request-tracker5 (5.0.1+dfsg-1ubuntu1+esm1) jammy-security; urgency=medium

  * SECURITY UPDATE: Several security fixes
    - d/p/CVE-2025-2545_CVE-2025-30087_CVE-2025-31500_CVE-2025-31501.patch:
      Fix four security issues in RT.
    - debian/patches/CVE-2025-30087-regression.patch: Improve fix to
      CVE-2025-30087
    - CVE-2025-2545
    - CVE-2025-30087
    - CVE-2025-31500
    - CVE-2025-31501
  * SECURITY UPDATE: Information leakage despite session termination
    - debian/patches/CVE-2024-3262-1.patch: Add $WebStrictBrowserCache
      option to disable browser cache
    - debian/patches/CVE-2024-3262-2.patch: Convert other Mason
      templates to new headers template
    - CVE-2024-3262
  * SECURITY UPDATE: Several security fixes
    - d/p/CVE-2023-41259_CVE-2023-41260-CVE-2023-45024.patch: [PATCH
      01/21] Clear all RT crypt headers from incoming email before
      processing
    - CVE-2023-41259
    - CVE-2023-41260
    - CVE-2023-45024
  * SECURITY UPDATE: Open Redirect via ticket search
    - debian/patches/CVE-2022-25803.patch: [PATCH 1/2] Drop unused
      redirect support from /Articles/Article/Edit.html
    - CVE-2022-25803
  * SECURITY UPDATE: XSS via crafted content type for an attachment
    - debian/patches/CVE-2022-25802.patch: Set X-Content-Type-Options to
      nosniff to tell browser not to change content-type
    - CVE-2022-25802
  * SECURITY UPDATE: Information leakage via timing attack
    - debian/patches/CVE-2021-38562.patch: Always check password to
      avoid timing side channel attacks in REST2 basic auth
    - CVE-2021-38562
  * debian/patches/update-certs.patch: Replace expired certs

 -- John Breton <john.breton@canonical.com>  Tue, 12 Aug 2025 09:12:07 -0400

request-tracker5 (5.0.1+dfsg-1ubuntu1) impish; urgency=medium

  * d/p/rt_test_gnupg_disable_wkd.diff: Backport patch from Debian to disable
    using WKD on GnuPG tests that might attempt to use the network (LP: #1932076).

 -- Lucas Kanashiro <kanashiro@ubuntu.com>  Thu, 19 Aug 2021 16:05:48 -0300

request-tracker5 (5.0.1+dfsg-1) unstable; urgency=medium

  [ Dominic Hargreaves ]
  * Depend on perl-doc so that script usage is printed correctly
    (Closes: #666123)
  * Downgrade Depends on rsyslog | system-log-daemon to Recommends
    to support installations which prefer to use only systemd for
    logging (see #981942)
  * Remove obsolete alternative depends on dual-lived modules

  [ Andrew Ruthven ]
  * New upstream release.
  * Update debian/copyright.
  * Skip check for Mozilla::CA module to allow make testdeps to succeed.
  * Add third-party-source tarball to d/watch.
  * Add GPG signature verification of upstream tarballs.
  * Fix path to /bin/true in request-tracker5.service (Closes: #983752).
  * Resolve reportbug script issue where it'll exit with error code 255 if
    no files are present under /usr/local/share/request-tracker5 .

  [ Dominic Hargreaves ]
  * Don't ignore the exit status of make testdeps any more
  * Drop patches no_testdeps and no_test_web_installer
  * Add Build-Depends on starlet

 -- Andrew Ruthven <andrew@etc.gen.nz>  Mon, 03 Mar 2021 23:05:11 +1300

request-tracker5 (5.0.0+dfsg-1) unstable; urgency=medium

  [ Andrew Ruthven ]
  * Branch request-tracker5 packaging from request-tracker4
  * New upstream release (Closes: #981077)
  * Drop patches which are no longer required as GnuPG::Interface supports
    gpg2:
    - runtime_gpg1.diff
    - test_gnupg-interface_gpg1.diff
    - test_gpg1.diff
  * Drop patch fix_privacy_breach_generic.diff as images are now local
    not loaded from Best Practical's website.
  * Add fix_test_ldap_ipv4.diff to fix LDAP test.
  * Add use-webpath-for-relateddata-links.diff so that RelatedData links
    for the default Debian path of "rt" work.
  * Add rt-crypt-gnupg-combine-call.diff to ensure that GnuPG::Interface
    instantiates with the gpg binary to use
  * Add myself to copyright file and as an uploader.

  [ Dominic Hargreaves ]
  * Import new dfsg version of third-party sources
  * Add scripts to add additional sources to third-party directory
  * Further updates to Lintian overrides for sources supplied in
    third-party
  * Remove conflicting Recommends on libhtml-formatexternal-perl which we
    also depend on
  * Refresh debian/copyright
  * Update README.Debian to reflect the current status of migration
    support.

 -- Dominic Hargreaves <dom@earth.li>  Tue, 26 Jan 2021 01:21:36 +0000
