Changelog
request-tracker4 (4.0.5-3) unstable; urgency=high

  [ Dmitry Smirnov ]
  * debian/copyright update
  * added missing 'libfcgi-perl' dependency to 'rt4-fcgi'
  * debian/rt4-fcgi.init: fixed 'status' function

  [ Dominic Hargreaves ]
  * Multiple security fixes for:
    - XSS vulnerabilities (CVE-2011-2083)
    - information disclosure vulnerabilities including password hash
      exposure and correspondence disclosure to privileged users
      (CVE-2011-2084)
    - CSRF vulnerabilities allowing information disclosure,
      privilege escalation, and arbitrary code execution. Original
      behaviour may be restored by setting $RestrictReferrer to 0 for
      installations which rely on it (CVE-2011-2085)
    - remote code execution vulnerabilities including in VERP
      functionality (CVE-2011-4458)
  * Add vulnerable-password and clean-user-txns scripts to accompany
    above fixes, and run in postinst

 -- Dominic Hargreaves <email address hidden>  Sat, 19 May 2012 22:30:27 +0100