request-tracker3.8 (3.8.7-1ubuntu2.2) lucid-security; urgency=low

  * Fix error in previous patch application which broke logins. Thanks
    to Best Practical for the testing and fix. (LP: #750339)

 -- Dominic Hargreaves  Thu, 24 Nov 2011 14:37:00 +0000

request-tracker3.8 (3.8.7-1ubuntu2.1) lucid-security; urgency=low

  * SECURITY UPDATE: support salted passwords in database and upgrade
    unsalted passwords (CVE-2011-0009)
    - LP: #750339
  * Security fix: fix information leakage in scrips (CVE-2011-1008)
  * Multiple security fixes for:
    - Remote code execution in external custom fields (CVE-2011-1685)
    - Information disclosure via SQL injection (CVE-2011-1686)
    - Information disclosure via search interface (CVE-2011-1687)
    - Information disclosure via directory traversal (CVE-2011-1688)
    - User javascript execution via XSS vulnerability (CVE-2011-1689)
    - Authentication credentials theft (CVE-2011-1690)

 -- Dominic Hargreaves  Sun, 29 May 2011 13:50:51 +0100

request-tracker3.8 (3.8.7-1ubuntu2) lucid; urgency=low

  * debian/control: Don't depend on mysql-client-5.0.

 -- Chuck Short  Wed, 14 Apr 2010 10:49:41 -0400

request-tracker3.8 (3.8.7-1ubuntu1) lucid; urgency=low

  * debian/control: Suggest mysql-server-5.1.

 -- Chuck Short  Wed, 07 Apr 2010 11:53:58 -0400

request-tracker3.8 (3.8.7-1) unstable; urgency=low

  * New upstream release; includes:
    - Documentation fix for MySQL schema upgrades (Closes: #550278)
  * Remove plugin packaging patch (included upstream)
  * Add NEWS item about a missing index for MySQL for which upstream
    have not included an upgrade schema
  * In debian/postinst, clarify that any persistent perl process setup
    needs to be restarted, not just mod_perl

 -- Dominic Hargreaves  Sun, 13 Dec 2009 14:35:55 +0000

request-tracker3.8 (3.8.6-2) unstable; urgency=low

  * Adjust debian/watch file to only pick up 3.8 versions
  * Remove Gerardo from Uploaders due to MIA status (Closes: #553100)
  * Depend on packages providing Encode >= 2.21 to fix attachment
    handling problems (missed dependency change in 3.8.6)

 -- Dominic Hargreaves  Mon, 02 Nov 2009 22:44:34 +0000

request-tracker3.8 (3.8.6-1) unstable; urgency=low

  * New upstream release
  * Update Vietnamese debconf translation (Closes: #548140)
  * Include patch from to support plugin packaging
  * Update Debian layout to include new plugin dir from the above patch
  * Remove wrapping patch which has been included upstream
  * Recommend libdatetime-locale-perl and libdatetime-perl as they will
    be optionally used by RT, but also Conflict on older versions which
    break RT.

 -- Dominic Hargreaves  Wed, 21 Oct 2009 22:21:20 +0100

request-tracker3.8 (3.8.5-1) unstable; urgency=low

  * New upstream release
    - Fix XSS security problem in custom field display
      (Closes: #546829)
  * Bump Standards-Version (no changes)
  * Add debian/README.source
  * Fix wrapping in standard editor (Closes: #536525)

 -- Dominic Hargreaves  Wed, 16 Sep 2009 20:53:12 +0100

request-tracker3.8 (3.8.4-1) unstable; urgency=low

  [ Dominic Hargreaves ]
  * Add missing comma in Depends (fixes FTBFS on etch)
  * Update debconf translations: pt.po, ja.po, sv.po, it.po, cs.po,
    ru.po (Closes: #519885, #519922, #520603, #520759, #521199,
    #521926)
  * Document preference for not using SQLite in production
    (Closes: #512750)

  [ Christian Perrier ]
  * Debconf templates and debian/control reviewed by the
    debian-l10n-english team as part of the Smith review project.
    (Closes: #522367, #520959)
  * [Debconf translation updates]
    - Japanese. Closes: #522896
    - German. Closes: #520958
    - Portuguese. Closes: #523481
    - Galician. Closes: #524256
    - Galician. Closes: #524256
    - Spanish. Closes: #524449
    - Italian. Closes: #524715
    - Russian. Closes: #524894
    - Swedish. Closes: #525171
    - French. Closes: #525281

  [ Dominic Hargreaves ]
  * Don't tell dbconfig to comment out unused variables, since this
    breaks MySQL and Postgres database configuration (Closes: #523090)
  * Update Standards-Version (no changes)
  * Switch dependency on sysklogd to rsyslog (Closes: #526914)
  * New upstream release; includes
    - Minor security fix (Closes: #533069)
    - Add missing Postgres index (Closes: #512653)
  * Patch webmux.pl to provide a better error message when the wrong
    major version of RT is in @INC (for example in a mod_perl context).
    (Closes: #518692)
  * Add some more example Exim 4 configuration (Closes: #238345)
  * Don't apply database ACLs in databases managed by dbconfig-common.
  * Remove unused ACL patch

 -- Dominic Hargreaves  Tue, 16 Jun 2009 21:46:59 +0100

request-tracker3.8 (3.8.2-1) unstable; urgency=low

  [ Niko Tyni ]
  * Clean a 3.6 leftover in debian/rules
  * Remove automatically generated files in the 'build' target so that
    building twice in a row doesn't change the .diff.gz.
  * Install the default configuration (everything except RT_Site*) into
    /usr/share/request-tracker3.8/etc instead of
    /etc/request-tracker3.8. These files were never meant to be
    modified and can be overridden through /etc. (Closes: #511254)
  * Remove the obsolete 41-disable-gnupg configuration snippet.

