Debian Patches
Status for request-tracker5/5.0.7+dfsg-4+deb13u3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| layout.diff | Add Debian layout (FHS-compatible) | Stephen Quinney <sjq@debian.org> | not-needed | | | 2013-03-24 |
| sitemodules.diff | Use RT_SiteModules.pm in lib/RT/Interface/Web/Handler.pm | Stephen Quinney <sjq@debian.org> | not-needed | | | 2013-03-24 |
| rt_setup_database_upgrade_basedir.diff | Fix relative references to config path | Dominic Hargreaves <dom@earth.li> | not-needed | debian upstream | | 2013-03-24 |
| debianize_backup_docs.diff | Customise backup docs for Debian | Dominic Hargreaves <dom@earth.li> | not-needed | | | 2013-03-27 |
| debianize_docs_local.diff | Reference correct local directory for Debian | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2024-05-15 |
| fix_lintian_privacy_break_logo_error.diff | Don't include remote image references or redirects in broken install page. This fixes the lintian error privacy-breach-logo. | Dominic Hargreaves <dom@earth.li> | not-needed | | | 2014-02-16 |
| debianize_UPGRADING-4.2.diff | Debianize UPGRADING-4.2 | Dominic Hargreaves <dom@earth.li> | not-needed | | | 2014-02-23 |
| assettracker-sysgroups.diff | Fix upgrade problems caused by an RTx::AssetTracker installation bug. The setup of the wheezy rt4-extension-assettracker package (RTx::AssetTracker 2.0.0b2) accidentally inserted two pairs of system role accounts, causing upgrade failures on SQLite backends due to uniqueness constraint violations. | Niko Tyni <ntyni@debian.org> | not-needed | debian | | 2014-12-27 |
| load_rt_generated.diff | Load RT::Generated directly from @INC. This allows for the possibility of overriding RT::Generated in test scenarios. | Dominic Hargreaves <dom@earth.li> | no | | | 2015-05-06 |
| rt_test_db_type.diff | Allow overriding DatabaseType from the environment in RT::Test | Dominic Hargreaves <dom@earth.li> | no | | | 2015-05-07 |
| debianize_version.diff | Extract the correct (Debian) version number in configure.ac. Also make clear in the web interface that this version number is from Debian. | Dominic Hargreaves <dom@earth.li> | not-needed | | | 2015-12-31 |
| fonts_use_noto_sans.diff | Use Noto Sans instead of Droid Sans. Droid Sans is deprecated in Debian, and we are using the fonts from Debian rather than bundled with RT. | Dominic Hargreaves <dom@earth.li> | not-needed | debian | | 2016-01-01 |
| test_locale.diff | set LC_ALL to C. LANG overrides only not set LC_variables, so if LC_CTYPE is set in the environment, it persists and tons of tests fail. | gregor herrmann <gregoa@debian.org> | not-needed | | vendor | 2016-10-11 |
| use_cpanel_json_xs.diff | Force the use of Cpanel::JSON::XS. JSON::XS breaks RT due to the removed from_json/to_json methods and JSON.pm prefers JSON::XS to our preferred implementation Cpanel::JSON::XS by default. | Dominic Hargreaves <dom@earth.li> | not-needed | debian | | 2018-09-09 |
| fix_shebang_upgrade_mysql_schema.diff | Fix shebang for Debian policy | Dominic Hargreaves <dom@earth.li> | not-needed | | | 2020-03-29 |
| fix_test_ldap_ipv4.diff | Force use of IPv4 for LDAP test. Net::LDAP::Server::Test binds to IPv6 by default, but Net::LDAP uses 'localhost' which resolves to an IPv4 address. Even when I switched the call to Net::LDAP->new() to use ip6-localhost it failed elsewhere due to RT using 127.0.0.1. | Andrew Ruthven <andrew@etc.gen.nz> | yes | | | 2020-07-06 |
| debianize_extensions.diff | Point to Debian location of mason_data. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2020-07-09 |
| debianize_commands.diff | Use Debian location of commands and data | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2020-07-09 |
| debianize_charts.diff | On Debian there is no need to install the GD modules if GD is desired. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2020-07-09 |
| skip_Mozilla::CA_check.diff | Debian provides the Mozilla CAs in the ca-certificates package. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2021-02-13 |
| disable-test-smime-realmail.diff | Skip t/mail/smime/realmail.t for now. Broken by OpenSSL 3.0 as the test emails use DES which is now disabled. | Andrew Ruthven <andrew@etc.gen.nz> | yes | debian | | 2022-06-26 |
| downgrade_GD::Graph.diff | Downgrade dependency on GD::Graph to >= 1.54. In Debian, we already have the fix for the XBM failing tests, which is the only significant change in 1.56. I'm keeping this patch to simplify backports to Bookworm. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2023-05-08 |
| disable_dirmngr_in_tests.diff | Don't run dirmngr during tests runs. This process is left running after the tests finish and prevents this package from passing the reproducible builds. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2023-08-16 |
| fix_spelling.diff | Fix spelling in documentation | Andrew Ruthven <andrew@etc.gen.nz> | no | | | 2024-05-15 |
| fix_lintian_privacy_README.diff | Don't include remote images in README. This fixes a lintian privacy-breach-logo issue. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2024-07-16 |
| upstream_5.0.7_cve:_patchset_2025-10-07.diff | Fix for CVE-2025-61873 and CVE-2025-9158. Resolve vulnerabilities: - regarding CSV injection via ticket values with special characters that are exported to a TSV from search results (CVE-2025-61873). - XSS via calendar invitations added to a ticket (CVE-2025-9158). | Best Practical <support@bestpractical.com> | not-needed | | | 2025-10-08 |
