Change log for request-tracker3.8 package in Ubuntu

1 → 21 of 21 results
Obsolete in oneiric-updates
Obsolete in oneiric-security
Deleted in oneiric-proposed (Reason: moved to -updates)
request-tracker3.8 (3.8.10-1ubuntu0.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Multiple security fixes (LP: #1004834):
    - Email header injection attack (CVE-2012-4730)
    - CSRF protection allows attack on bookmarks (CVE-2012-4732)
    - Confused deputy attack for non-logged-in users (CVE-2012-4734)
    - Multiple message signing/encryption attacks related to GnuPG
      (CVE-2012-4735)
    - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)
    - XSS vulnerabilities (CVE-2011-2083)
    - information disclosure vulnerabilities including password hash
      exposure and correspondence disclosure to privileged users
      (CVE-2011-2084)
    - CSRF vulnerabilities allowing information disclosure,
      privilege escalation, and arbitrary code execution. Original
      behaviour may be restored by setting $RestrictReferrer to 0 for
      installations which rely on it (CVE-2011-2085)
    - remote code execution vulnerabilities including in VERP
      functionality (CVE-2011-4458)
  * Fix the vulnerable-passwords script to also upgrade password hashes
    for disabled users, and rerun the script in postinst (CVE-2011-2082)
  * Include clean-user-txns script to accompany the above fixes, and
    run in postinst
  * Provide specific instructions for restarting a mod_perl based
    Apache server
  * debian/patches/60_misc_sec_regressions.dpatch: fix regression in
    rt-email-dashboards, and whitelist search results and calendar helper
    from CSRF protection
 -- Marc Deslauriers <email address hidden>   Fri, 09 Nov 2012 15:08:36 -0500
Published in precise-updates
Published in precise-security
Deleted in precise-proposed (Reason: moved to -updates)
request-tracker3.8 (3.8.11-1ubuntu0.1) precise-security; urgency=low

  [ Dominic Hargreaves ]
  * Multiple security fixes for:
    - XSS vulnerabilities (CVE-2011-2083)
    - information disclosure vulnerabilities including password hash
      exposure and correspondence disclosure to privileged users
      (CVE-2011-2084)
    - CSRF vulnerabilities allowing information disclosure,
      privilege escalation, and arbitrary code execution. Original
      behaviour may be restored by setting $RestrictReferrer to 0 for
      installations which rely on it (CVE-2011-2085)
    - remote code execution vulnerabilities including in VERP
      functionality (CVE-2011-4458)
  * Fix the vulnerable-passwords script to also upgrade password hashes
    for disabled users, and rerun the script in postinst (CVE-2011-2082)
  * Include clean-user-txns script to accompany the above fixes, and
    run in postinst
  * Provide specific instructions for restarting a mod_perl based
    Apache server

  [ Marc Deslauriers ]
  * debian/patches/60_misc_sec_regressions.dpatch: fix regression in
    rt-email-dashboards, and whitelist search results and calendar helper
    from CSRF protection
  * SECURITY UPDATE: Multiple security fixes (LP: #1004834):
    - Email header injection attack (CVE-2012-4730)
    - CSRF protection allows attack on bookmarks (CVE-2012-4732)
    - Confused deputy attack for non-logged-in users (CVE-2012-4734)
    - Multiple message signing/encryption attacks related to GnuPG
      (CVE-2012-4735)
    - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)
 -- Marc Deslauriers <email address hidden>   Fri, 09 Nov 2012 15:08:36 -0500
Obsolete in lucid-updates
Obsolete in lucid-security
Deleted in lucid-proposed (Reason: moved to -updates)
request-tracker3.8 (3.8.7-1ubuntu2.3) lucid-security; urgency=low