  [ Dominic Hargreaves ]
  * In postinst, remove unmodified obsolete config files for tidiness
  * Japanese debconf translation, thanks to Hideki Yamane
    (Closes: #512855)
  * Depend on libipc-run-safehandles-perl (Closes: #512646)
  * Fix rt-setup-database to use correct path for upgrade data
    (Closes: #518556)

 -- Dominic Hargreaves  Mon, 09 Mar 2009 22:31:20 +0000

request-tracker3.8 (3.8.2-1~experimental1) experimental; urgency=low

  * New upstream release
  * Remove debian/patches/60_uri_self_reference.dpatch (now in upstream)
  * Add ${misc:Depends} to packages that were missing it (thanks,
    lintian)
  * Remove note about speedy/GPG breakage, as a workaround has been
    applied
  * debian/scripts/update-rt-siteconfig:
    - only look for files directly in
      /etc/request-tracker3.8/RT_SiteConfig.d/ matching
      '^[a-z0-9][a-z0-9-]+$' (closes: #506446)
    - general tidying
  * Add some more lintian overrides for upstream changes
  * Add Swedish debconf translation from #511246
  * debian/rules: Add missing call to debconf-updatepo in clean target
    and update translations
  * Get dbconfig-common to update the database with content supplied
    with new upstream release
  * Really fix sqlite RT_SiteConfig.pm generation and flag this before
    installing new version (will require intervention on the part of
    the administrator)

 -- Dominic Hargreaves  Tue, 13 Jan 2009 12:19:28 +0000

request-tracker3.8 (3.8.1-1~experimental2) experimental; urgency=low

  * Bump version dependency of libhtml-mason-perl to 1:1.36-1 as RT
    depends on this.
  * debian/scripts/dbconfig.template: compress special casing for
    database name with sqlite onto one line, so the automatic comment
    addition doesn't break the syntax when dbconfig-common isn't being
    used to configure the database.
  * debian/README.Debian:
    - update some external URLs
    - correct upgrading documentation (rt-setup-database now has a
      built-in upgrade function) (closes: #505679)
  * debian/control: add alternative depends on libmime-perl to aid
    backporting
  * Re-enabled GnuPG by default but add warnings to NOTES.Debian and
    speedycgi handler Apache config referring to the breakage.
  * Include upstream documentation on upgrading from earlier instances.

 -- Dominic Hargreaves  Wed, 19 Nov 2008 20:01:32 +0000

request-tracker3.8 (3.8.1-1~experimental1) experimental; urgency=low

  [ Gerardo Curiel ]
  * Initial release. (Closes: #492939)
  * Packaging structure taken from the request-tracker3.6 package
    version 3.6.7-2 with the important bits altered where needed.
  * Added new dependencies:
    - libfile-sharedir-perl
    - libemail-address-perl
    - libperlio-eol-perl
    - libmime-types-perl
    - libdata-ical-perl
    - libtext-quoted-perl (moved from 'Recommended')
  * Added new recommended dependencies:
    - libgnupg-interface-perl
  * Dropped patches:
    - patches/13_webmux_path.dpatch
    - patches/08_postgres_acls.dpatch
    - patches/50_pod.dpatch
  * Rebased patches:
    - patches/01_layout.dpatch
  * New patches
    - patches/40_skip_testdeps.dpatch

  [ Andrew Ruthven ]
  * Rebased patches
    - patches/20_rt_setup_database_debian
    - patches/30_no_syslogd_running

  [ Dominic Hargreaves ]
  * postinst: lower the update-alternatives priority to not break
    existing installs of RT 3.6 during upgrades
  * {config,postinst}: remove use of dbc_first_version since this
    package is using dbconfig-common from the outset.
  * control: add missing dependency on libhtml-rewriteattributes-perl
    now it's available in Debian
  * add myself to Uploaders
  * Don't use debconf as a registry for installed database backend
    packages: ignore the debconf settings if the packages are already
    installed. (Closes: #503667)
  * Fix timezone handling in the default configuration.
    (Closes: #498124)
  * rules: in clean target, don't delete files which are now appearing
    in upstream tarball
  * Use the correct server name for self referencing URIs.
    (Closes: #503329)
  * New upstream release (3.8.1)
  * copyright: update copyright years, add more copyright statements
    for third-party code
  * scripts/dbconfig.template: only Set once in the sqlite3 case;
    behaviour of Set when called multiple times has changed
  * rules: create /var/cache/request-tracker3.8/data directory to hold
    misc data (including GnuPG data)
  * control:
    - add missing Depends on libgraphviz-perl
    - make libgnupg-interface-perl Depends rather than Recommends; it
      needs it.
  * Disable GnuPG in default configuration as it breaks speedy CGI
  * Don't install scriptaculous or prototype but instead depend on
    libjs-scriptaculous and libjs-prototype and install a symlink so
    that scriptaculous is where RT expects it
  * Lintian cleanups:
    - add descriptions to all patches
    - FCKeditor in RT is customised, so add an override for the
      relevant embedded-javascript-library warning
    - fix POD errors
  * Generate manpages for new command-line programs

 -- Dominic Hargreaves  Wed, 5 Nov 2008 17:20:40 +0000