Debian Patches
Status for request-tracker4/4.4.6+dfsg-1.1+deb12u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| layout.diff | Add Debian layout (FHS-compatible) | Stephen Quinney <sjq@debian.org> | not-needed | 2013-03-24 | ||
| sitemodules.diff | Use RT_SiteModules.pm in lib/RT/Interface/Web/Handler.pm | Stephen Quinney <sjq@debian.org> | not-needed | 2013-03-24 | ||
| rt_setup_database_upgrade_basedir.diff | Fix relative references to config path | Dominic Hargreaves <dom@earth.li> | not-needed | debian upstream | 2013-03-24 | |
| no_testdeps.diff | Don't run the testdeps portion of configuration | <gerardo@anneke.gerardo.com.ve> | not-needed | 2013-03-24 | ||
| debianize_backup_docs.diff | Customise backup docs for Debian | Dominic Hargreaves <dom@earth.li> | not-needed | 2013-03-27 | ||
| debianize_docs_local.diff | Reference correct local directory for Debian | Dominic Hargreaves <dom@earth.li> | not-needed | 2013-03-27 | ||
| no_test_web_installer.diff | Don't test the web installer The following undiagnosed test failure in the Debian minimal build environment occurs: # Failed test 'no warnings' # at lib/RT/Test.pm line 1611. # There were 2 warning(s) # Previous test 22 'set admin email' # There is no form with the requested fields at t/web/installer.t line 80 # at /usr/share/perl5/WWW/Mechanize.pm line 2745 # WWW::Mechanize::_warn('There is no form with the requested fields') called at /usr/share/perl5/WWW/Mechanize.pm line 2723 # WWW::Mechanize::warn('RT::Test::Web=HASH(0x586d0f0)', 'There is no form with the requested fields') called at /usr/share/perl5/WWW/Mechanize.pm line 1371 However the web installer is not used in the Debian package, so don't run the test. |
Dominic Hargreaves <dom@earth.li> | no | 2013-06-02 | ||
| fix_lintian_privacy_break_logo_error.diff | Don't include remote image references or redirects in broken install page This fixes the lintian error privacy-breach-logo |
Dominic Hargreaves <dom@earth.li> | no | 2014-02-16 | ||
| debianize_UPGRADING-4.2.diff | Debianize UPGRADING-4.2 | Dominic Hargreaves <dom@earth.li> | not-needed | 2014-02-23 | ||
| assettracker-sysgroups.diff | Fix upgrade problems caused by an RTx::AssetTracker installation bug The setup of the wheezy rt4-extension-assettracker package (RTx::AssetTracker 2.0.0b2) accidentally inserted two pairs of system role accounts, causing upgrade failures on SQLite backends due to uniqueness constraint violations. |
Niko Tyni <ntyni@debian.org> | no | debian | 2014-12-27 | |
| load_rt_generated.diff | Load RT::Generated directly from @INC This allows for the possibility of overriding RT::Generated in test scenarios. |
Dominic Hargreaves <dom@earth.li> | no | 2015-05-06 | ||
| rt_test_db_type.diff | Allow overriding DatabaseType from the environment in RT::Test | Dominic Hargreaves <dom@earth.li> | no | 2015-05-07 | ||
| debianize_version.diff | Extract the correct (Debian) version number in configure.ac Also make clear in the web interface that this version number is from Debian. |
Dominic Hargreaves <dom@earth.li> | no | 2015-12-31 | ||
| fonts_use_noto_sans.diff | Use Noto Sans instead of Droid Sans Droid Sans is deprecated in Debian, and we are using the fonts from Debian rather than bundled with RT. |
Dominic Hargreaves <dom@earth.li> | no | debian | 2016-01-01 | |
| test_locale.diff | set LC_ALL to C LANG overrides only not set LC_variables, so if LC_CTYPE is set in the environment, it persists and tons of tests fail. |
gregor herrmann <gregoa@debian.org> | no | vendor | 2016-10-11 | |
| use_cpanel_json_xs.diff | Force the use of Cpanel::JSON::XS JSON::XS breaks RT due to the removed from_json/to_json methods and JSON.pm prefers JSON::XS to our preferred implementation Cpanel::JSON::XS by default. |
Dominic Hargreaves <dom@earth.li> | no | debian | 2018-09-09 | |
| fix_pod_rt_munge_attachments.diff | Fix POD for rt-munge-attachments | Dominic Hargreaves <dom@earth.li> | no | 2020-03-29 | ||
| fix_shebang_upgrade_mysql_schema.diff | Fix shebang for Debian policy | Dominic Hargreaves <dom@earth.li> | no | 2020-03-29 | ||
| fix_test_ldap_ipv4.diff | Force use of IPv4 for LDAP test. Net::LDAP::Server::Test binds to IPv6 by default, but Net::LDAP uses 'localhost' which resolves to an IPv4 address. Even when I switched the call to Net::LDAP->new() to use ip6-localhost it failed elsewhere due to RT using 127.0.0.1. |
Andrew Ruthven <andrew@etc.gen.nz> | no | 2020-07-06 | ||
| fcgi_client_sigpipe.diff | A client terminating a connection shouldn't kill a FCGI process When a client disconnects before processing is complete than a SIGPIPE is sent to the FCGI process. Previously this would cause the process to exit. Discussed on the forum here: * https://forum.bestpractical.com/t/rt-4-4-fastcgi-processes-frequently-dying/34812 * https://forum.bestpractical.com/t/why-does-rts-fcgi-server-not-handle-sigpipe/35902 |
Andrew Ruthven <andrew@etc.gen.nz> | no | 2021-12-01 | ||
| 0021-Debian-provides-the-Mozilla-CAs-in-the-ca-certificat.patch | Debian provides the Mozilla CAs in the ca-certificates package. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | 2021-02-13 | ||