  [ Dominic Hargreaves ]
  * Multiple security fixes for:
    - XSS vulnerabilities (CVE-2011-2083)
    - information disclosure vulnerabilities including password hash
      exposure and correspondence disclosure to privileged users
      (CVE-2011-2084)
    - CSRF vulnerabilities allowing information disclosure,
      privilege escalation, and arbitrary code execution. Original
      behaviour may be restored by setting $RestrictReferrer to 0 for
      installations which rely on it (CVE-2011-2085)
    - remote code execution vulnerabilities including in VERP
      functionality (CVE-2011-4458)
  * Fix the vulnerable-passwords script to also upgrade password hashes
    for disabled users, and rerun the script in postinst (CVE-2011-2082)
  * Include clean-user-txns script to accompany the above fixes, and
    run in postinst
  * Provide specific instructions for restarting a mod_perl based
    Apache server

  [ Marc Deslauriers ]
  * debian/patches/81_misc_sec_regressions.dpatch: fix regression in
    rt-email-dashboards, and whitelist search results and calendar helper
    from CSRF protection
  * SECURITY UPDATE: Multiple security fixes (LP: #1004834):
    - Email header injection attack (CVE-2012-4730)
    - CSRF protection allows attack on bookmarks (CVE-2012-4732)
    - Confused deputy attack for non-logged-in users (CVE-2012-4734)
    - Multiple message signing/encryption attacks related to GnuPG
      (CVE-2012-4735)
    - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)
 -- Marc Deslauriers <email address hidden>   Fri, 09 Nov 2012 15:15:40 -0500
Superseded in lucid-updates
Superseded in lucid-security
request-tracker3.8 (3.8.7-1ubuntu2.2) lucid-security; urgency=low

  * Fix error in previous patch application which broke logins.
    Thanks to Best Practical for the testing and fix. (LP: #750339)
 -- Dominic Hargreaves <email address hidden>   Thu, 24 Nov 2011 14:37:00 +0000
Deleted in quantal-release (Reason: (From Debian) ROM; Obsoleted by request-tracker4; securit...)
Published in precise-release
request-tracker3.8 (3.8.11-1) unstable; urgency=low

  * New upstream release
  * Add Danish debconf translation (Closes: #631304)
 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  21 Nov 2011 12:43:31 +0000

Deleted in lucid-proposed (Reason: moved to -updates)
request-tracker3.8 (3.8.7-1ubuntu2.1) lucid-security; urgency=low

  * SECURITY UPDATE: support salted passwords in database and upgrade
    unsalted passwords (CVE-2011-0009)
    - LP: #750339
  * Security fix: fix information leakage in scrips (CVE-2011-1008)
  * Multiple security fixes for:
    - Remote code execution in external custom fields (CVE-2011-1685)
    - Information disclosure via SQL injection (CVE-2011-1686)
    - Information disclosure via search interface (CVE-2011-1687)
    - Information disclosure via directory traversal (CVE-2011-1688)
    - User javascript execution via XSS vulnerability (CVE-2011-1689)
    - Authentication credentials theft (CVE-2011-1690)
 -- Dominic Hargreaves <email address hidden>   Sun, 29 May 2011 13:50:51 +0100
Obsolete in maverick-updates
Obsolete in maverick-security
request-tracker3.8 (3.8.8-4ubuntu0.1) maverick-security; urgency=low

  * Security fix: support salted passwords in database and upgrade
    unsalted passwords (CVE-2011-0009)
  * Security fix: fix information leakage in scrips (Closes: 614576;
    CVE-2011-1008)
  * Multiple security fixes for:
    - Remote code execution in external custom fields (CVE-2011-1685)
    - Information disclosure via SQL injection (CVE-2011-1686)
    - Information disclosure via search interface (CVE-2011-1687)
    - Information disclosure via directory traversal (CVE-2011-1688)
    - User javascript execution via XSS vulnerability (CVE-2011-1689)
    - Authentication credentials theft (CVE-2011-1690)
 -- Dominic Hargreaves <email address hidden>   Tue, 19 Apr 2011 23:20:25 +0100
Superseded in precise-release
Obsolete in oneiric-release
Obsolete in natty-release
request-tracker3.8 (3.8.10-1) unstable; urgency=high

