Package: request-tracker4 / 4.0.7-5+deb7u4

Metadata

Package: request-tracker4
Version: 4.0.7-5+deb7u4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
01_layout | (download)

config.layout | 27 27 + 0 - 0 !
1 file changed, 27 insertions(+)

 add debian layout (fhs-compatible)
04_sitemodules | (download)

lib/RT/Interface/Web/Handler.pm | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 use rt_sitemodules.pm in lib/rt/interface/web/handler.pm
25_rt_setup_database_upgrade_basedir | (download)

sbin/rt-setup-database.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix relative references to config path
30_no_syslogd_running | (download)

lib/RT.pm | 14 12 + 2 - 0 !
1 file changed, 12 insertions(+), 2 deletions(-)

 a workaround for #469155 in liblog-dispatch-perl:
  don't die if syslogd isn't running
  this is important because we use RT.pm from the maintainer
  scripts through rt-setup-database, and the lack of syslogd
  shouldn't make them fail.
  .
  This patch should be kept until liblog-dispatch-perl >= 2.22-1
  is in stable.
40_versioned_use_webmux | (download)

sbin/rt-server.in | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 require the correct major version of rt
  to provide more helpful errors when the wrong version of RT is in @LIB
  (for example in a mod_perl context)
55_no_testdeps | (download)

Makefile.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 don't run the testdeps portion of configuration
60_rt_setup_database_no_dba_preset | (download)

sbin/rt-setup-database.in | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 [patch] revert "default to the configure-time dba in
 rt-setup-database"

Bug-Debian: http://bugs.debian.org/637215

This reverts commit 2370ad8c83696fb51a54adff665c4cf947b44e49.

65_rt_setup_fulltext_index_no_dba_preset | (download)

sbin/rt-setup-fulltext-index.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] revert "pull default dba from autoconf"

Bug-Debian: http://bugs.debian.org/644093

This reverts commit e7f378895ec06e64bd056e1c966277aeee2ef6bd.

66_sanity check stylesheets_shebang | (download)

etc/upgrade/sanity-check-stylesheets.pl | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 add missing interpreter to etc/upgrade/sanity-check-stylesheets.pl

We install these scripts executable, so they need to have a valid
interpreter.

Bug: http://issues.bestpractical.com/Ticket/Display.html?id=18856


67_patchset 2012 10 10 | (download)

lib/RT/Action/SendEmail.pm | 54 19 + 35 - 0 !
lib/RT/Article.pm | 2 1 + 1 - 0 !
lib/RT/Attachment.pm | 49 34 + 15 - 0 !
lib/RT/Crypt/GnuPG.pm | 14 12 + 2 - 0 !
lib/RT/Interface/Email.pm | 52 35 + 17 - 0 !
lib/RT/Interface/Email/Auth/GnuPG.pm | 3 2 + 1 - 0 !
lib/RT/Interface/Web.pm | 117 99 + 18 - 0 !
lib/RT/Queue.pm | 40 32 + 8 - 0 !
lib/RT/Template.pm | 1 1 + 0 - 0 !
lib/RT/User.pm | 1 1 + 0 - 0 !
share/html/Admin/Queues/Modify.html | 6 4 + 2 - 0 !
share/html/Admin/Users/GnuPG.html | 15 11 + 4 - 0 !
share/html/Elements/CSRF | 6 4 + 2 - 0 !
share/html/Elements/GnuPG/SignEncryptWidget | 10 7 + 3 - 0 !
share/html/Elements/Login | 2 2 + 0 - 0 !
share/html/Elements/LoginRedirectWarning | 20 20 + 0 - 0 !
share/html/NoAuth/css/base/login.css | 8 8 + 0 - 0 !
17 files changed, 292 insertions(+), 108 deletions(-)

---
68_lock_transaction_updates | (download)

lib/RT/Record.pm | 35 35 + 0 - 0 !
lib/RT/Ticket.pm | 10 7 + 3 - 0 !
t/ticket/race.t | 51 51 + 0 - 0 !
3 files changed, 93 insertions(+), 3 deletions(-)

 [patch] lock transaction updates so scrips get a consistent snapshot

Previously, nothing prevented multiple transactions from being run on
the system concurrently, and making identical changes.  This could lead
to multiple Correspondences, followed by multiple "Status changed from
new to open" transactions.  Prevent this by always running
->_NewTransaction in a database transaction, and ensuring that it takes
a write lock on the row before running scrips and purges the cache.
This ensures a coherent and serial execution of scrips.

