Debian Patches
Status for request-tracker5/5.0.3+dfsg-3~deb12u3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| layout.diff | Add Debian layout (FHS-compatible) | Stephen Quinney <sjq@debian.org> | not-needed | 2013-03-24 | ||
| sitemodules.diff | Use RT_SiteModules.pm in lib/RT/Interface/Web/Handler.pm | Stephen Quinney <sjq@debian.org> | not-needed | 2013-03-24 | ||
| rt_setup_database_upgrade_basedir.diff | Fix relative references to config path | Dominic Hargreaves <dom@earth.li> | not-needed | debian upstream | 2013-03-24 | |
| debianize_backup_docs.diff | Customise backup docs for Debian | Dominic Hargreaves <dom@earth.li> | not-needed | 2013-03-27 | ||
| debianize_docs_local.diff | Reference correct local directory for Debian | Dominic Hargreaves <dom@earth.li> | not-needed | 2013-03-27 | ||
| fix_lintian_privacy_break_logo_error.diff | Don't include remote image references or redirects in broken install page This fixes the lintian error privacy-breach-logo |
Dominic Hargreaves <dom@earth.li> | no | 2014-02-16 | ||
| debianize_UPGRADING-4.2.diff | Debianize UPGRADING-4.2 | Dominic Hargreaves <dom@earth.li> | not-needed | 2014-02-23 | ||
| assettracker-sysgroups.diff | Fix upgrade problems caused by an RTx::AssetTracker installation bug The setup of the wheezy rt4-extension-assettracker package (RTx::AssetTracker 2.0.0b2) accidentally inserted two pairs of system role accounts, causing upgrade failures on SQLite backends due to uniqueness constraint violations. |
Niko Tyni <ntyni@debian.org> | no | debian | 2014-12-27 | |
| load_rt_generated.diff | Load RT::Generated directly from @INC This allows for the possibility of overriding RT::Generated in test scenarios. |
Dominic Hargreaves <dom@earth.li> | no | 2015-05-06 | ||
| rt_test_db_type.diff | Allow overriding DatabaseType from the environment in RT::Test | Dominic Hargreaves <dom@earth.li> | no | 2015-05-07 | ||
| debianize_version.diff | Extract the correct (Debian) version number in configure.ac Also make clear in the web interface that this version number is from Debian. |
Dominic Hargreaves <dom@earth.li> | no | 2015-12-31 | ||
| fonts_use_noto_sans.diff | Use Noto Sans instead of Droid Sans Droid Sans is deprecated in Debian, and we are using the fonts from Debian rather than bundled with RT. |
Dominic Hargreaves <dom@earth.li> | no | debian | 2016-01-01 | |
| test_locale.diff | set LC_ALL to C LANG overrides only not set LC_variables, so if LC_CTYPE is set in the environment, it persists and tons of tests fail. |
gregor herrmann <gregoa@debian.org> | no | vendor | 2016-10-11 | |
| use_cpanel_json_xs.diff | Force the use of Cpanel::JSON::XS JSON::XS breaks RT due to the removed from_json/to_json methods and JSON.pm prefers JSON::XS to our preferred implementation Cpanel::JSON::XS by default. |
Dominic Hargreaves <dom@earth.li> | no | debian | 2018-09-09 | |
| fix_pod_rt_munge_attachments.diff | Fix POD for rt-munge-attachments | Dominic Hargreaves <dom@earth.li> | no | 2020-03-29 | ||
| fix_shebang_upgrade_mysql_schema.diff | Fix shebang for Debian policy | Dominic Hargreaves <dom@earth.li> | no | 2020-03-29 | ||
| fix_test_ldap_ipv4.diff | Force use of IPv4 for LDAP test. Net::LDAP::Server::Test binds to IPv6 by default, but Net::LDAP uses 'localhost' which resolves to an IPv4 address. Even when I switched the call to Net::LDAP->new() to use ip6-localhost it failed elsewhere due to RT using 127.0.0.1. |
Andrew Ruthven <andrew@etc.gen.nz> | no | 2020-07-06 | ||
| debianize_extensions.diff | Point to Debian locaton of mason_data. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | 2020-07-09 | ||
| debianize_commands.diff | Use Debian location of commands and data | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | 2020-07-09 | ||
