[request-tracker-maintainers] upstream 3.4.6
    Niko Tyni 
    ntyni at iki.fi
       
    Thu Oct 26 21:46:29 UTC 2006
    
    
  
Hi pkg-request-tracker folks,
I have prepared the new 3.4 upstream release, 3.4.6, in our SVN repository
and run it for a while in a test installation where it seems to be
working OK.
The release has been out for a week now, and there's one known upstream
bug: the test-deps stuff doesn't look for the new dependency on
Universal::Require.  I have added that to the Depends, so that doesn't
concern us.
The upstream announcement is here:
 http://lists.bestpractical.com/pipermail/rt-announce/2006-October/000143.html
Do you think we should try to get this in etch? Or should we stay
with 3.4.5, which has been out for almost a year now? There's a
security-related fix that we should maybe backport in that case:
> Todd Chapman discovered a case where RT's mail gateway would
> default to the RT::SystemUser if no valid 'From' header were
> found. This could allow a malicious user to create tickets or
> reply to tickets, but not to gain access to data.
OTOH, this doesn't look too bad to me, as the email sender can
be forged anyway...
Cheers,
-- 
Niko Tyni		ntyni at iki.fi
    
    
More information about the pkg-request-tracker-maintainers
mailing list