| debianize_UPGRADING-4.4.diff | Debianize UPGRADING-4.4 | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2025-05-21 |
| fix_dbix_searchbuilder_for_perl_5.40.diff | Drop unnecessary and outdated version requirement of DBIx::SearchBuilder. The updated version has already been specified in etc/cpanfile. Besides, perl 5.40 doesn't like the weird version string "1.40" (numeric 1.40 is ok) and issues a warning: Attempt to call undefined import method with arguments ("1.40") via package "DBIx::SearchBuilder" | sunnavy <sunnavy@bestpractical.com> | not-needed | debian | vendor | 2024-06-18 |
| use-io-socket-inet-in-tests.diff | Change free port detection to how PSGI binds to a port. The previous method using socket/connect would allow us to bind to a port that PSGI then couldn't bind to. If a port is connected on a specific IP, then using connect with 0.0.0.0 would still connect okay. Using IO::Socket::INET this will fail, which is reasonable for 0.0.0.0, and then PSGI wouldn't be able to start and the test would fail. This may resolve the intermittent test failures. | Andrew Ruthven <andrew@etc.gen.nz> | yes | debian upstream | | 2024-09-26 |
| upstream_5.0.7_cve:_patchset_2025-04-08.diff | Fix four security issues in RT. * RT is vulnerable to Cross Site Scripting via injection of malicious parameters in a search URL. This vulnerability is assigned CVE-2025-30087. * RT uses the default OpenSSL cipher, 3DES (des3), for encrypting SMIME email. This is an outdated cipher algorithm, so the default is changed to aes-128-cbc. In addition, we have made this option configurable so you can pick an alternate cipher now or in the future, or revert to des3 if needed for compatibility. This vulnerability is assigned CVE-2025-2545. * RT is vulnerable to Cross Site Scripting via JavaScript injection in an Asset name. This vulnerability is assigned CVE-2025-31501. * RT is vulnerable to Cross Site Scripting via JavaScript injection in an RT permalink. This vulnerability is assigned CVE-2025-31500. | Best Practical <support@bestpractical.com> | not-needed | | | 2025-05-03 |
| upstream_5.0.7_cve:_patchset_2025-04-11.diff | Improve fix to CVE-2025-30087. After releasing the fix for CVE-2025-30087, Best Practical became aware that the new linking restrictions were too strict in some cases, causing legitimate links to stop working. This is most pronounced for users running RTIR, where many links stop working. This patch should resolve that. | Best Practical <support@bestpractical.com> | not-needed | | | 2025-05-03 |
| upstream_5.0.8_test_web:_patchset_2025-04-08.diff | Fix test for 2025-04-08 CVE patchset | Best Practical <support@bestpractical.com> | not-needed | | | 2025-05-04 |
| debianize_UPGRADING-5.0.diff | Debianize UPGRADING-5.0 | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2025-05-21 |
| upstream_5.0.7_cve:_patchset_2026-05-05.diff | Fix seven security issues in RT. Resolve vulnerabilities: - [CVE-2026-6841] Reflected cross-site scripting via the search "Page" URL parameter. - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values that are exported to a spreadsheet from search results. User-controlled data is not sanitized before being written to the output file, which can cause spreadsheet applications such as Microsoft Excel to interpret crafted values as formulas or macros when the file is opened. - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in JSON search. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. - [CVE-2026-41076] LDAP authentication bypass when RT is configured to authenticate users against an LDAP or Active Directory server. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. - [CVE-2026-44229] Cross-site scripting via uploaded content that is served inline rather than as an attachment. - [CVE-2026-44230] Fix a reflected cross-site scripting on search-results chart pages. - [CVE-2026-44231] Privilege escalation and information disclosure via the REST 2.0 user collection endpoint. A Privileged RT user can obtain authentication credentials belonging to other users, including administrators, and use those credentials to read data via RT's RSS and iCal feed endpoints. The same request that exposes the credentials also rotates them, which invalidates previously-distributed feed URLs across the instance. | Best Practical <support@bestpractical.com> | not-needed | | | 2026-05-22 |
| upstream_5.0.7_cve:_patchset_2026-05-05-RT_Config.diff | Config settings for EnableRSS and EnableICal. Add the new configuration options to RT_Config.pm.in as we regenerate the RT_Config.pm file. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2026-05-27 |
| upstream_5.0.7_cve:_patchset_2025-04-08-RT_Config.diff | Config settings for RestrictLinkDomains, and Cipher in SMIME. Add the new configuration options to RT_Config.pm.in as we regenerate the RT_Config.pm file. | Andrew Ruthven <andrew@etc.gen.nz> | not-needed | | | 2026-05-27 |

All known versions for source package 'request-tracker5'
- 5.0.10+dfsg-3 (forky, sid)
- 5.0.7+dfsg-4+deb13u3 (trixie-proposed-updates, trixie-security)
- 5.0.7+dfsg-4+deb13u2 (trixie)
- 5.0.3+dfsg-3~deb12u6 (bookworm-proposed-updates, bookworm-security)
- 5.0.3+dfsg-3~deb12u5 (bookworm)
