lp:ubuntu/precise-proposed/request-tracker3.8
- Get this branch:
- bzr branch lp:ubuntu/precise-proposed/request-tracker3.8
Branch merges
Branch information
Recent revisions
- 18. By Marc Deslauriers
-
[ Dominic Hargreaves ]
* Multiple security fixes for:
- XSS vulnerabilities (CVE-2011-2083)
- information disclosure vulnerabilities including password hash
exposure and correspondence disclosure to privileged users
(CVE-2011-2084)
- CSRF vulnerabilities allowing information disclosure,
privilege escalation, and arbitrary code execution. Original
behaviour may be restored by setting $RestrictReferrer to 0 for
installations which rely on it (CVE-2011-2085)
- remote code execution vulnerabilities including in VERP
functionality (CVE-2011-4458)
* Fix the vulnerable-passwords script to also upgrade password hashes
for disabled users, and rerun the script in postinst (CVE-2011-2082)
* Include clean-user-txns script to accompany the above fixes, and
run in postinst
* Provide specific instructions for restarting a mod_perl based
Apache server[ Marc Deslauriers ]
* debian/patches/ 60_misc_ sec_regressions .dpatch: fix regression in
rt-email-dashboards, and whitelist search results and calendar helper
from CSRF protection
* SECURITY UPDATE: Multiple security fixes (LP: #1004834):
- Email header injection attack (CVE-2012-4730)
- CSRF protection allows attack on bookmarks (CVE-2012-4732)
- Confused deputy attack for non-logged-in users (CVE-2012-4734)
- Multiple message signing/encryption attacks related to GnuPG
(CVE-2012-4735)
- Arbitrary command-line argument injection to GnuPG (CVE-2012-4884) - 16. By Dominic Hargreaves
-
* New upstream release; includes multiple security fixes
(Closes: #622774):
- Remote code execution in external custom fields (CVE-2011-1685)
- Information disclosure via SQL injection (CVE-2011-1686)
- Information disclosure via search interface (CVE-2011-1687)
- Information disclosure via directory traversal (CVE-2011-1688)
- User javascript execution via XSS vulnerability (CVE-2011-1689)
- Authentication credentials theft (CVE-2011-1690)
* Update Standards-Version (no changes) - 15. By Dominic Hargreaves
-
* Correct name of file in cron.d to one which will be run by cron
(Closes: #607209)
* Apply patch from upstream reducing the severity of the
RTAddressRegexp warning message to "debug", to avoid the cron jobs
generating noise
* Remove completely misleading documentation from NOTES.Debian
relating to migrating between SQLite and other databases
(Closes: #608481)
* Correct name of libapache2-mod-fcgid in debian/ conf/apache2- fcgid.conf
* Security fix: support salted passwords in database and upgrade
unsalted passwords (CVE-2011-0009) - 14. By Dominic Hargreaves
-
* Make sure /etc/cron.d exists in postinst before installing cronjob,
to cater for the case where cron is not installed (Closes: #602570)
* Add cron-daemon to Recommends
* Allow for an empty $WebPath config variable in debconf in
debian/config (Closes: #599333)
* Improve documentation for rt-dump-database and add pointers to
UPGRADING in NOTES.Debian (Closes: #603247) - 13. By Dominic Hargreaves
-
* Add dummy init script to ensure that the database server is started
before the web server in parallel booting environments
(Closes: #595054)
* Debconf translation updates (Closes: #598497) - 12. By Dominic Hargreaves
-
* Debconf translation updates (Closes: #592255, #592514, #593564,
#593687, #593989, #594079, #594935)
* Update NOTES.Debian to reflect the fact that the root password is
not normally set to the default any more
* Improve wording of Organization debconf question (Closes: #590919)
* Update uscan URL
* Document RT_SiteModules.pm in README.Debian
* Document the limitations of the rt command-line client in
rt3.8-clients. README. Debian (See: #594982)
* Revert changes in PostgreSQL and MySQL dependencies made in 3.8.8-2
as at least the PostgreSQL changes introduce upgrade difficulties
between lenny and squeeze (Closes: #596926) - 11. By Micah Gersten
-
* Merge from debian unstable. (LP: #626588) Remaining changes:
+ debian/control:
- Suggest mysql-server-5.1 instead of mysql-server-5.0 - 10. By Micah Gersten
-
* Merge from Debian unstable. (LP: #614036) Remaining changes:
- debian/control:
+ Suggest mysql-server-5.1.
- Dont depend on mysql-client-5.0.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/raring/request-tracker3.8