request-tracker5 (5.0.3+dfsg-3~deb12u6) bookworm-security; urgency=medium

  * Include missing default configuration items for security vulnerability
    fixes included in 5.0.3+dfsg-3~deb12u3. Namely: RestrictLinkDomains and
    Cipher in %SMIME.
  * Apply upstream patch which fixes several security vulnerabilities:
    - [CVE-2026-6841] Reflected cross-site scripting via the search "Page" URL
      parameter.
    - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
      that are exported to a spreadsheet from search results.  User-controlled
      data is not sanitized before being written to the output file, which can
      cause spreadsheet applications such as Microsoft Excel to interpret
      crafted values as formulas or macros when the file is opened.
    - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in JSON
      search. An authenticated user can craft input that is incorporated into
      database queries without proper validation, potentially allowing them to
      read or modify data in the RT database.
    - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
      authenticate users against an LDAP or Active Directory server. Under
      certain LDAP server configurations, an attacker may be able to
      authenticate as any LDAP-backed RT user without supplying valid
      credentials.
    - [CVE-2026-44229] Cross-site scripting via uploaded content that is served
      inline rather than as an attachment.
    - [CVE-2026-44231] Privilege escalation and information disclosure via the
      REST 2.0 user collection endpoint. A Privileged RT user can obtain
      authentication credentials belonging to other users, including
      administrators, and use those credentials to read data via RT's RSS and
      iCal feed endpoints. The same request that exposes the credentials also
      rotates them, which invalidates previously distributed feed URLs across
      the instance.

 -- Andrew Ruthven <andrew@etc.gen.nz>  Mon, 01 Jun 2026 13:10:19 +1200

request-tracker5 (5.0.3+dfsg-3~deb12u5) bookworm; urgency=medium

  * Set a version for ckeditor when we build it to allow Firefox v148 to
    correctly detect that it needs a workaround, see:
    https://bugzilla.mozilla.org/show_bug.cgi?id=2002481
    (Closes: #1129090)

 -- Andrew Ruthven <andrew@etc.gen.nz>  Sun, 08 Mar 2026 12:18:18 +1300

request-tracker5 (5.0.3+dfsg-3~deb12u4) bookworm-security; urgency=medium

  * Apply upstream patch which fixes a security vulnerability.
    - [CVE-2025-61873] Fix CSV injection via ticket values with special
      characters that are exported to a TSV from search results.

 -- Andrew Ruthven <andrew@etc.gen.nz>  Wed, 08 Oct 2025 20:40:55 +1300

request-tracker5 (5.0.3+dfsg-3~deb12u3) bookworm-security; urgency=medium

  * Correct CVE-2023-41260 number in previous entry (Closes: #1055128).
  * Add patches from 5.0.6 to resolve CVE-2024-3262. Information exposure
    vulnerability due to browser cache usage. If you have sensitive
    information, enable the $WebStrictBrowserCache option (Closes: #1068453).
  * Apply upstream patches which fix several security vulnerabilities.
    (Closes: #1104422).
    - [CVE-2025-30087] Vulnerable to Cross Site Scripting via injection of
      malicious parameters in a search URL.
    - [CVE-2025-2545] RT uses the default OpenSSL cipher, 3DES (des3), for
      encrypting SMIME email. This is an outdated cipher algorithm, so the
      default is changed to aes-128-cbc. In addition, this is now configurable
      so you can pick an alternate cipher now or in the future, or revert to
      des3 if needed for compatibility.
    - [CVE-2025-31501] Vulnerable to Cross Site Scripting via JavaScript
      injection in an Asset name.
    - [CVE-2025-31500] Vulnerable to Cross Site Scripting via JavaScript
      injection in an RT permalink.

 -- Andrew Ruthven <andrew@etc.gen.nz>  Thu, 17 Apr 2025 15:57:24 +1200

request-tracker5 (5.0.3+dfsg-3~deb12u2) bookworm-security; urgency=medium

  * Apply upstream patch which fixes several security vulnerabilities
    (Closes: #1054517).
    - [CVE-2023-41259] Vulnerability to unvalidated email headers in
      incoming email and the mail-gateway REST interface.
    - [CVE-2023-41260] Information leakage via response messages returned
      from requests sent via the mail-gateway REST interface.
    - [CVE-2023-45024] Information leakage via transaction searches made by
      authenticated users in the transaction query builder.
    - Reveal information about data on various RT objects in errors and other
      response messages to REST 2 requests.
  * Add upstream fix to tests for FTBFS due to expired certs.

 -- Andrew Ruthven <andrew@etc.gen.nz>  Wed, 25 Oct 2023 22:26:55 +1300

request-tracker5 (5.0.3+dfsg-3~deb12u1) bookworm; urgency=medium

  * Rebuild for bookworm.

 -- Andrew Ruthven <andrew@etc.gen.nz>  Mon, 26 Jun 2023 13:36:32 +1200

request-tracker5 (5.0.3+dfsg-3) unstable; urgency=medium

  * Strip Debian version suffix from generated hyperlinks to upstream docs
    (Closes: #1033304).
  * Fix the changelog date entry for the 5.0.3+dfsg-2 release.

