[Bug 766386] [NEW] FFe: Sync request-tracker3.8 3.8.10-1 (universe) from Debian unstable (main)

Launchpad Bug Tracker 766386 at bugs.launchpad.net
Tue Apr 19 19:58:53 UTC 2011


You have been subscribed to a public bug by Iulian Udrea (iulian):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 affects ubuntu/request-tracker3.8
 status new
 importance wishlist
 subscribe ubuntu-release
 done

Please sync request-tracker3.8 3.8.10-1 (universe) from Debian unstable
(main)

Explanation of FeatureFreeze exception:

There's one intermediate release from what we have in Natty and the most
recent release, so an FFe is appropriate, but given that it's in Universe and
the most recent update fixes a hefty six CVEs, I think we ought to have it in.

It's also made it to Debian Testing, so it's at least not obviously RC buggy
and I tested it builds in Natty.  I think the security updates outweigh any
regression risk potential.

Changelog entries since current natty version 3.8.8-7:

request-tracker3.8 (3.8.10-1) unstable; urgency=high

  * New upstream release; includes multiple security fixes
    (Closes: #622774):
    - Remote code execution in external custom fields (CVE-2011-1685)
    - Information disclosure via SQL injection (CVE-2011-1686)
    - Information disclosure via search interface (CVE-2011-1687)
    - Information disclosure via directory traversal (CVE-2011-1688)
    - User javascript execution via XSS vulnerability (CVE-2011-1689)
    - Authentication credentials theft (CVE-2011-1690)
  * Update Standards-Version (no changes)

 -- Dominic Hargreaves <dom at earth.li>  Thu, 14 Apr 2011 18:37:55 +0100

request-tracker3.8 (3.8.9-1) unstable; urgency=low

  * New upstream release; includes:
    - fastcgi_server now honours "-s" flag (Closes: #597496)
  * Remove patches 10_rt_confdir, 40_versioned_use_webmux, 
    60_rtaddressregexp_not_error, 74_salted_passwords included upstream
  * Remove long-obsoleted patch 09_commandline (Closes: #592794)
  * Remove Debian-specific installation of vulnerable-passwords
    script now included upstream, and update postinst accordingly
  * Update Standards-Version (no changes)
  * Include some additional utility manpages from RT 4 to fix missing
    manpage Lintian warnings
  * Include BSD license text in debian/copyright (thanks, Lintian)
  * Remove some .in files mistakenly installed in
    /usr/share/request-tracker3.8/etc/upgrade

 -- Dominic Hargreaves <dom at earth.li>  Fri, 18 Feb 2011 22:51:42 +0000

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAk2t1k0ACgkQHajaM93NaGo/AQCdFjrFe8NGu9QaQ7ursNEGMTbF
yyMAnjP++8IRC+WjPsqlMjyFkACFcdIw
=5/bV
-----END PGP SIGNATURE-----

** Affects: request-tracker3.8 (Ubuntu)
     Importance: Wishlist
         Status: Confirmed

-- 
FFe: Sync request-tracker3.8 3.8.10-1 (universe) from Debian unstable (main)
https://bugs.launchpad.net/bugs/766386
You received this bug notification because you are a member of Ubuntu Package Archive Administrators, which is a direct subscriber.