  * New upstream release; includes multiple security fixes
    (Closes: #622774):
    - Remote code execution in external custom fields (CVE-2011-1685)
    - Information disclosure via SQL injection (CVE-2011-1686)
    - Information disclosure via search interface (CVE-2011-1687)
    - Information disclosure via directory traversal (CVE-2011-1688)
    - User javascript execution via XSS vulnerability (CVE-2011-1689)
    - Authentication credentials theft (CVE-2011-1690)
  * Update Standards-Version (no changes)

Superseded in natty-release
request-tracker3.8 (3.8.8-7) unstable; urgency=high

  * Correct name of file in cron.d to one which will be run by cron
    (Closes: #607209)
  * Apply patch from upstream reducing the severity of the
    RTAddressRegexp warning message to "debug", to avoid the cron jobs
    generating noise
  * Remove completely misleading documentation from NOTES.Debian
    relating to migrating between SQLite and other databases
    (Closes: #608481)
  * Correct name of libapache2-mod-fcgid in debian/conf/apache2-fcgid.conf
  * Security fix: support salted passwords in database and upgrade
    unsalted passwords (CVE-2011-0009)
 -- Micah Gersten <email address hidden>   Tue,  25 Jan 2011 18:32:02 +0000

Superseded in natty-release
request-tracker3.8 (3.8.8-6) unstable; urgency=low

  * Make sure /etc/cron.d exists in postinst before installing cronjob,
    to cater for the case where cron is not installed (Closes: #602570)
  * Add cron-daemon to Recommends
  * Allow for an empty $WebPath config variable in debconf in
    debian/config (Closes: #599333)
  * Improve documentation for rt-dump-database and add pointers to
    UPGRADING in NOTES.Debian (Closes: #603247)
 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  15 Nov 2010 09:20:51 +0000

Superseded in natty-release
request-tracker3.8 (3.8.8-5) unstable; urgency=low

  * Add dummy init script to ensure that the database server is started
    before the web server in parallel booting environments
    (Closes: #595054)
  * Debconf translation updates (Closes: #598497)
 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  15 Oct 2010 09:58:17 +0000

Superseded in natty-release
Obsolete in maverick-release
request-tracker3.8 (3.8.8-4) unstable; urgency=low

  * Debconf translation updates (Closes: #592255, #592514, #593564,
    #593687, #593989, #594079, #594935)
  * Update NOTES.Debian to reflect the fact that the root password is
    not normally set to the default any more
  * Improve wording of Organization debconf question (Closes: #590919)
  * Update uscan URL
  * Document RT_SiteModules.pm in README.Debian
  * Document the limitations of the rt command-line client in
    rt3.8-clients.README.Debian (See: #594982)
  * Revert changes in PostgreSQL and MySQL dependencies made in 3.8.8-2
    as at least the PostgreSQL changes introduce upgrade difficulties
    between lenny and squeeze (Closes: #596926)
 -- Micah Gersten <email address hidden>   Fri,  24 Sep 2010 15:50:44 +0000

Superseded in maverick-release
request-tracker3.8 (3.8.8-3ubuntu1) maverick; urgency=low

  * Merge from debian unstable. (LP: #626588) Remaining changes:
    + debian/control:
      - Suggest mysql-server-5.1 instead of mysql-server-5.0

Superseded in maverick-release
request-tracker3.8 (3.8.8-1ubuntu1) maverick; urgency=low

  * Merge from Debian unstable. (LP: #614036) Remaining changes:
    - debian/control:
      + Suggest mysql-server-5.1.
      - Don't depend on mysql-client-5.0.

Superseded in maverick-release
Obsolete in lucid-release
request-tracker3.8 (3.8.7-1ubuntu2) lucid; urgency=low

  * debian/control: Don't depend on mysql-client-5.0.
 -- Chuck Short <email address hidden>   Wed, 14 Apr 2010 10:49:41 -0400

Superseded in lucid-release
request-tracker3.8 (3.8.7-1ubuntu1) lucid; urgency=low

  * debian/control: Suggest mysql-server-5.1.
 -- Chuck Short <email address hidden>   Wed, 07 Apr 2010 11:53:58 -0400