| debianize_charts.diff | On Debian there is no need to install the GD modules if GD is desired. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | 2020-07-09 | ||
| ignore_Mozilla::CA.diff | Debian provides the Mozilla CAs in the ca-certificates package. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | 2021-02-13 | ||
| fcgi_client_sigpipe.diff | A client terminating a connection shouldn't kill a FCGI process When a client disconnects before processing is complete than a SIGPIPE is sent to the FCGI process. Previously this would cause the process to exit. Discussed on the forum here: * https://forum.bestpractical.com/t/rt-4-4-fastcgi-processes-frequently-dying/34812 * https://forum.bestpractical.com/t/why-does-rts-fcgi-server-not-handle-sigpipe/35902 |
Andrew Ruthven <andrew@etc.gen.nz> | no | 2021-12-01 | ||
| disable-test-smime-realmail.diff | Skip t/mail/smime/realmail.t for now. Broken by OpenSSL 3.0 as the test emails use DES which is now disabled. |
Andrew Ruthven <andrew@etc.gen.nz> | yes | debian | 2022-06-26 | |
| remove_exclude_Test::WWW::Mechanize.diff | Remove exclude of Test::WWW::Mechanize 1.58 The Debian maintainers of libtest-www-mechanize-perl have built their version of 1.58 with the patch that fixes the issue with Text::LongString breaking the RT tests. Upstream report of issue (merged for the upcoming 1.59 release): https://github.com/petdance/test-www-mechanize/pull/79 |
Andrew Ruthven <andrew@etc.gen.nz> | not-needed | 2022-07-17 | ||
| Update-tests-for-EN-datetime-locale-change-to-space.diff | Update tests for EN datetime locale change to space This patch has been cherry-picked from upstream 5.0-trunk. It can be dropped once we import 5.0.4 (when it is released). DateTime::Locale version 1.58 published CLDR 42.0.0 which changed the space character in times before the AM and PM to be U+202F NARROW NO-BREAK SPACE (aka NNBSP) from the previous space (U+0020). This broke tests looking for a space character for localized datetimes with an AM/PM. Update to a like test to work for older versions of DateTime::Locale and for new ones from 1.58 forward. |
Jim Brandt <jbrandt@bestpractical.com> | not-needed | 2022-11-07 | ||
| libdatetime-format-natural-perl-v0.14.diff | Support DateTime::Format::Natural >= 0.13_01 Version 0.13_01 switched from using DateTime to DateTime::HiRes for setting the initial time. This means we in turn need to use Test::MockTime::HiRes. Error I was getting in Debian with libdatetime-format-natural-perl v0.14 and v0.15: t/api/date.t .. 4/? # Failed test 'April in the past' # at t/api/date.t line 650. # got: '2023-03-31 16:00:00' # expected: '2015-03-31 16:00:00' # Failed test 'Monday in the past' # at t/api/date.t line 655. # got: '2023-01-29 16:00:00' # expected: '2015-11-22 16:00:00' # Failed test 'April in the future' # at t/api/date.t line 661. # got: '2023-03-31 16:00:00' # expected: '2016-03-31 16:00:00' # Some tests failed or we bailed out, tmp directory '/home/puck/personal/RT/debian/rt/request-tracker5/t/tmp/api-date.t-qhyuAiqU' is not cleaned # Looks like you failed 3 tests of 231. |
Andrew Ruthven <andrew@etc.gen.nz> | yes | 2023-02-04 | ||
| upstream_5.0.3_cve:_patchset_2023-09-26.diff | Fix a number of security issues in RT. * RT is vulnerable to unvalidated email headers in incoming email and the mail-gateway REST interface. This vulnerability is assigned CVE-2023-41259. * RT is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface. This vulnerability is assigned CVE-2023-41260. * RT 5.0 is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder. This vulnerability is assigned CVE-2023-45024. * RT 5.0 can reveal information about data on various RT objects in errors and other response messages to REST 2 requests. |
