request-tracker5 (5.0.10+dfsg-1)
[PTS] [DDPO]
COMMITS: VCS has seen 35 commits since the debian/5.0.9+dfsg-4 tag
- Git: https://salsa.debian.org/request-tracker-team/request-tracker5.git
-
- Branch: master
- Path: debian/changelog
- Repo size: 6197248
- Browser: https://salsa.debian.org/request-tracker-team/request-tracker5
- Last scan: 2026-06-02 03:38:02+00
- Next scan: 2026-06-08 10:54:00+00
- Debian changelog in Git:
request-tracker5 (5.0.10+dfsg-1) unstable; urgency=medium
* New upstream release.
- [CVE-2026-41075] Fix SQL injection via the entry_aggregator parameter in
JSON search. An authenticated user can craft input that is incorporated
into database queries without proper validation, potentially allowing
them to read or modify data in the RT database.
- [CVE-2026-41076] Fix an LDAP authentication bypass when RT is configured
to authenticate users against an LDAP or Active Directory server. Under
certain LDAP server configurations, an attacker may be able to
authenticate as any LDAP-backed RT user without supplying valid
credentials.
- [CVE-2026-6841] Fix a reflected cross-site scripting via the search "Page"
URL parameter.
- [CVE-2026-44227] Fix a reflected cross-site scripting via additional URL
parameters on search pages.
- [CVE-2026-44230] Fix a reflected cross-site scripting on search-results
chart pages.
- [CVE-2026-44229] Fix a cross-site scripting via uploaded content that is
served inline rather than as an attachment.
- [CVE-2026-41073] Fix a spreadsheet (CSV/formula) injection via ticket
values that are exported to a spreadsheet from search results.
User-controlled data is not sanitized before being written to the output
file, which can cause spreadsheet applications such as Microsoft Excel to
interpret crafted values as formulas or macros when the file is opened.
* Drop patches no longer needed:
- fix-WWW::Mechanize_v2.20_in_tests.diff
- add-missing-rt-base-require.diff
- fix-gnupg-2.4.9.diff
* Drop redundant lintian overrides for rt5-doc-html.
* Add missing ".service" to ordering lines in request-tracker5.service
(Closes: #1109102).
-- Andrew Ruthven <andrew@etc.gen.nz> Thu, 21 May 2026 20:44:52 +1200
- This branch is 35 commits ahead of tag debian/5.0.9+dfsg-4
- Git log:
commit 8d365d00caac2ad9385a5ac64bbb219837c9a16e
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu May 21 22:19:44 2026 +1200
Add missing .service suffix to services
commit 5df911789df79dab1219a7c9fd4c739378538827
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu May 21 21:23:28 2026 +1200
Drop redundant lintian overrides
commit 45a6d049ac2fae2028b1c637905abf6d45423b77
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu May 21 20:13:12 2026 +1200
Update for new upstream release
commit 299e46ab8bd53c04eaf855bf5d5a840a6f83253a
Merge: 6fbd488 2da0e3d
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu May 21 19:46:45 2026 +1200
merge patched into master
commit 2da0e3d29644df41fca830178a2d4e3b0da63c4f
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Mon Oct 27 17:26:04 2025 +1300
Downgrade dependency on CSS::Inliner to >= 4024
In Debian, we already have the fix that disables the test that requires
Internet. This is the only significant change in 4024.
I'm keeping this patch to simplify backports to Trixie.
Forwarded: not-needed
Patch-Name: downgrade_CSS::Inliner.diff
commit c7889ddd9fb418ff854f3d18174e7aa77445278c
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Wed May 21 20:29:22 2025 +1200
Debianize UPGRADING-5.0
Forwarded: not-needed
Patch-Name: debianize_UPGRADING-5.0.diff
commit 14cb9af2385502d16b33d93983e00b9721ec87db
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Wed May 21 20:38:16 2025 +1200
Debianize UPGRADING-4.4
Forwarded: not-needed
Patch-Name: debianize_UPGRADING-4.4.diff
commit a9c267da650b7e94de829eef4c2fe33f9e3aaa46
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Tue Jul 16 21:41:44 2024 +1200
Don't include remote images in README
This fixes a lintian privacy-breach-logo issue.
Patch-Name: fix_lintian_privacy_README.diff
Forwarded: not-needed
commit c6b422986a2e361abedc0a074f404008bf17358e
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Wed May 15 22:21:35 2024 +1200
Fix spelling in documentation
Patch-Name: fix_spelling.diff
commit c02bd08259e6da3ba46d9be02e9d278504808ae2
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Wed Aug 16 23:47:30 2023 +1200
Don't run dirmngr during tests runs
This process is left running after the tests finish and prevents this
package from passing the reproducible builds.
