request-tracker5 (5.0.3+dfsg-1)
OK: VCS matches the version in the archive
- Git: https://salsa.debian.org/request-tracker-team/request-tracker5.git
- Branch: master
- Path: debian/changelog
- Browser: https://salsa.debian.org/request-tracker-team/request-tracker5
- Last scan: 2022-08-11 10:14:14+00
- Next scan: 2022-08-19 00:59:00+00
- Debian changelog in Git:
request-tracker5 (5.0.3+dfsg-1) unstable; urgency=medium

  * New upstream release (Closes: #988905).
  * Drop patches merged upstream:
    - use_webpath_for_relateddata_links.diff
    - rt-crypt-gnupg-combine-call.diff
  * Ensure package descriptions consistently refer to version 5
    (Closes: #984676).
  * Ensure a sane database admin user is specified for both PostgreSQL
    and MySQL.
  * Only create symlinks for the DB upgrade scripts we ship (Closes: #985704).
  * Fixes a security vulnerability that involves a login timing side-channel
    attack. This resolves CVE-2021-38562 (Closes: #995167)
  * Update fix_test_ldap_ipv4.diff for new test
    t/externalauth/ldap_email_login.t
  * Add missing dependencies on dbconfig-{mysql,postgresql,sqlite3}.
  * Refresh debian/copyright
  * Fix multiple security issues:
    - [CVE-2022-25803] RT 5.0 is vulnerable to unvalidated, or open,
      redirects in ticket searches.
    - [CVE-2022-25802] A cross-site scripting (XSS) issue when displaying
      attachment content with fraudulent content types. This vulnerability
      is assigned
    - Not performing full rights checks on access to file or image type
      custom fields, possibly allowing access to these custom fields by
      users without rights to access to the associated objects (like the
      ticket it is associated with).
  * RT is incompatible with Test::WWW::Mechanize 1.58, exclude that version.
  * Update upstream signing key.
  * Update Standards-Version to 4.6.1 (no changes)

 -- Andrew Ruthven <andrew@etc.gen.nz>  Thu, 21 Jul 2022 17:06:28 +1200
- This branch is even with tag debian/5.0.3+dfsg-1