69_remove_unused_authenticate_method | (download)

lib/RT/CurrentUser.pm | 40 0 + 40 - 0 !
1 file changed, 40 deletions(-)

 [patch] remove the unused authenticate method

This method was added as part of an Atom feature, the functionality of
which was removed from core in ec3af9f and made into RTx-Atom, which
rolls its own version of this method.

70_patchset 2013 05 08 | (download)

bin/rt.in | 10 4 + 6 - 0 !
etc/upgrade/4.0.13/schema.Oracle | 2 2 + 0 - 0 !
etc/upgrade/4.0.13/schema.Pg | 2 2 + 0 - 0 !
etc/upgrade/4.0.13/schema.mysql | 2 2 + 0 - 0 !
lib/RT/Interface/Web.pm | 9 5 + 4 - 0 !
lib/RT/Lifecycle.pm | 140 113 + 27 - 0 !
lib/RT/Ticket.pm | 23 19 + 4 - 0 !
lib/RT/Tickets.pm | 2 2 + 0 - 0 !
lib/RT/Transaction.pm | 7 5 + 2 - 0 !
share/html/Admin/Tools/Shredder/Elements/Object/RT--Attachment | 2 1 + 1 - 0 !
share/html/Download/CustomFieldValue/dhandler | 2 1 + 1 - 0 !
share/html/Elements/ColumnMap | 6 4 + 2 - 0 !
share/html/Elements/EditCustomFieldBinary | 2 1 + 1 - 0 !
share/html/Elements/MakeClicky | 19 10 + 9 - 0 !
share/html/Elements/ShowCustomFieldBinary | 2 1 + 1 - 0 !
share/html/NoAuth/Logout.html | 2 1 + 1 - 0 !
share/html/REST/1.0/logout | 5 4 + 1 - 0 !
share/html/Ticket/Attachment/dhandler | 2 1 + 1 - 0 !
share/html/Ticket/Elements/ShowAttachments | 2 1 + 1 - 0 !
share/html/Ticket/Elements/ShowTransactionAttachments | 5 3 + 2 - 0 !
share/html/m/logout | 2 1 + 1 - 0 !
share/html/m/ticket/show | 2 1 + 1 - 0 !
22 files changed, 184 insertions(+), 66 deletions(-)

---
71_lifecycle_warning | (download)

lib/RT/Lifecycle.pm | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
72_patchset 2015 02 05 | (download)

lib/RT.pm | 2 2 + 0 - 0 !
share/html/Search/Elements/ResultsRSSView | 20 12 + 8 - 0 !
2 files changed, 14 insertions(+), 8 deletions(-)

 [patch 1/3] hide utf8 warnings during attempted decoding

EncodeFromToWithCroak is used to exploratorily attempt to decode unknown
byte strings.  This operation, under Encode::FB_DEFAULT, may generate
warnings -- lots of warnings.  This can lead to denial of service in
some situations.  This vulnerability has been assigned CVE-2014-9472.

Unfortunately, "no warnings 'utf8'" does not work to quiet them until
Encode 2.64; simply skip warnings of this type in the logging handler.

73_CVE 2015 5475 | (download)

share/html/NoAuth/js/util.js | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] escape principal name as we insert it into the dom

jQuery's text() setter method escapes the passed-in content. Using the original
html() leaves us vulnerable to an XSS injection attack. This resolves
CVE-2015-5475.