Patch-Name: disable_dirmngr_in_tests.diff
Forwarded: not-needed
commit e6db38534695b24bb543dd453ffacd6472b33ad5
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Mon May 8 22:44:11 2023 +1200
Downgrade dependency on GD::Graph to >= 1.54
In Debian, we already have the fix for the XBM failing tests, which
is the only significant change in 1.56.
I'm keeping this patch to simplify backports to Bookworm.
Forwarded: not-needed
Patch-Name: downgrade_GD::Graph.diff
commit 0d0cce0899bc703464664fc2c55b72a4491e9fb8
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Sun Jun 26 10:54:21 2022 +1200
Skip t/mail/smime/realmail.t for now.
Broken by OpenSSL 3.0 as the test emails use DES which is now disabled.
Forwarded: https://rt.bestpractical.com/Ticket/Display.html?id=37422
Patch-Name: disable-test-smime-realmail.diff
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013730
commit 1f97b5066625fe814004d13183b2b0c5cdb961d6
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Sat Feb 13 21:40:00 2021 +1300
Debian provides the Mozilla CAs in the ca-certificates package.
Forwarded: not-needed
Patch-Name: skip_Mozilla::CA_check.diff
commit 090289b6f9376253c1acf32672c61fa5dc442441
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu Jul 9 23:03:35 2020 +1200
On Debian there is no need to install the GD modules if GD is desired.
Forwarded: not-needed
Patch-Name: debianize_charts.diff
commit cb6d5e6cf5445708c600f1eb787438dff09aa920
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu Jul 9 22:53:09 2020 +1200
Use Debian location of commands and data
Forwarded: not-needed
Patch-Name: debianize_commands.diff
commit 6eaffa8b79f2e2f8bf6ce8da7db3e029074ccdee
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu Jul 9 22:33:55 2020 +1200
Point to Debian location of mason_data.
Forwarded: not-needed
Patch-Name: debianize_extensions.diff
commit 14d9b43c00201e9a3d2112c4e49c0f20c219b81b
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Mon Jul 6 21:30:54 2020 +1200
Force use of IPv4 for LDAP test.
Net::LDAP::Server::Test binds to IPv6 by default, but Net::LDAP uses
'localhost' which resolves to an IPv4 address. Even when I switched
the call to Net::LDAP->new() to use ip6-localhost it failed elsewhere
due to RT using 127.0.0.1.
Patch-Name: fix_test_ldap_ipv4.diff
Forwarded: https://github.com/bestpractical/rt/pull/367
commit c49b87dbd7dcd726825838af2e3d51f5b9e85737
Author: Dominic Hargreaves <dom@earth.li>
Date: Sun Mar 29 19:37:52 2020 +0100
Fix shebang for Debian policy
Patch-Name: fix_shebang_upgrade_mysql_schema.diff
Forwarded: not-needed
commit 476a7e903445c0952c8dfe5adc2a38b63cf1b9f2
Author: Dominic Hargreaves <dom@earth.li>
Date: Sun Sep 9 21:35:08 2018 +0100
Force the use of Cpanel::JSON::XS
JSON::XS breaks RT due to the removed from_json/to_json methods and JSON.pm
prefers JSON::XS to our preferred implementation Cpanel::JSON::XS by
default.
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848041
Patch-Name: use_cpanel_json_xs.diff
Forwarded: not-needed
commit 14c3adcf6c9098422d57b31186f34788542305a8
Author: gregor herrmann <gregoa@debian.org>
Date: Tue Oct 11 20:40:39 2016 +0200
set LC_ALL to C
LANG overrides only not set LC_variables, so if LC_CTYPE is set in the
environment, it persists and tons of tests fail.
Origin: vendor
Author: gregor herrmann <gregoa@debian.org>
Last-Update: 2016-10-11
Patch-Name: test_locale.diff
Forwarded: not-needed
commit 1a8c53a5e0c3c4d25de38db4fd406b24d9e8ec87
Author: Dominic Hargreaves <dom@earth.li>
Date: Fri Jan 1 18:23:08 2016 +0000
Use Noto Sans instead of Droid Sans
Droid Sans is deprecated in Debian, and we are using the fonts from
Debian rather than bundled with RT.
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804687
Patch-Name: fonts_use_noto_sans.diff
Forwarded: not-needed
commit 6e4ee9f417b644a23e98226c5ce7916a737c5867
Author: Dominic Hargreaves <dom@earth.li>
Date: Thu Dec 31 12:17:56 2015 +0000
Extract the correct (Debian) version number in configure.ac
Also make clear in the web interface that this version number is from
Debian.
