Comment 6 for bug 1004834

Jamie Strandboge (jdstrand) wrote :

Thank you for submitting debdiffs for this issue. It looks like Debian had to add several regression fixes for request-tracker3.8. In particular:

request-tracker3.8 (3.8.8-7+squeeze5) stable-security; urgency=low

  * Apply upstream patch fixing regression in rt-email-dashboards, and
    whitelist search results and calendar helper from CSRF protection
    (Closes: #686392)

 -- Dominic Hargreaves <email address hidden> Thu, 13 Sep 2012 18:53:17 +0100

request-tracker3.8 (3.8.8-7+squeeze4) stable-security; urgency=low

  * Apply second fix for regression introduced by previous security fix
    when sending email with mod_perl (Closes: #674924)

 -- Dominic Hargreaves <email address hidden> Sun, 03 Jun 2012 19:31:47 +0100

request-tracker3.8 (3.8.8-7+squeeze3) stable-security; urgency=high

  * Apply fix for regression introduced by previous security fix
    when sending email with mod_perl (Closes: #674522)
  * Provide specific instructions for restarting a mod_perl based
    Apache server (Closes: #674558)

 -- Dominic Hargreaves <email address hidden> Sat, 26 May 2012 11:17:34 +0100

Should these fixes be incorporated into your debdiffs? Based on patch 79 and 80, it seems like squeeze3 and squeeze4 were incorporated, but not squeeze5 yet.

Also, the debdiff does not comply with https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging in the following ways:
 * SECURITY UPDATE is not listed in the debian/changelog
 * The patches do not contain DEP-3 comments (http://dep.debian.net/deps/dep3/). Lack of DEP-3 comments makes it difficult for reviewers to verify that the patches are correct. For example:
  * 77_patchset-2012-05-07-3.8.7.dpatch has comments but not the specific commit for the patch
  * 78_patchset-2012-05-15-3.8.7.dpatch does not have the specific commit for the patch
  * 79_sendmail_mod_perl_pipe_fix.dpatch has comments, but not in the form of DEP-3
  * 80_sendmail_mod_perl_pipe_fix_again.dpatch has comments, but not in the form of DEP-3

If you are going to resubmit to incorporate the squeeze5 changes, can you update the debdiffs for the above?

Unsubscribing ubuntu-security-sponsors for now. After resubmitting the new debdiffs, please resubscribe ubuntu-security-sponsors. Thanks again for all your work on this! :)
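
The DEP-3 gaps listed in the comment above can be checked mechanically before a debdiff is resubmitted. The following is an added example, not code from the bug report or from the request-tracker3.8 packaging: the function names, the two sample headers and the example.invalid URL are constructed, it assumes a dpatch script carries its header in `## DP: ` or `# ` comment lines, and the check that Origin points at a URL or commit mirrors the reviewer's request for the specific commit rather than a DEP-3 requirement.

```python
import re

# Header fields defined by DEP-3 (http://dep.debian.net/deps/dep3/).
FIELD = re.compile(
    r"^(Description|Subject|Origin|Author|From|Bug(?:-[\w.]+)?|Forwarded|"
    r"Reviewed-by|Acked-by|Last-Update|Applied-Upstream):\s*(.*)$", re.I)
# Assumption: dpatch scripts carry the header in "## DP: " or "# " comments.
PREFIX = re.compile(r"^(?:## DP:|#) ?")

def parse_dep3(text):
    fields, last = {}, None
    for raw in text.splitlines():
        if raw.startswith(("@DPATCH@", "--- ", "diff ", "Index: ")):
            break  # header ends where the patch body starts
        line = PREFIX.sub("", raw)
        m = FIELD.match(line)
        if m:
            last = m.group(1).lower()
            fields[last] = m.group(2).strip()
        elif last and line.startswith(" ") and line.strip():
            fields[last] += "\n" + line.strip()  # continuation line
        else:
            last = None
    return fields

def dep3_problems(text):
    f = parse_dep3(text)
    problems = []
    if not (f.get("description") or f.get("subject")):
        problems.append("no Description/Subject")
    if "origin" not in f and not (f.get("author") or f.get("from")):
        problems.append("no Origin (required unless Author is present)")
    elif "origin" in f and not re.search(
            r"https?://\S+|commit:\s*[0-9a-f]{7,40}", f["origin"]):
        problems.append("Origin names no URL or commit")
    return problems

# Constructed samples; file name, text and URL are placeholders.
FREE_FORM = """#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_example.dpatch (constructed)
## DP: Fix sending mail under mod_perl
@DPATCH@
"""
TAGGED = """#! /bin/sh /usr/share/dpatch/dpatch-run
## DP: Description: fix sending mail under mod_perl
## DP:  Second line of the long description.
## DP: Origin: upstream, https://example.invalid/commit/0123abc
@DPATCH@
"""
```

`dep3_problems(FREE_FORM)` reports both missing fields for a header that has comments but no DEP-3 tags, while `dep3_problems(TAGGED)` returns an empty list.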