Thank you for submitting debdiffs for this issue. It looks like Debian had to
add several regression fixes for request-tracker3.8. In particular:
request-tracker3.8 (3.8.8-7+squeeze5) stable-security; urgency=low

  * Apply upstream patch fixing regression in rt-email-dashboards, and
    whitelist search results and calendar helper from CSRF protection
    (Closes: #686392)

 -- Dominic Hargreaves <[email protected]>  Thu, 13 Sep 2012 18:53:17 +0100

request-tracker3.8 (3.8.8-7+squeeze4) stable-security; urgency=low

  * Apply second fix for regression introduced by previous security fix
    when sending email with mod_perl (Closes: #674924)

 -- Dominic Hargreaves <[email protected]>  Sun, 03 Jun 2012 19:31:47 +0100

request-tracker3.8 (3.8.8-7+squeeze3) stable-security; urgency=high

  * Apply fix for regression introduced by previous security fix
    when sending email with mod_perl (Closes: #674522)
  * Provide specific instructions for restarting a mod_perl based
    Apache server (Closes: #674558)

 -- Dominic Hargreaves <[email protected]>  Sat, 26 May 2012 11:17:34 +0100
Should these fixes be incorporated into your debdiffs? Based on patch 79 and
80, it seems like squeeze3 and squeeze4 were incorporated, but not squeeze5 yet.
Also, the debdiff does not comply with
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging in the
following ways:
 * SECURITY UPDATE is not listed in the debian/changelog
 * The patches do not contain DEP-3 comments
   (http://dep.debian.net/deps/dep3/). Lack of DEP-3 comments makes it difficult
   for reviewers to verify that the patches are correct. For example:
   * 77_patchset-2012-05-07-3.8.7.dpatch has comments but not the specific
     commit for the patch
   * 78_patchset-2012-05-15-3.8.7.dpatch does not have the specific commit for
     the patch
   * 79_sendmail_mod_perl_pipe_fix.dpatch has comments, but not in the form of
     DEP-3
   * 80_sendmail_mod_perl_pipe_fix_again.dpatch has comments, but not in the
     form of DEP-3
If you are going to resubmit to incorporate the squeeze5 changes, can
you update the debdiffs for the above?
Unsubscribing ubuntu-security-sponsors for now. After resubmitting the
new debdiffs, please resubscribe ubuntu-security-sponsors. Thanks again
for all your work on this! :)
** Changed in: request-tracker3.8 (Ubuntu Lucid)
Status: Triaged => Incomplete
** Changed in: request-tracker3.8 (Ubuntu Lucid)
Assignee: (unassigned) => Dominic Hargreaves (dom)
** Changed in: request-tracker3.8 (Ubuntu Natty)
Status: Triaged => Incomplete
** Changed in: request-tracker3.8 (Ubuntu Natty)
Assignee: (unassigned) => Dominic Hargreaves (dom)
** Changed in: request-tracker3.8 (Ubuntu Oneiric)
Status: Triaged => Incomplete
** Changed in: request-tracker3.8 (Ubuntu Oneiric)
Assignee: (unassigned) => Dominic Hargreaves (dom)
** Changed in: request-tracker3.8 (Ubuntu Precise)
Status: Triaged => Incomplete
** Changed in: request-tracker3.8 (Ubuntu Precise)
Assignee: (unassigned) => Dominic Hargreaves (dom)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1004834
Title:
Multiple security vulnerabilities in request-tracker3.8
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/request-tracker3.8/+bug/1004834/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
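A way to check the two packaging points raised above (DEP-3 fields in every patch, and a SECURITY UPDATE marker in the topmost debian/changelog entry) before resubmitting the debdiffs. This is an added example, not code from the bug report, the Ubuntu security team or the request-tracker3.8 packaging. The sample patches and changelog entries are constructed (package versions, the commit URL and the packager name are placeholders), and the convention that a dpatch file carries its DEP-3 fields as "## Field: value" comment lines before the @DPATCH@ marker is an assumption of this script, not something DEP-3 or the report states.

```sh
#!/bin/sh
# dep3_lint.sh: added example, not part of the bug report or of the
# request-tracker3.8 packaging. Checks that each patch carries the DEP-3
# fields a reviewer needs and that the topmost debian/changelog entry says
# "SECURITY UPDATE". Assumption (mine, not DEP-3's): dpatch files keep the
# fields as "## Field: value" lines before @DPATCH@; quilt/git patches keep
# them as plain "Field: value" lines before the diff.

# Print the header block of patch $1 with dpatch comment prefixes stripped.
dep3_header() {
    awk '
        /^@DPATCH@/            { exit }   # dpatch: script header ends here
        /^(---|diff |Index: )/ { exit }   # quilt/git: the diff starts here
        /^#! /                 { next }   # dpatch shebang line
        { sub(/^## ?/, ""); sub(/^# ?/, ""); print }
    ' "$1"
}

# True if some header line of $1 starts with a field name matching ERE $2.
dep3_has_field() {
    dep3_header "$1" | grep -Eiq "^($2):"
}

# Print the DEP-3 fields missing from patch $1, space-separated (empty = OK).
# DEP-3 requires Description (or Subject) and Origin (or Author/From, the git
# format-patch spellings). Bug/Bug-<Vendor> is optional in DEP-3, but a
# security update without a bug reference is hard to review, so flag it too.
dep3_missing() {
    missing=""
    dep3_has_field "$1" 'Description|Subject' || missing="$missing Description"
    dep3_has_field "$1" 'Origin|Author|From'  || missing="$missing Origin"
    dep3_has_field "$1" 'Bug|Bug-[A-Za-z]+'   || missing="$missing Bug"
    echo "${missing# }"
}

# Lint every patch in directory $1: one line per non-compliant patch, non-zero
# exit if any was found.
lint_patches() {
    rc=0
    for p in "$1"/*.patch "$1"/*.dpatch "$1"/*.diff; do
        [ -f "$p" ] || continue                      # unmatched glob
        m=$(dep3_missing "$p")
        [ -z "$m" ] || { echo "$(basename "$p"): missing DEP-3 $m"; rc=1; }
    done
    return $rc
}

# True if the topmost entry of changelog $1 says "SECURITY UPDATE"; a marker
# in an older entry does not count.
changelog_marks_security_update() {
    awk '/^[a-z0-9][a-z0-9.+-]* \(/ { if (++n > 1) exit } { print }' "$1" |
        grep -q 'SECURITY UPDATE'
}

# ---- constructed samples (versions, URLs and names are placeholders) ----
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT; mkdir -p "$tmp/patches"

# Free-form dpatch comments only: the shape the review objects to.
cat > "$tmp/patches/80_freeform.dpatch" <<'EOF'
#! /bin/sh /usr/share/dpatch/dpatch-run
## DP: Second fix for the mod_perl sendmail pipe regression.

@DPATCH@
--- a/lib/RT/Interface/Email.pm
+++ b/lib/RT/Interface/Email.pm
@@ -1 +1 @@
-old line
+new line
EOF

# The same change with DEP-3 fields (the commit URL is a placeholder).
cat > "$tmp/patches/80_dep3.patch" <<'EOF'
Description: Second fix for the mod_perl sendmail pipe regression.
Origin: upstream, https://example.invalid/rt/commit/PLACEHOLDER
Bug-Debian: http://bugs.debian.org/674924
Bug-Ubuntu: https://launchpad.net/bugs/1004834
--- a/lib/RT/Interface/Email.pm
+++ b/lib/RT/Interface/Email.pm
@@ -1 +1 @@
-old line
+new line
EOF

# Topmost entry marked as the wiki page requires.
cat > "$tmp/changelog.ok" <<'EOF'
request-tracker3.8 (3.8.8-7ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: multiple vulnerabilities (LP: #1004834)

 -- Packager <packager@example.invalid>  Thu, 13 Sep 2012 18:53:17 +0100
EOF

# Marker only in an older entry: must not pass.
cat > "$tmp/changelog.bad" <<'EOF'
request-tracker3.8 (3.8.8-7ubuntu0.2) precise-security; urgency=low

  * Apply upstream patch fixing regression in rt-email-dashboards.

 -- Packager <packager@example.invalid>  Fri, 14 Sep 2012 10:00:00 +0100

request-tracker3.8 (3.8.8-7ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: multiple vulnerabilities (LP: #1004834)

 -- Packager <packager@example.invalid>  Thu, 13 Sep 2012 18:53:17 +0100
EOF

lint_patches "$tmp/patches" || echo "patches: fix the lines above before resubmitting"
changelog_marks_security_update "$tmp/changelog.ok" && echo "changelog.ok: marked"
changelog_marks_security_update "$tmp/changelog.bad" || echo "changelog.bad: topmost entry lacks SECURITY UPDATE"
```

Run it from the unpacked source tree as `lint_patches debian/patches` and `changelog_marks_security_update debian/changelog`; the Origin field is where the specific upstream commit the review asks for belongs, so a patch that only has free-form comments (like the constructed 80_freeform.dpatch) shows up as missing Description, Origin and Bug.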