Patch-Name: debianize_version.diff
Forwarded: not-needed
commit 6afd551762b57ed827f2fca533a4edd6c7a89e95
Author: Dominic Hargreaves <dom@earth.li>
Date: Thu May 7 21:37:37 2015 +0000
Allow overriding DatabaseType from the environment in RT::Test
Patch-Name: rt_test_db_type.diff
commit 2009bed3e2675ad3b1d66ea911dca73dc93a70f5
Author: Dominic Hargreaves <dom@earth.li>
Date: Wed May 6 22:29:35 2015 +0000
Load RT::Generated directly from @INC
This allows for the possibility of overriding RT::Generated in test
scenarios.
Patch-Name: load_rt_generated.diff
commit 67056523fe2759cba0d656b5862c26805e60f103
Author: Niko Tyni <ntyni@debian.org>
Date: Sat Dec 27 23:19:03 2014 +0200
Fix upgrade problems caused by an RTx::AssetTracker installation bug
The setup of the wheezy rt4-extension-assettracker package
(RTx::AssetTracker 2.0.0b2) accidentally inserted two pairs of system role
accounts, causing upgrade failures on SQLite backends due to uniqueness
constraint violations.
Bug-Debian: https://bugs.debian.org/773343
Patch-Name: assettracker-sysgroups.diff
Forwarded: not-needed
commit 18420fe41c3e95c34c407ff01a3ceffc1da24b92
Author: Dominic Hargreaves <dom@earth.li>
Date: Sun Feb 23 22:48:50 2014 +0000
Debianize UPGRADING-4.2
Forwarded: not-needed
Patch-Name: debianize_UPGRADING-4.2.diff
commit 7ad1aff0137e8804fa8c06b71f12bb3f1a99ab30
Author: Dominic Hargreaves <dom@earth.li>
Date: Sun Feb 16 16:11:43 2014 +0000
Don't include remote image references or redirects in broken install page
This fixes the lintian error privacy-breach-logo
Forwarded: not-needed
Patch-Name: fix_lintian_privacy_break_logo_error.diff
commit 225dd32dea2de69fd5e6cee033e60c620cff6884
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Wed May 15 22:16:42 2024 +1200
Reference correct local directory for Debian
Forwarded: not-needed
Patch-Name: debianize_docs_local.diff
commit e18e1ee28fdeff34a2b832a4a7f7858e7dc0437e
Author: Dominic Hargreaves <dom@earth.li>
Date: Wed Mar 27 23:36:30 2013 +0000
Customise backup docs for Debian
Forwarded: not-needed
Patch-Name: debianize_backup_docs.diff
commit e0280932027a4fa2f4edb36c9d64e980982fce8f
Author: Dominic Hargreaves <dom@earth.li>
Date: Sun Mar 24 18:38:07 2013 +0000
Fix relative references to config path
Forwarded: not-needed
Bug: http://issues.bestpractical.com/Ticket/Display.html?id=13592
Bug-Debian: http://bugs.debian.org/518556
Patch-Name: rt_setup_database_upgrade_basedir.diff
commit f2183b3637997f5a0ee668fe30caf511e3c2a498
Author: Stephen Quinney <sjq@debian.org>
Date: Sun Mar 24 18:38:06 2013 +0000
Use RT_SiteModules.pm in lib/RT/Interface/Web/Handler.pm
Forwarded: not-needed
Patch-Name: sitemodules.diff
commit b2c105f0c83aa30aeb7905de70b5f69d70aad367
Author: Stephen Quinney <sjq@debian.org>
Date: Sun Mar 24 18:38:05 2013 +0000
Add Debian layout (FHS-compatible)
Forwarded: not-needed
Patch-Name: layout.diff
commit 6fbd48802481fb5e7c70c052dca6b32e3fd91a13
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu May 21 19:42:33 2026 +1200
record new upstream branch created by importing request-tracker5_5.0.10+dfsg.orig.tar.gz, request-tracker5_5.0.10+dfsg.orig-third-party-source.tar.gz
commit d64671f5d1ddf38acdd6a36c853977b22d0e7a88
Merge: b825e28 b75025e
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu May 21 19:42:32 2026 +1200
Import request-tracker5_5.0.10+dfsg.orig.tar.gz, request-tracker5_5.0.10+dfsg.orig-third-party-source.tar.gz
commit b75025e3a5806388afe070f1df6898971c9c1cbd
Author: Andrew Ruthven <andrew@etc.gen.nz>
Date: Thu May 21 19:42:02 2026 +1200
Import request-tracker5_5.0.10+dfsg.orig.tar.gz