Best Practical <support@bestpractical.com> | not-needed | 2023-10-08 | ||
| Update-expired-certificates.diff | Update expired certificates and related tests S/MIME certs in tests expired in August 2023. This is the upstream fix that'll be in release 5.0.5 of RT. |
sunnavy <sunnavy@bestpractical.com> | yes | upstream | https://github.com/bestpractical/rt/commit/bf956a7a67d3c81daa43ae3cdf14cf92a411e773 | 2023-09-04 |
| upstream_5.0.x_cve:_patchset_2023-09-26-tests.diff | Patches to tests for CVE-2023-41259, CVE-2023-41260, and CVE-45024 | sunnavy <sunnavy@bestpractical.com> | not-needed | 2023-10-12 | ||
| fix_browser_cache.diff | Add $WebStrictBrowserCache option to disable browser cache RT systems that store sensitive data may want to disable all browser cache and back button behavior. This option enables that and moves these headers to a separate Mason template for easy override. |
Jim Brandt <jbrandt@bestpractical.com> | not-needed | vendor | 2023-12-18 | |
| fix_browser_cache2.diff | Convert other Mason templates to new headers template 27bd738eaf created a single method in Web.pm, CacheControlExpiresHeaders to generate HTTP response headers, specifically those related to caching instructions for browsers. That was applied to Helpers, but wasn't used for regular RT pages. Later, 915eb4b7d0 sought to fix a regression that resulted in cache headers not being sent for static files returned via Plack::Middleware::Static. That fix went to great lengths to try to re-use functionality from CacheControlExpiresHeaders, including moving all of the code to GetStaticHeaders. This probably wasn't really needed since it's reasonable to allow the special case static handler to send it's own one or two headers. It also made the code confusing since dynamic pages in Mason called CacheControlExpiresHeaders, which then called GetStaticHeaders to get headers for responses that were not static. This update gets all of the Mason web pages using the same code for these headers. It leaves the current methods in place to continue handling static files. That can likely be simplified and cleaned up in a future commit. |
Jim Brandt <jbrandt@bestpractical.com> | not-needed | vendor | 2023-12-22 | |
| upstream_5.0.3_cve:_patchset_2025-04-08.diff | Fix four security issues in RT. * RT is vulnerable to Cross Site Scripting via injection of malicious parameters in a search URL. This vulnerability is assigned CVE-2025-30087. * RT uses the default OpenSSL cipher, 3DES (des3), for encrypting SMIME email. This is an outdated cipher algorithm, so the default is changed to aes-128-cbc. In addition, we have made this option configurable so you can pick an alternate cipher now or in the future, or revert to des3 if needed for compatibility. This vulnerability is assigned CVE-2025-2545. * RT is vulnerable to Cross Site Scripting via JavaScript injection in an Asset name. This vulnerability is assigned CVE-2025-31501. * RT is vulnerable to Cross Site Scripting via JavaScript injection in an RT permalink. This vulnerability is assigned CVE-2025-31500. |
Best Practical <support@bestpractical.com> | not-needed | 2025-04-16 | ||
| upstream_5.0.3_cve:_patchset_2025-04-11.diff | Improve fix to CVE-2025-30087 After releasing the fix for CVE-2025-30087, Best Practical became aware that the new linking restrictions were too strict in some cases, causing legitimate links to stop working. This is most pronounced for users running RTIR, where many links stop working. This patch should resolve that. |
Best Practical <support@bestpractical.com> | not-needed | 2025-04-16 |
All known versions for source package 'request-tracker5'
- 5.0.7+dfsg-4 (trixie, sid, forky)
- 5.0.3+dfsg-3~deb12u3 (bookworm, bookworm-security)