-2011-2084)
  - CSRF vulnerabilities allowing information disclosure,
    privilege escalation, and arbitrary code execution. Original
    behaviour may be restored by setting $RestrictReferrer to 0 for
    installations which rely on it (CVE-2011-2085)
  - remote code execution vulnerabilities including in VERP
    functionality (CVE-2011-4458)
* Fix the vulnerable-passwords script to also upgrade password hashes
  for disabled users, and rerun the script in postinst (CVE-2011-2082)
* Include clean-user-txns script to accompany the above fixes, and
  run in postinst
* Provide specific instructions for restarting a mod_perl based
  Apache server
* debian/patches/60_misc_sec_regressions.dpatch: fix regression in
  rt-email-dashboards, and whitelist search results and calendar helper
  from CSRF protection

16. By Dominic Hargreaves

* New upstream release; includes multiple security fixes
  (Closes: #622774):
  - Remote code execution in external custom fields (CVE-2011-1685)
  - Information disclosure via SQL injection (CVE-2011-1686)
  - Information disclosure via search interface (CVE-2011-1687)
  - Information disclosure via directory traversal (CVE-2011-1688)
  - User javascript execution via XSS vulnerability (CVE-2011-1689)
  - Authentication credentials theft (CVE-2011-1690)
* Update Standards-Version (no changes)

15. By Dominic Hargreaves

* Correct name of file in cron.d to one which will be run by cron
  (Closes: #607209)
* Apply patch from upstream reducing the severity of the
  RTAddressRegexp warning message to "debug", to avoid the cron jobs
  generating noise
* Remove completely misleading documentation from NOTES.Debian
  relating to migrating between SQLite and other databases
  (Closes: #608481)
* Correct name of libapache2-mod-fcgid in debian/conf/apache2-fcgid.conf
* Security fix: support salted passwords in database and upgrade
  unsalted passwords (CVE-2011-0009)

14. By Dominic Hargreaves

* Make sure /etc/cron.d exists in postinst before installing cronjob,
  to cater for the case where cron is not installed (Closes: #602570)
* Add cron-daemon to Recommends
* Allow for an empty $WebPath config variable in debconf in
  debian/config (Closes: #599333)
* Improve documentation for rt-dump-database and add pointers to
  UPGRADING in NOTES.Debian (Closes: #603247)

13. By Dominic Hargreaves

* Add dummy init script to ensure that the database server is started
  before the web server in parallel booting environments
  (Closes: #595054)
* Debconf translation updates (Closes: #598497)

12. By Dominic Hargreaves

* Debconf translation updates (Closes: #592255, #592514, #593564,
  #593687, #593989, #594079, #594935)
* Update NOTES.Debian to reflect the fact that the root password is
  not normally set to the default any more
* Improve wording of Organization debconf question (Closes: #590919)
* Update uscan URL
* Document RT_SiteModules.pm in README.Debian
* Document the limitations of the rt command-line client in
  rt3.8-clients.README.Debian (See: #594982)
* Revert changes in PostgreSQL and MySQL dependencies made in 3.8.8-2
  as at least the PostgreSQL changes introduce upgrade difficulties
  between lenny and squeeze (Closes: #596926)

11. By Micah Gersten

* Merge from Debian unstable. (LP: #626588) Remaining changes:
  + debian/control:
    - Suggest mysql-server-5.1 instead of mysql-server-5.0

10. By Micah Gersten

* Merge from Debian unstable. (LP: #614036) Remaining changes:
  - debian/control:
    + Suggest mysql-server-5.1.
    - Don't depend on mysql-client-5.0.

9. By Chuck Short

debian/control: Don't depend on mysql-client-5.0.

8. By Chuck Short

debian/control: Suggest mysql-server-5.1.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/raring/request-tracker3.8