Hi,

Please find attached a proposed stable update for request-tracker3.6.

Let me know if it's okay to upload.

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Index: debian/patches/73_session_headers.dpatch =================================================================== --- debian/patches/73_session_headers.dpatch (revision 0) +++ debian/patches/73_session_headers.dpatch (revision 788) @@ -0,0 +1,18 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 73_session-headers.dpatch +## +## DP: Possibly fix regression in security update +## http://lists.bestpractical.com/pipermail/rt-users/2009-December/062777.html +diff --git a/html/Elements/SetupSessionCookie b/html/Elements/SetupSessionCookie +index 3225c0d..00f97ce 100755 +--- a/html/Elements/SetupSessionCookie ++++ b/html/Elements/SetupSessionCookie +@@ -122,7 +122,7 @@ if ( !$cookies{$cookiename} ) { + -path => $RT::WebPath, + -secure => ($RT::WebSecureCookies ? 1 :0) + ); +- $r->headers_out->{'Set-Cookie'} = $cookie->as_string; ++ $r->err_headers_out->{'Set-Cookie'} = $cookie->as_string; + + } + Index: debian/patches/00list =================================================================== --- debian/patches/00list (revision 751) +++ debian/patches/00list (working copy) @@ -15,3 +15,4 @@ 70_RT-ShowConfigTab-3.6 71_RT-3.6-escape_custom_field_value 72_RT-3.6.4-3.6.9-session_fixation.v2.dpatch +73_session_headers.dpatch Index: debian/scripts/update-rt-siteconfig =================================================================== --- debian/scripts/update-rt-siteconfig (revision 751) +++ debian/scripts/update-rt-siteconfig (working copy) @@ -14,6 +14,10 @@ # redistribute it and/or modify it under the terms of the Perl # Artistic License. +CONFBASE="/etc/request-tracker3.6" +SITE_CONFIG_INCLUDE_DIR="$CONFBASE/RT_SiteConfig.d" +SITE_CONFIG="$CONFBASE/RT_SiteConfig.pm" + myname=$(basename $0) tfile=$(mktemp -t "$myname".XXXXXXXX) || exit 1 cat <<EOF > $tfile 
@@ -29,9 +33,8 @@ EOF # ignore *.ucf-old and the like -find /etc/request-tracker3.6/RT_SiteConfig.d/ -type f \ - ! -name '*.ucf-*' -a \ - ! -name '*.dpkg-*' | sort | \ +find "$SITE_CONFIG_INCLUDE_DIR" -type f \ + -regex "^$SITE_CONFIG_INCLUDE_DIR/[a-z0-9][a-z0-9-]+$" | sort | \ while read file do echo "# start $file" >> $tfile @@ -42,13 +45,13 @@ # the result is a Perl module, so it needs to return 1. echo '1;' >> $tfile -if [ -f /etc/request-tracker3.6/RT_SiteConfig.pm ] +if [ -f "$SITE_CONFIG" ] then # try to honor the existing mode and owner of the file - chown --reference /etc/request-tracker3.6/RT_SiteConfig.pm $tfile - chmod --reference /etc/request-tracker3.6/RT_SiteConfig.pm $tfile + chown --reference "$SITE_CONFIG" $tfile + chmod --reference "$SITE_CONFIG" $tfile fi ucf --sum-file /usr/share/request-tracker3.6/debian/RT_SiteConfig.pm.etch.md5sum \ - --debconf-ok $tfile /etc/request-tracker3.6/RT_SiteConfig.pm + --debconf-ok $tfile "$SITE_CONFIG" rm $tfile Index: debian/changelog =================================================================== --- debian/changelog (revision 751) +++ debian/changelog (working copy) @@ -1,3 +1,11 @@ +request-tracker3.6 (3.6.7-5+lenny4~test.2) stable; urgency=low + + * Apply patch to fix SelfService repeated login problem + introduced in previous security fix + * Don't use editor backup files in SiteConfig.d (Closes: #574453) + + -- Dominic Hargreaves <[email protected]> Sat, 20 Mar 2010 17:11:52 +0000 + request-tracker3.6 (3.6.7-5+lenny3) stable-security; urgency=high * Security fix for session fixation vulnerability (CVE-2009-3585)
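Review bot: in the 73_session_headers.dpatch hunk, the `## 73_session-headers.dpatch` header line spells the file name with a hyphen while the file itself and the new 00list entry use `73_session_headers.dpatch`; make them agree. The substantive change, moving Set-Cookie from `$r->headers_out` to `$r->err_headers_out`, is the right mechanism if the symptom is a cookie that never reaches the browser: under Apache/mod_perl, `headers_out` is only sent with a successful response, whereas `err_headers_out` is sent with every response, including redirects and error pages. Since the `DP:` line only says "Possibly fix regression", please record the observed symptom (the repeated SelfService login from the changelog) and the non-2xx response on which the cookie was being lost, so a later maintainer can tell whether the patch is still needed.

Review bot: in the first update-rt-siteconfig hunk, the three new variables only pay off if every later reference uses them, and the ucf line further down still hardcodes `/usr/share/request-tracker3.6/debian/RT_SiteConfig.pm.etch.md5sum`; consider a matching variable. `$SITE_CONFIG_INCLUDE_DIR` is also interpolated unescaped into the `find -regex` pattern below, which is only safe because the value has no regex metacharacters beyond the `.` in `3.6`; a short comment next to the assignments saying the values must stay regex-safe would prevent a surprise if they are ever overridden.

Review bot: in the `find` hunk, replacing the `! -name '*.ucf-*' -a ! -name '*.dpkg-*'` exclusions with the whitelist `^$SITE_CONFIG_INCLUDE_DIR/[a-z0-9][a-z0-9-]+$` is a larger behaviour change than the changelog's "Don't use editor backup files" suggests: any existing fragment whose name contains an uppercase letter, an underscore or a dot, or that is a single character long (the `+` requires at least two), is now silently left out of the generated RT_SiteConfig.pm, and the script reports nothing. Either widen the pattern to the run-parts convention `[a-zA-Z0-9_-]+`, or document the naming rule in NEWS.Debian and have the loop warn about files it skips. Minor points: GNU `find -regex` already matches the whole path, so the `^` and `$` anchors are redundant, and `while read file` should be `while read -r file`.

Review bot: in the chown/chmod/ucf hunk the quoting is only half done: `"$SITE_CONFIG"` is now quoted, but `$tfile` is still bare in the `chown`, `chmod`, `ucf` and `rm` lines (and in the `cat <<EOF > $tfile` earlier in the script). `mktemp -t` honours `TMPDIR`, so a directory with whitespace in its path would break the script; quote `$tfile` in the same pass for consistency.

Review bot: in the debian/changelog hunk the first bullet carries no reference, unlike the second (`Closes: #574453`); point it at the rt-users thread already cited in the dpatch header and name the update it repairs (3.6.7-5+lenny3, the CVE-2009-3585 fix in the entry just below), so the stable release team can see the regression's origin without opening the patch. "Apply patch to fix" also describes the action rather than the effect; stating that Set-Cookie is now emitted via `err_headers_out` so the session cookie survives non-2xx responses would make the entry self-explanatory.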