Superseded in lucid-release
request-tracker3.8 (3.8.7-1) unstable; urgency=low

  * New upstream release; includes:
    - Documentation fix for MySQL schema upgrades (Closes: #550278)
  * Remove plugin packaging patch (included upstream)
  * Add NEWS item about a missing index for MySQL for which upstream have
    not included an upgrade schema
  * In debian/postinst, clarify that any persistent perl process
    setup needs to be restarted, not just mod_perl
 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  05 Jan 2010 06:06:35 +0000

Superseded in lucid-release
request-tracker3.8 (3.8.6-2) unstable; urgency=low

  * Adjust debian/watch file to only pick up 3.8 versions
  * Remove Gerardo from Uploaders due to MIA status (Closes: #553100)
  * Depend on packages providing Encode >= 2.21 to fix attachment
    handling problems (missed dependency change in 3.8.6)
 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  17 Nov 2009 17:47:08 +0000

Superseded in lucid-release
request-tracker3.8 (3.8.6-1) unstable; urgency=low

  * New upstream release
  * Update Vietnamese debconf translation (Closes: #548140)
  * Include patch from <http://rt3.fsck.com/Ticket/Display.html?id=13975>
    to support plugin packaging
  * Update Debian layout to include new plugin dir from the above patch
  * Remove wrapping patch which has been included upstream
  * Recommend libdatetime-locale-perl and libdatetime-perl as they will
    be optionally used by RT, but also Conflict on older versions which
    break RT.

Superseded in lucid-release
Obsolete in karmic-release
request-tracker3.8 (3.8.4-1) unstable; urgency=low

  [ Dominic Hargreaves ]
  * Add missing comma in Depends (fixes FTBFS on etch)
  * Update debconf translations: pt.po, ja.po, sv.po, it.po, cs.po, ru.po
    (Closes: #519885, #519922, #520603, #520759, #521199, #521926)
  * Document preference for not using SQLite in production
    (Closes: #512750)

  [ Christian Perrier ]
  * Debconf templates and debian/control reviewed by the debian-l10n-
    english team as part of the Smith review project.
    (Closes: #522367, #520959)
  * [Debconf translation updates]
    - Japanese. Closes: #522896
    - German. Closes: #520958
    - Portuguese. Closes: #523481
    - Galician. Closes: #524256
    - Spanish. Closes: #524449
    - Italian. Closes: #524715
    - Russian. Closes: #524894
    - Swedish. Closes: #525171
    - French. Closes: #525281

  [ Dominic Hargreaves ]
  * Don't tell dbconfig to comment out unused variables, since this
    breaks MySQL and Postgres database configuration (Closes: #523090)
  * Update Standards-Version (no changes)
  * Switch dependency on sysklogd to rsyslog (Closes: #526914)
  * New upstream release; includes
    - Minor security fix (Closes: #533069)
    - Add missing Postgres index (Closes: #512653)
  * Patch webmux.pl to provide a better error message when the wrong
    major version of RT is in @INC (for example in a mod_perl context).
    (Closes: #518692)
  * Add some more example Exim 4 configuration (Closes: #238345)
  * Don't apply database ACLs in databases managed by dbconfig-common.
  * Remove unused ACL patch

 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  18 Jun 2009 08:33:15 +0100

Superseded in karmic-release
request-tracker3.8 (3.8.2-1) unstable; urgency=low

  [ Niko Tyni ]
  * Clean a 3.6 leftover in debian/rules
  * Remove automatically generated files in the 'build' target so that
    building twice in a row doesn't change the .diff.gz.
  * Install the default configuration (everything except RT_Site*) into
    /usr/share/request-tracker3.8/etc instead of /etc/request-tracker3.8.
    These files were never meant to be modified and can be overridden
    through /etc. (Closes: #511254)
  * Remove the obsolete 41-disable-gnupg configuration snippet.

  [ Dominic Hargreaves ]
  * In postinst, remove unmodified obsolete config files for tidiness
  * Japanese debconf translation, thanks to Hideki Yamane (Closes: #512855)
  * Depend on libipc-run-safehandles-perl (Closes: #512646)
  * Fix rt-setup-database to use correct path for upgrade data
    (Closes: #518556)
