[request-tracker-maintainers] [dom at earth.li: Fixes for RT 3.x issue CVE-2011-0009 in testing: preapproval requested]

Dominic Hargreaves dom at earth.li
Thu Jan 20 08:46:53 UTC 2011


Whoops, missed off CC to this list.

Dominic.

----- Forwarded message from Dominic Hargreaves <dom at earth.li> -----

Date: Thu, 20 Jan 2011 08:39:12 +0000
From: Dominic Hargreaves <dom at earth.li>
To: debian-release at lists.debian.org
Subject: Fixes for RT 3.x issue CVE-2011-0009 in testing: preapproval
	requested
User-Agent: Mutt/1.5.18 (2008-05-17)

Hello,

A security issue in RT has been disclosed at

<http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html>

A fix is included in version 3.8.8-7, which is ready to upload to
unstable. This also includes some documentation fixes and a fix for
one other important bug:

  * Correct name of file in cron.d to one which will be run by cron
    (Closes: #607209)
  * Apply patch from upstream reducing the severity of the
    RTAddressRegexp warning message to "debug", to avoid the cron jobs
    generating noise
  * Remove completely misleading documentation from NOTES.Debian
    relating to migrating between SQLite and other databases
    (Closes: #608481)
  * Correct name of libapache2-mod-fcgid in debian/conf/apache2-fcgid.conf
  * Security fix: support salted passwords in database and upgrade
    unsalted passwords (CVE-2011-0009)

I hope that it will be possible to upload this to unstable now and have
it migrate to testing, but I'm not completely sure how this fits with
your current policy for testing. Certainly the security issue would
qualify as RC, and I believe that the other fixes will also provide
important improvements to squeeze and are low-risk.

I attach the full interdiff for review. Please could you let me
know whether it would be okay to go ahead with this upload to unstable,
or whether a targeted upload covering just the security fix will be
required.

Many thanks,
Dominic

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

----- End forwarded message -----

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


