Thank you for submitting debdiffs for this issue. It looks like Debian had to add several regression fixes for request-tracker3.8. In particular:
request-tracker3.8 (3.8.8-7+squeeze5) stable-security; urgency=low
* Apply upstream patch fixing regression in rt-email-dashboards, and
whitelist search results and calendar helper from CSRF protection
(Closes: #686392)
-- Dominic Hargreaves <email address hidden> Thu, 13 Sep 2012 18:53:17 +0100
request-tracker3.8 (3.8.8-7+squeeze4) stable-security; urgency=low
* Apply second fix for regression introduced by previous security fix
when sending email with mod_perl (Closes: #674924)
-- Dominic Hargreaves <email address hidden> Sun, 03 Jun 2012 19:31:47 +0100
request-tracker3.8 (3.8.8-7+squeeze3) stable-security; urgency=high
* Apply fix for regression introduced by previous security fix
when sending email with mod_perl (Closes: #674522)
* Provide specific instructions for restarting a mod_perl based
Apache server (Closes: #674558)
-- Dominic Hargreaves <email address hidden> Sat, 26 May 2012 11:17:34 +0100
Should these fixes be incorporated into your debdiffs? Based on patch 79 and 80, it seems like squeeze3 and squeeze4 were incorporated, but not squeeze5 yet.
Also, the debdiff does not comply with https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging in the following ways:
* SECURITY UPDATE is not listed in the debian/changelog
* The patches do not contain DEP-3 comments (http://dep.debian.net/deps/dep3/). Lack of DEP-3 comments makes it difficult for reviewers to verify that the patches are correct. For example:
  * 77_patchset-2012-05-07-3.8.7.dpatch has comments but not the specific commit for the patch
  * 78_patchset-2012-05-15-3.8.7.dpatch does not have the specific commit for the patch
  * 79_sendmail_mod_perl_pipe_fix.dpatch has comments, but not in the form of DEP-3
  * 80_sendmail_mod_perl_pipe_fix_again.dpatch has comments, but not in the form of DEP-3
If you are going to resubmit to incorporate the squeeze5 changes, can you update the debdiffs for the above?
Unsubscribing ubuntu-security-sponsors for now. After resubmitting the new debdiffs, please resubscribe ubuntu-security-sponsors. Thanks again for all your work on this! :)
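The packaging points raised in the comment above can be checked mechanically before a debdiff is resubmitted. The following is an added example, not part of the original comment and not Ubuntu or Debian tooling: the function names, the sample patch headers and the placeholder URL are constructed, and it assumes DEP-3 fields in a dpatch file sit behind a `# ` comment prefix.

```python
import re

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$")
DIFF_START = ("--- ", "diff ", "Index: ", "@DPATCH@")

def dep3_fields(patch_text):
    """Collect 'Field: value' header lines that precede the diff."""
    fields = {}
    for raw in patch_text.splitlines():
        if raw.startswith("#!"):                 # dpatch shebang line
            continue
        if raw.startswith(DIFF_START) or raw.strip() == "---":
            break                                # header is over
        # dpatch files are shell scripts: strip '# ' or '## DP: ' (assumption)
        line = re.sub(r"^#+ ?(DP: ?)?", "", raw).rstrip()
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2).strip())
    return fields

def review_patch(patch_text):
    """Return reviewer findings for one patch header (empty list = OK)."""
    f = dep3_fields(patch_text)
    findings = []
    if not (f.get("description") or f.get("subject")):
        findings.append("missing Description/Subject")
    if not (f.get("origin") or f.get("author") or f.get("from")):
        findings.append("missing Origin or Author")
    origin = f.get("origin", "")
    if origin and not re.search(r"https?://|commit:", origin):
        findings.append("Origin names no commit or URL")
    return findings

def changelog_marks_security_update(changelog_text):
    """True if the newest changelog entry contains 'SECURITY UPDATE'."""
    newest = changelog_text.split("\n -- ", 1)[0]
    return "SECURITY UPDATE" in newest

# Constructed samples: free-form dpatch comments vs. a DEP-3 style header.
DPATCH_PLAIN = """#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_example_fix.dpatch by Example Dev <dev@example.invalid>
##
## DP: Fix regression when sending mail
@DPATCH@
"""
DPATCH_DEP3 = """#! /bin/sh /usr/share/dpatch/dpatch-run
# Description: Fix regression when sending mail
# Origin: upstream, https://example.invalid/commit/PLACEHOLDER
@DPATCH@
"""

if __name__ == "__main__":
    for name, text in (("plain", DPATCH_PLAIN), ("dep3", DPATCH_DEP3)):
        print(name, review_patch(text) or "OK")
```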