 -- Andrew Ruthven <andrew@etc.gen.nz>  Sun, 11 Jun 2023 14:19:13 +1200

request-tracker5 (5.0.3+dfsg-2) unstable; urgency=medium

  * Add more fields to d/upstream/metadata
  * Update the ckeditor licenses in d/copyright.
  * Use java instead of jexec to build ckeditor (Closes: #1026669).
  * Update Standards-Version to 4.6.2 (no changes)
  * Set rt5-doc-html to be Multi-Arch: foreign as suggested by the Multiarch
    hinter.
  * Add Update-tests-for-EN-datetime-locale-change-to-space.diff from upstream
    which handles libdatetime-perl >= 2:1.59-1.
  * Add libdatetime-format-natural-perl-v0.14.diff which handles
    libdatetime-format-natural-perl >= 0.14.
  * Remove dependency on lsb-base as it is an obsolete package.
  * Refresh d/copyright

 -- Andrew Ruthven <andrew@etc.gen.nz>  Sat, 04 Feb 2023 12:30:17 +1300

request-tracker5 (5.0.3+dfsg-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl <biebl@debian.org>  Sat, 15 Oct 2022 12:42:57 +0200

request-tracker5 (5.0.3+dfsg-1) unstable; urgency=medium

  * New upstream release (Closes: #988905).
  * Drop patches merged upstream:
    - use_webpath_for_relateddata_links.diff
    - rt-crypt-gnupg-combine-call.diff
  * Ensure package descriptions consistently refer to version 5
    (Closes: #984676).
  * Ensure a sane database admin user is specified for both PostgreSQL
    and MySQL.
  * Only create symlinks for the DB upgrade scripts we ship (Closes: #985704).
  * Fixes a security vulnerability that involves a login timing side-channel
    attack. This resolves CVE-2021-38562 (Closes: #995167)
  * Update fix_test_ldap_ipv4.diff for new test
    t/externalauth/ldap_email_login.t
  * Add missing dependencies on dbconfig-{mysql,postgresql,sqlite3}.
  * Refresh debian/copyright
  * Fix multiple security issues:
    - [CVE-2022-25803] RT 5.0 is vulnerable to unvalidated, or open,
      redirects in ticket searches.
    - [CVE-2022-25802] A cross-site scripting (XSS) issue when displaying
      attachment content with fraudulent content types. This vulnerability
      is assigned
    - Not performing full rights checks on access to file or image type
      custom fields, possibly allowing access to these custom fields by
      users without rights to access to the associated objects (like the
      ticket it is associated with).
  * RT is incompatible with Test::WWW::Mechanize 1.58, exclude that version.
  * Update upstream signing key.
  * Update Standards-Version to 4.6.1 (no changes)

 -- Andrew Ruthven <andrew@etc.gen.nz>  Thu, 21 Jul 2022 17:06:28 +1200

request-tracker5 (5.0.1+dfsg-1) unstable; urgency=medium

  [ Dominic Hargreaves ]
  * Depend on perl-doc so that script usage is printed correctly
    (Closes: #666123)
  * Downgrade Depends on rsyslog | system-log-daemon to Recommends
    to support installations which prefer to use only systemd for
    logging (see #981942)
  * Remove obsolete alternative depends on dual-lived modules

  [ Andrew Ruthven ]
  * New upstream release.
  * Update debian/copyright.
  * Skip check for Mozilla::CA module to allow make testdeps to succeed.
  * Add third-party-source tarball to d/watch.
  * Add GPG signature verification of upstream tarballs.
  * Fix path to /bin/true in request-tracker5.service (Closes: #983752).
  * Resolve reportbug script issue where it'll exit with error code 255 if
    no files are present under /usr/local/share/request-tracker5.

  [ Dominic Hargreaves ]
  * Don't ignore the exit status of make testdeps any more
  * Drop patches no_testdeps and no_test_web_installer
  * Add Build-Depends on starlet

 -- Andrew Ruthven <andrew@etc.gen.nz>  Wed, 03 Mar 2021 23:05:11 +1300

request-tracker5 (5.0.0+dfsg-1) unstable; urgency=medium

  [ Andrew Ruthven ]
  * Branch request-tracker5 packaging from request-tracker4
  * New upstream release (Closes: #981077)
  * Drop patches which are no longer required as GnuPG::Interface supports
    gpg2:
    - runtime_gpg1.diff
    - test_gnupg-interface_gpg1.diff
    - test_gpg1.diff
  * Drop patch fix_privacy_breach_generic.diff as images are now local
    not loaded from Best Practical's website.
  * Add fix_test_ldap_ipv4.diff to fix LDAP test.
  * Add use-webpath-for-relateddata-links.diff so that RelatedData links
    for the default Debian path of "rt" work.
  * Add rt-crypt-gnupg-combine-call.diff to ensure that GnuPG::Interface
    instantiates with the gpg binary to use
  * Add myself to copyright file and as an uploader.

  [ Dominic Hargreaves ]
  * Import new dfsg version of third-party sources
  * Add scripts to add additional sources to third-party directory
  * Further updates to Lintian overrides for sources supplied in
    third-party
  * Remove conflicting Recommends on libhtml-formatexternal-perl which we
    also depend on
  * Refresh debian/copyright
  * Update README.Debian to reflect the current status of migration
    support.

 -- Dominic Hargreaves <dom@earth.li>  Tue, 26 Jan 2021 01:21:36 +0000
