Bug#693123: unblock: rt-authen-externalauth/0.10-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package rt-authen-externalauth in order to ensure compatibility
with request-tracker4/4.0.7-2:

rt-authen-externalauth (0.10-3) unstable; urgency=low

  * Adding patch from Thomas Sibley <trs@bestpractical.com> to redirect
    correctly on RT 4.0.8, 3.8.15, and the 2012-10-25 security patches
    (Closes: #691783).
  * Adding postinst script for clearing the mason cache after configuring
    the package.
  * Fixing incorrect line wrap in previous changelog entry.

 -- Tom Jampen <tom@cryptography.ch>  Thu, 08 Nov 2012 07:37:05 +0100

Thanks
Tom

diff -Nru rt-authen-externalauth-0.10/debian/changelog rt-authen-externalauth-0.10/debian/changelog
--- rt-authen-externalauth-0.10/debian/changelog 2012-08-20 10:49:19.000000000 +0200
+++ rt-authen-externalauth-0.10/debian/changelog 2012-11-08 09:08:49.000000000 +0100
@@ -1,8 +1,19 @@
+rt-authen-externalauth (0.10-3) unstable; urgency=low
+
+ * Adding patch from Thomas Sibley <trs@bestpractical.com> to redirect
+ correctly on RT 4.0.8, 3.8.15, and the 2012-10-25 security patches
+ (Closes: #691783).
+ * Adding postinst script for clearing the mason cache after configuring
+ the package.
+ * Fixing incorrect line wrap in previous changelog entry.
+
+ -- Tom Jampen <tom@cryptography.ch> Thu, 08 Nov 2012 07:37:05 +0100
+
rt-authen-externalauth (0.10-2) unstable; urgency=low
* Fixing typos in README.Debian.
- * Adding patch from Alex Vandiver <alex@chmrr.net> to fix privilege escalation
- bug (Closes: #683288).
+ * Adding patch from Alex Vandiver <alex@chmrr.net> to fix privilege
+ escalation bug (Closes: #683288).
-- Tom Jampen <tom@cryptography.ch> Thu, 10 Aug 2012 21:53:49 +0200
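Review bot: The rewrap of the 0.10-2 entry at the end of this hunk edits a changelog stanza that has already been uploaded, which puts a change unrelated to the redirect fix into a diff the release team has to read for an unblock. The new entry does record it ("Fixing incorrect line wrap in previous changelog entry"), so nothing is hidden, but leaving released stanzas untouched would keep this debdiff limited to the compatibility patch and the postinst.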
diff -Nru rt-authen-externalauth-0.10/debian/patches/03-rt4-security-fix-compatibility.patch rt-authen-externalauth-0.10/debian/patches/03-rt4-security-fix-compatibility.patch
--- rt-authen-externalauth-0.10/debian/patches/03-rt4-security-fix-compatibility.patch 1970-01-01 01:00:00.000000000 +0100
+++ rt-authen-externalauth-0.10/debian/patches/03-rt4-security-fix-compatibility.patch 2012-11-07 18:45:09.000000000 +0100
@@ -0,0 +1,20 @@
+Author: Thomas Sibley <trs@bestpractical.com>
+Description:
+ Redirect correctly on RT 4.0.8, 3.8.15, and the 2012-10-25 security patches
+ .
+ The NextPage session stash started storing hashrefs instead of strings.
+ This manifested as redirects to /HASH(0xDEADBEEF) instead of the proper
+ destination. Older and unpatched RTs will continue to work correctly
+ due to the "if ref $next" check.
+
+diff -Naurp a/html/Callbacks/ExternalAuth/autohandler/Session b/html/Callbacks/ExternalAuth/autohandler/Session
+--- a/html/Callbacks/ExternalAuth/autohandler/Session 2012-10-30 13:01:56.611512695 +0100
++++ b/html/Callbacks/ExternalAuth/autohandler/Session 2012-10-30 18:12:18.663173646 +0100
+@@ -7,6 +7,7 @@ if ( $m->request_comp->path eq '/NoAut
+ && $ARGS{next} )
+ {
+ my $next = delete $session{'NextPage'}->{ $ARGS{'next'} };
++ $next = $next->{'url'} if ref $next;
+ RT::Interface::Web::Redirect( $next || RT->Config->Get('WebURL') );
+ }
+ </%init>
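Review bot: The added line `$next = $next->{'url'} if ref $next;` treats any reference as a hash, so a non-hash reference in the NextPage stash would die with "Not a HASH reference" instead of redirecting. Testing `ref $next eq 'HASH'` would match what the description says the stash now holds (hashrefs) and still leave plain strings from older RTs untouched. In the patch header, the `Description:` field is empty on its first line with the synopsis pushed to a continuation line, and a `Bug-Debian:` field pointing at #691783 would tie the patch to the bug the changelog closes.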
diff -Nru rt-authen-externalauth-0.10/debian/patches/series rt-authen-externalauth-0.10/debian/patches/series
--- rt-authen-externalauth-0.10/debian/patches/series 2012-08-20 10:34:00.000000000 +0200
+++ rt-authen-externalauth-0.10/debian/patches/series 2012-11-07 18:45:09.000000000 +0100
@@ -1,2 +1,3 @@
01-fix-plugindir.patch
02-privilege-escalation.patch
+03-rt4-security-fix-compatibility.patch
diff -Nru rt-authen-externalauth-0.10/debian/rt4-extension-authenexternalauth.postinst rt-authen-externalauth-0.10/debian/rt4-extension-authenexternalauth.postinst
--- rt-authen-externalauth-0.10/debian/rt4-extension-authenexternalauth.postinst 1970-01-01 01:00:00.000000000 +0100
+++ rt-authen-externalauth-0.10/debian/rt4-extension-authenexternalauth.postinst 2012-11-08 09:07:59.000000000 +0100
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -e
+
+case "${1}" in
+ configure)
+ # clear mason cache
+ rm -rf /var/cache/request-tracker4/mason_data/obj/*
+ ;;
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ ;;
+ *)
+ echo "postinst called with unknown argument \`${1}'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
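Review bot: The `configure` branch only removes the on-disk compiled components with `rm -rf /var/cache/request-tracker4/mason_data/obj/*`; nothing in the script restarts or reloads the web server, so an RT process that is already running may keep using the callback it loaded before the upgrade. Either reload the server here or state in README.Debian that the administrator has to restart it after installation. The wildcard also clears the compiled objects of every RT component, not just this extension's, which is harmless because Mason recompiles them, but a short comment saying so would help the next maintainer.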