| disable-test-smime-realmail.diff | Skip t/mail/smime/realmail.t for now. Broken by OpenSSL 3.0 as the test emails use DES which is now disabled. |
Andrew Ruthven <andrew@etc.gen.nz> | yes | debian | 2022-06-26 | |
| Switch-to-Test-MockTime-HiRes-in-date-api-test.diff | Switch to Test::MockTime::HiRes in date api test Version 1.14 of DateTime::Format::Natural added support for milliseconds, which involved changing DateTime calls to DateTime::HiRes. DateTime::HiRes uses Time::HiRes::time(), and Test::MockTime doesn't overload that time function. This resulted in test times being returned as "now" rather than the mocked time. Switch to Test::MockTime::HiRes, which does overload the HiRes time functions. This module also overloads the same time functions as Test::MockTime, so this change should be compatible with earlier versions of DateTime::Format::Natural. |
Jim Brandt <jbrandt@bestpractical.com> | yes | 2023-01-09 | ||
| Update-tests-for-EN-datetime-locale-change-to-space.diff | Update tests for EN datetime locale change to space DateTime::Locale version 1.58 published CLDR 42.0.0 which changed the space character in times before the AM and PM to be U+202F NARROW NO-BREAK SPACE (aka NNBSP) from the previous space (U+0020). This broke tests looking for a space character for localized datetimes with an AM/PM. Update to a like test to work for older versions of DateTime::Locale and for new ones from 1.58 forward. |
Jim Brandt <jbrandt@bestpractical.com> | not-needed | 2022-11-07 | ||
| fix_expired_certs.dif | Update expired certificates and related tests | sunnavy <sunnavy@bestpractical.com> | not-needed | 2023-08-29 | ||
| upstream_4.4.6_cve:_patchset_2023-09-26.diff | Fix two security issues in RT. * RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface. This vulnerability is assigned CVE-2023-41259. * RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface. This vulnerability is assigned CVE-2023-41260. |
Best Practical <support@bestpractical.com> | not-needed | 2023-10-08 | ||
| upstream_4.4.6_cve:_patchset_2023-09-26-tests.diff | Patches to tests for Security patches for CVE-2023-41259 and CVE-2023-41260 | sunnavy <sunnavy@bestpractical.com> | not-needed | 2023-10-12 | ||
| upstream_4.4.6_cve:_patchset_2025-04-08.diff | Fix two security issues in RT. * RT is vulnerable to Cross Site Scripting via injection of malicious parameters in a search URL. This vulnerability is assigned CVE-2025-30087. * RT uses the default OpenSSL cipher, 3DES (des3), for encrypting SMIME email. This is an outdated cipher algorithm, so the default is changed to aes-128-cbc. In addition, we have made this option configurable so you can pick an alternate cipher now or in the future, or revert to des3 if needed for compatibility. This vulnerability is assigned CVE-2025-2545. |
Best Practical <support@bestpractical.com> | not-needed | 2025-04-12 | ||
| upstream_4.4.6_cve:_patchset_2025-04-11.diff | Improve fix to CVE-2025-30087 After releasing the fix for CVE-2025-30087, Best Practical became aware that the new linking restrictions were too strict in some cases, causing legitimate links to stop working. This is most pronounced for users running RTIR, where many links stop working. This patch should resolve that. |
Best Practical <support@bestpractical.com> | not-needed | 2025-04-12 | ||
| fix_CVE-2024-3262.diff | Add $WebStrictBrowserCache option to disable browser cache Cherry-picked from 5.0-trunk RT systems that store sensitive data may want to disable all browser cache and back button behavior. This option enables that and moves these headers to a separate Mason template for easy override. |
Andrew Ruthven <andrew@etc.gen.nz> | not-needed | debian | vendor | 2024-08-11 |
| fix_CVE-2024-3262_2.diff | Convert other Mason templates to new headers template Cherry-picked from 5.0-trunk as a continuation of the fix for CVE-2024-3262. 27bd738eaf created a single method in Web.pm, CacheControlExpiresHeaders to generate HTTP response headers, specifically those related to caching instructions for browsers. That was applied to Helpers, but wasn't used for regular RT pages. Later, 915eb4b7d0 sought to fix a regression that resulted in cache headers not being sent for static files returned via Plack::Middleware::Static. That fix went to great lengths to try to re-use functionality from CacheControlExpiresHeaders, including moving all of the code to GetStaticHeaders. This probably wasn't really needed since it's reasonable to allow the special case static handler to send it's own one or two headers. It also made the code confusing since dynamic pages in Mason called CacheControlExpiresHeaders, which then called GetStaticHeaders to get headers for responses that were not static. This update gets all of the Mason web pages using the same code for these headers. It leaves the current methods in place to continue handling static files. That can likely be simplified and cleaned up in a future commit. |
Andrew Ruthven <andrew@etc.gen.nz> | not-needed | debian | vendor | 2024-08-11 |
All known versions for source package 'request-tracker4'
- 4.4.7+dfsg-4 (sid)
- 4.4.6+dfsg-1.1+deb12u2 (bookworm, bookworm-security)