Stable update for request-tracker3.6
Hi,
Please find attached a proposed stable update for request-tracker3.6.
Let me know if it's okay to upload.
Thanks,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
Index: debian/patches/73_session_headers.dpatch
===================================================================
--- debian/patches/73_session_headers.dpatch (revision 0)
+++ debian/patches/73_session_headers.dpatch (revision 788)
@@ -0,0 +1,18 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 73_session-headers.dpatch
+##
+## DP: Possibly fix regression in security update
+## http://lists.bestpractical.com/pipermail/rt-users/2009-December/062777.html
+diff --git a/html/Elements/SetupSessionCookie b/html/Elements/SetupSessionCookie
+index 3225c0d..00f97ce 100755
+--- a/html/Elements/SetupSessionCookie
++++ b/html/Elements/SetupSessionCookie
+@@ -122,7 +122,7 @@ if ( !$cookies{$cookiename} ) {
+ -path => $RT::WebPath,
+ -secure => ($RT::WebSecureCookies ? 1 :0)
+ );
+- $r->headers_out->{'Set-Cookie'} = $cookie->as_string;
++ $r->err_headers_out->{'Set-Cookie'} = $cookie->as_string;
+
+ }
+
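Review bot: the switch from `headers_out` to `err_headers_out` at the changed line is the right table for a cookie that has to survive a redirect: Apache emits `err_headers_out` on every response, including 3xx and error responses, whereas `headers_out` is dropped when the response is not a 2xx, which fits the repeated-login symptom the changelog describes. Two small points on the patch file itself: the header comment reads `## 73_session-headers.dpatch` while the file (and the 00list entry) is `73_session_headers.dpatch`, so fix the hyphen; and `## DP: Possibly fix regression in security update` should name the regression (SelfService users being asked to log in repeatedly after the CVE-2009-3585 fix) so the patch is self-explanatory alongside the rt-users URL.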
Index: debian/patches/00list
===================================================================
--- debian/patches/00list (revision 751)
+++ debian/patches/00list (working copy)
@@ -15,3 +15,4 @@
70_RT-ShowConfigTab-3.6
71_RT-3.6-escape_custom_field_value
72_RT-3.6.4-3.6.9-session_fixation.v2.dpatch
+73_session_headers.dpatch
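Review bot: the changelog says the regression was introduced by the previous security fix, i.e. `72_RT-3.6.4-3.6.9-session_fixation.v2.dpatch`, so 73 must apply after it and its `@@ -122,7 +122,7 @@` context must match SetupSessionCookie as left by 72; confirm with `dpatch apply-all` on a clean unpacked tree before uploading. The mixed naming in this list (70/71 without `.dpatch`, 72/73 with it) is accepted by dpatch, but is worth normalising in a later upload.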
Index: debian/scripts/update-rt-siteconfig
===================================================================
--- debian/scripts/update-rt-siteconfig (revision 751)
+++ debian/scripts/update-rt-siteconfig (working copy)
@@ -14,6 +14,10 @@
# redistribute it and/or modify it under the terms of the Perl
# Artistic License.
+CONFBASE="/etc/request-tracker3.6"
+SITE_CONFIG_INCLUDE_DIR="$CONFBASE/RT_SiteConfig.d"
+SITE_CONFIG="$CONFBASE/RT_SiteConfig.pm"
+
myname=$(basename $0)
tfile=$(mktemp -t "$myname".XXXXXXXX) || exit 1
cat <<EOF > $tfile
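Review bot: the three new variables are consistently double-quoted where they are used, but `$tfile` stays unquoted in `cat <<EOF > $tfile` (and in the `chown`/`chmod`/`ucf`/`rm` lines further down); `mktemp -t` honours `$TMPDIR`, so quote it the same way, e.g. `cat <<EOF > "$tfile"`.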
@@ -29,9 +33,8 @@
EOF
# ignore *.ucf-old and the like
-find /etc/request-tracker3.6/RT_SiteConfig.d/ -type f \
- ! -name '*.ucf-*' -a \
- ! -name '*.dpkg-*' | sort | \
+find "$SITE_CONFIG_INCLUDE_DIR" -type f \
+ -regex "^$SITE_CONFIG_INCLUDE_DIR/[a-z0-9][a-z0-9-]+$" | sort | \
while read file
do
echo "# start $file" >> $tfile
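Review bot: the allowlist `[a-z0-9][a-z0-9-]+` does more than drop editor backups: it requires at least two characters and admits no uppercase, `_` or `.`, so a snippet that the old blacklist honoured (say `RT_Ldap.pm` or a single-letter name) is now silently skipped. Either widen the class while keeping the first character restricted, e.g. `[A-Za-z0-9][A-Za-z0-9_-]*`, which still excludes dotfiles, `foo~`, `.swp`, `*.ucf-*` and `*.dpkg-*` because none of them fit the class, or document the naming rule in the changelog so admins know why config disappeared, and consider echoing skipped files to stderr. The regex also interpolates `$SITE_CONFIG_INCLUDE_DIR` unescaped, so the `.` in `request-tracker3.6` is a wildcard; harmless for this constant, but `\.` would be exact. On the plus side, restricting names to that class makes the unquoted `while read file` loop safe from whitespace and backslashes.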
@@ -42,13 +45,13 @@
# the result is a Perl module, so it needs to return 1.
echo '1;' >> $tfile
-if [ -f /etc/request-tracker3.6/RT_SiteConfig.pm ]
+if [ -f "$SITE_CONFIG" ]
then
# try to honor the existing mode and owner of the file
- chown --reference /etc/request-tracker3.6/RT_SiteConfig.pm $tfile
- chmod --reference /etc/request-tracker3.6/RT_SiteConfig.pm $tfile
+ chown --reference "$SITE_CONFIG" $tfile
+ chmod --reference "$SITE_CONFIG" $tfile
fi
ucf --sum-file /usr/share/request-tracker3.6/debian/RT_SiteConfig.pm.etch.md5sum \
- --debconf-ok $tfile /etc/request-tracker3.6/RT_SiteConfig.pm
+ --debconf-ok $tfile "$SITE_CONFIG"
rm $tfile
Index: debian/changelog
===================================================================
--- debian/changelog (revision 751)
+++ debian/changelog (working copy)
@@ -1,3 +1,11 @@
+request-tracker3.6 (3.6.7-5+lenny4~test.2) stable; urgency=low
+
+ * Apply patch to fix SelfService repeated login problem
+ introduced in previous security fix
+ * Don't use editor backup files in SiteConfig.d (Closes: #574453)
+
+ -- Dominic Hargreaves <dom@earth.li> Sat, 20 Mar 2010 17:11:52 +0000
+
request-tracker3.6 (3.6.7-5+lenny3) stable-security; urgency=high
* Security fix for session fixation vulnerability (CVE-2009-3585)
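Review bot: `3.6.7-5+lenny4~test.2` with distribution `stable` is a test build; the upload to stable-proposed-updates needs the plain `3.6.7-5+lenny4` version and a refreshed date, so drop the `~test.2` suffix before uploading. The second entry also understates the change: the new `find` does not just ignore editor backup files, it includes only files whose names match `[a-z0-9][a-z0-9-]+`, so say so; and the first entry could cite the rt-users thread that the dpatch header already links for the regression.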