Package: request-tracker5 / 5.0.3+dfsg-3~deb12u3

Metadata

Package: request-tracker5
Version: 5.0.3+dfsg-3~deb12u3
Patches format: 3.0 (quilt)

Patch series

layout.diff

config.layout | 29 29 + 0 - 0 !
1 file changed, 29 insertions(+)

Add Debian layout (FHS-compatible)

sitemodules.diff

lib/RT/Interface/Web/Handler.pm | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

Use RT_SiteModules.pm in lib/RT/Interface/Web/Handler.pm

rt_setup_database_upgrade_basedir.diff

sbin/rt-setup-database.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

Fix relative references to config path

debianize_backup_docs.diff

docs/system_administration/database.pod | 60 42 + 18 - 0 !
1 file changed, 42 insertions(+), 18 deletions(-)

Customise backup docs for Debian

debianize_docs_local.diff

docs/customizing/styling_rt.pod | 13 6 + 7 - 0 !
docs/extending/clickable_links.pod | 4 2 + 2 - 0 !
docs/initialdata.pod | 2 1 + 1 - 0 !
docs/writing_portlets.pod | 8 4 + 4 - 0 !
4 files changed, 13 insertions(+), 14 deletions(-)

Reference correct local directory for Debian

fix_lintian_privacy_break_logo_error.diff

share/html/index.html | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

Don't include remote image references or redirects in the broken-install
page

This fixes the lintian error privacy-breach-logo

debianize_UPGRADING 4.2.diff

docs/UPGRADING-4.2 | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

Debianize UPGRADING-4.2

assettracker sysgroups.diff

etc/upgrade/4.1.0/schema.SQLite | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

Fix upgrade problems caused by an RTx::AssetTracker installation bug

The setup of the wheezy rt4-extension-assettracker package
(RTx::AssetTracker 2.0.0b2) accidentally inserted two pairs of system role
accounts, causing upgrade failures on SQLite backends due to uniqueness
constraint violations.

Bug-Debian: https://bugs.debian.org/773343

load_rt_generated.diff

lib/RT.pm | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

Load RT::Generated directly from @INC

This allows for the possibility of overriding RT::Generated in test
scenarios.

rt_test_db_type.diff

lib/RT/Test.pm | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

Allow overriding DatabaseType from the environment in RT::Test

debianize_version.diff

configure.ac | 8 4 + 4 - 0 !
share/html/Admin/Tools/Config/Elements/Option | 3 3 + 0 - 0 !
share/html/Elements/Footer | 2 1 + 1 - 0 !
3 files changed, 8 insertions(+), 5 deletions(-)

Extract the correct (Debian) version number in configure.ac

Also make clear in the web interface that this version number is from
Debian.

fonts_use_noto_sans.diff

etc/RT_Config.pm.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

Use Noto Sans instead of Droid Sans

Droid Sans is deprecated in Debian, and we are using the fonts from
Debian rather than bundled with RT.

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804687

test_locale.diff

lib/RT/Test.pm | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

Set LC_ALL to C

LANG only applies to LC_* variables that are not set, so if LC_CTYPE is set
in the environment, it persists and tons of tests fail.
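The precedence rule this patch relies on, as an added illustration (example code written for this page, not part of RT or the Debian packaging; RT's test suite is Perl, this is Python): a resolver for the effective value of one locale category from an environment mapping. It follows the POSIX rule that LC_ALL overrides everything, an individual LC_* variable overrides LANG, and an empty value counts as unset, and shows why exporting LC_ALL=C is the only setting that cannot be undone by a stray LC_CTYPE in the developer's shell.

```python
from typing import Mapping

# POSIX locale categories that LANG only fills in when they are unset.
LC_CATEGORIES = ("LC_CTYPE", "LC_COLLATE", "LC_MESSAGES", "LC_MONETARY",
                 "LC_NUMERIC", "LC_TIME")


def effective_locale(category: str, env: Mapping[str, str]) -> str:
    """Return the locale actually used for `category` under POSIX precedence.

    Order: LC_ALL (if set and non-empty) > LC_<category> > LANG > "C".
    An empty string is treated the same as an unset variable, as POSIX requires.
    """
    if category not in LC_CATEGORIES:
        raise ValueError(f"unknown locale category {category!r}")
    for var in ("LC_ALL", category, "LANG"):
        value = env.get(var, "")
        if value:
            return value
    return "C"


def force_c_locale(env: Mapping[str, str]) -> dict:
    """What the patch does: set LC_ALL=C so every category resolves to C
    regardless of whichever LC_* variables the caller's shell exported."""
    fixed = dict(env)
    fixed["LC_ALL"] = "C"
    return fixed


if __name__ == "__main__":
    # Constructed environment: the test runner sets LANG=C, but the developer's
    # shell had exported LC_CTYPE, which LANG does not override.
    shell_env = {"LANG": "C", "LC_CTYPE": "en_US.UTF-8"}
    print(effective_locale("LC_CTYPE", shell_env))                  # en_US.UTF-8
    print(effective_locale("LC_TIME", shell_env))                   # C
    print(effective_locale("LC_CTYPE", force_c_locale(shell_env)))  # C
```

Setting LANG=C in a test harness therefore only fixes the categories nobody has exported; LC_ALL=C is the setting that wins over everything.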

use_cpanel_json_xs.diff

lib/RT/Interface/Web.pm | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

Force the use of Cpanel::JSON::XS

JSON::XS breaks RT due to the removed from_json/to_json methods and JSON.pm
prefers JSON::XS to our preferred implementation Cpanel::JSON::XS by
default.

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848041

fix_pod_rt_munge_attachments.diff

sbin/rt-munge-attachments.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

Fix POD for rt-munge-attachments

fix_shebang_upgrade_mysql_schema.diff

etc/upgrade/upgrade-mysql-schema.pl | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

Fix shebang for Debian Policy

fix_test_ldap_ipv4.diff

t/externalauth/ldap.t | 12 9 + 3 - 0 !
t/externalauth/ldap_email_login.t | 11 9 + 2 - 0 !
t/externalauth/ldap_escaping.t | 11 9 + 2 - 0 !
t/externalauth/ldap_group.t | 11 9 + 2 - 0 !
t/externalauth/ldap_privileged.t | 11 9 + 2 - 0 !
t/ldapimport/group-callbacks.t | 11 9 + 2 - 0 !
t/ldapimport/group-import.t | 11 9 + 2 - 0 !
t/ldapimport/group-member-import.t | 11 9 + 2 - 0 !
t/ldapimport/group-rename.t | 11 9 + 2 - 0 !
t/ldapimport/user-import-cfs.t | 11 9 + 2 - 0 !
t/ldapimport/user-import-privileged.t | 11 9 + 2 - 0 !
t/ldapimport/user-import.t | 11 9 + 2 - 0 !
12 files changed, 108 insertions(+), 25 deletions(-)

Force use of IPv4 for LDAP tests.

Net::LDAP::Server::Test binds to IPv6 by default, but Net::LDAP uses
'localhost' which resolves to an IPv4 address.  Even when I switched
the call to Net::LDAP->new() to use ip6-localhost it failed elsewhere
due to RT using 127.0.0.1.

debianize_extensions.diff

docs/extensions.pod | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

Point to Debian location of mason_data.

debianize_commands.diff

docs/authentication.pod | 2 1 + 1 - 0 !
docs/automating_rt.pod | 16 8 + 8 - 0 !
docs/customizing/assets/tutorial.pod | 6 3 + 3 - 0 !
docs/customizing/scrip_conditions_and_action.pod | 6 3 + 3 - 0 !
docs/customizing/search_result_columns.pod | 8 4 + 4 - 0 !
docs/extending/external_custom_fields.pod | 8 4 + 4 - 0 !
docs/extensions.pod | 7 3 + 4 - 0 !
docs/full_text_indexing.pod | 30 15 + 15 - 0 !
docs/incremental-export/README | 15 9 + 6 - 0 !
docs/initialdata.pod | 2 1 + 1 - 0 !
docs/reminders.pod | 2 1 + 1 - 0 !
docs/system_administration/database.pod | 10 5 + 5 - 0 !
docs/tracking-rt-configuration.pod | 10 5 + 5 - 0 !
13 files changed, 62 insertions(+), 60 deletions(-)

Use Debian location of commands and data

debianize_charts.diff

docs/charts.pod | 52 10 + 42 - 0 !
1 file changed, 10 insertions(+), 42 deletions(-)

On Debian there is no need to install the GD modules if GD is
desired.

ignore_Mozilla::CA.diff

etc/cpanfile | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

Debian provides the Mozilla CAs in the ca-certificates package.

fcgi_client_sigpipe.diff

sbin/rt-server.fcgi | 3 3 + 0 - 0 !
sbin/rt-server.in | 3 3 + 0 - 0 !
2 files changed, 6 insertions(+)

A client terminating a connection shouldn't kill an FCGI process

When a client disconnects before processing is complete, then a SIGPIPE
is sent to the FCGI process. Previously this would cause the process
to exit. Discussed on the forum here:

* https://forum.bestpractical.com/t/rt-4-4-fastcgi-processes-frequently-dying/34812
* https://forum.bestpractical.com/t/why-does-rts-fcgi-server-not-handle-sigpipe/35902
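The kernel behaviour behind this patch, reproduced as an added example (this is Python written for this page, not RT's Perl change to sbin/rt-server.fcgi, and it assumes a POSIX system such as Linux): a child process writes a late response into a pipe whose reader has already gone away. With the default disposition the write never returns because SIGPIPE terminates the process, which is what was happening to the FCGI workers; with SIGPIPE ignored, the same write fails with EPIPE, the error is delivered to the program and it can log it and keep serving. Python itself sets SIGPIPE to SIG_IGN at interpreter start, so the pre-patch case has to restore SIG_DFL explicitly.

```python
import os
import signal


def write_to_pipe_without_reader(ignore_sigpipe: bool) -> dict:
    """Fork a child that writes to a pipe whose read end is already closed,
    the situation of an FCGI worker answering a client that has hung up.

    ignore_sigpipe=False restores the default disposition (pre-patch behaviour:
    the kernel's SIGPIPE terminates the process before the write returns).
    ignore_sigpipe=True is what `$SIG{PIPE} = 'IGNORE'` achieves in Perl: the
    write fails with EPIPE, the process handles the error and survives.
    """
    read_fd, write_fd = os.pipe()
    os.close(read_fd)          # no reader exists anywhere: the next write is fatal or EPIPE
    pid = os.fork()
    if pid == 0:               # child
        disposition = signal.SIG_IGN if ignore_sigpipe else signal.SIG_DFL
        signal.signal(signal.SIGPIPE, disposition)
        try:
            os.write(write_fd, b"HTTP/1.1 200 OK\r\n\r\nlate response")
        except BrokenPipeError:
            os._exit(0)        # EPIPE was delivered to us instead of killing us
        os._exit(3)            # unreachable: a write with no reader cannot succeed
    os.close(write_fd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return {"survived": False, "signal": os.WTERMSIG(status), "exit_code": None}
    return {"survived": True, "signal": None, "exit_code": os.WEXITSTATUS(status)}


if __name__ == "__main__":
    print(write_to_pipe_without_reader(ignore_sigpipe=False))  # killed by signal 13 (SIGPIPE)
    print(write_to_pipe_without_reader(ignore_sigpipe=True))   # survived, exit code 0
```

Ignoring SIGPIPE does not make the disconnect go away; it turns a fatal signal into an error return from write(2), which is the form a long-running server can actually deal with.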

disable test smime realmail.diff

t/mail/smime/realmail.t | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

Skip t/mail/smime/realmail.t for now.

Broken by OpenSSL 3.0 as the test emails use DES which is now disabled.

remove_exclude_Test::WWW::Mechanize.diff

etc/cpanfile | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

Remove exclude of Test::WWW::Mechanize 1.58

The Debian maintainers of libtest-www-mechanize-perl have built their
version of 1.58 with the patch that fixes the issue with Text::LongString
breaking the RT tests.

Upstream report of issue (merged for the upcoming 1.59 release):
  https://github.com/petdance/test-www-mechanize/pull/79

Update tests for EN datetime locale change to space.diff

t/api/date.t | 37 21 + 16 - 0 !
1 file changed, 21 insertions(+), 16 deletions(-)

Update tests for EN datetime locale change to space

This patch has been cherry-picked from upstream 5.0-trunk. It can be
dropped once we import 5.0.4 (when it is released).

DateTime::Locale version 1.58 published CLDR 42.0.0 which changed
the space character in times before the AM and PM to be
U+202F NARROW NO-BREAK SPACE (aka NNBSP) from the previous
space (U+0020). This broke tests looking for a space character
for localized datetimes with an AM/PM.

Update to a like test to work for older versions of DateTime::Locale
and for new ones from 1.58 forward.

libdatetime format natural perl v0.14.diff

etc/cpanfile | 1 1 + 0 - 0 !
t/api/date.t | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 1 deletion(-)

Support DateTime::Format::Natural >= 0.13_01

Version 0.13_01 switched from using DateTime to DateTime::HiRes for setting
the initial time. This means we in turn need to use Test::MockTime::HiRes.

Error I was getting in Debian with libdatetime-format-natural-perl v0.14 and
v0.15:

  t/api/date.t .. 4/?
  #   Failed test 'April in the past'
  #   at t/api/date.t line 650.
  #          got: '2023-03-31 16:00:00'
  #     expected: '2015-03-31 16:00:00'

  #   Failed test 'Monday in the past'
  #   at t/api/date.t line 655.
  #          got: '2023-01-29 16:00:00'
  #     expected: '2015-11-22 16:00:00'

  #   Failed test 'April in the future'
  #   at t/api/date.t line 661.
  #          got: '2023-03-31 16:00:00'
  #     expected: '2016-03-31 16:00:00'
  # Some tests failed or we bailed out, tmp directory '/home/puck/personal/RT/debian/rt/request-tracker5/t/tmp/api-date.t-qhyuAiqU' is not cleaned
  # Looks like you failed 3 tests of 231.

upstream_5.0.3_cve:_patchset_2023 09 26.diff

docs/web_deployment.pod | 25 25 + 0 - 0 !
lib/RT/Articles.pm | 5 5 + 0 - 0 !
lib/RT/Assets.pm | 5 5 + 0 - 0 !
lib/RT/Attachment.pm | 11 11 + 0 - 0 !
lib/RT/Catalog.pm | 22 22 + 0 - 0 !
lib/RT/Catalogs.pm | 5 5 + 0 - 0 !
lib/RT/Class.pm | 33 33 + 0 - 0 !
lib/RT/Classes.pm | 5 5 + 0 - 0 !
lib/RT/CustomField.pm | 22 22 + 0 - 0 !
lib/RT/CustomFields.pm | 5 5 + 0 - 0 !
lib/RT/CustomRole.pm | 22 22 + 0 - 0 !
lib/RT/CustomRoles.pm | 6 6 + 0 - 0 !
lib/RT/Group.pm | 34 30 + 4 - 0 !
lib/RT/Groups.pm | 5 5 + 0 - 0 !
lib/RT/Interface/Email.pm | 4 4 + 0 - 0 !
lib/RT/Interface/Email/Crypt.pm | 5 3 + 2 - 0 !
lib/RT/Interface/Web.pm | 22 22 + 0 - 0 !
lib/RT/ObjectCustomFieldValue.pm | 1 1 + 0 - 0 !
lib/RT/Queue.pm | 23 23 + 0 - 0 !
lib/RT/Queues.pm | 5 5 + 0 - 0 !
lib/RT/REST2/Resource/Article.pm | 10 2 + 8 - 0 !
lib/RT/REST2/Resource/Asset.pm | 6 2 + 4 - 0 !
lib/RT/REST2/Resource/Collection.pm | 28 15 + 13 - 0 !
lib/RT/REST2/Resource/CustomField.pm | 15 0 + 15 - 0 !
lib/RT/REST2/Resource/Group.pm | 39 12 + 27 - 0 !
lib/RT/REST2/Resource/GroupMembers.pm | 2 0 + 2 - 0 !
lib/RT/REST2/Resource/ObjectCustomFieldValue.pm | 6 0 + 6 - 0 !
lib/RT/REST2/Resource/RT.pm | 4 3 + 1 - 0 !
lib/RT/REST2/Resource/Record.pm | 17 14 + 3 - 0 !
lib/RT/REST2/Resource/Ticket.pm | 11 3 + 8 - 0 !
lib/RT/REST2/Resource/User.pm | 3 1 + 2 - 0 !
lib/RT/SearchBuilder.pm | 5 5 + 0 - 0 !
lib/RT/SearchBuilder/Role/Roles.pm | 4 2 + 2 - 0 !
lib/RT/Ticket.pm | 4 4 + 0 - 0 !
lib/RT/Tickets.pm | 11 10 + 1 - 0 !
lib/RT/Transactions.pm | 98 97 + 1 - 0 !
lib/RT/Users.pm | 5 5 + 0 - 0 !
share/html/Elements/CollectionList | 6 1 + 5 - 0 !
share/html/REST/1.0/NoAuth/mail-gateway | 13 12 + 1 - 0 !
share/html/Search/Results.html | 10 2 + 8 - 0 !
share/html/Search/Results.tsv | 10 2 + 8 - 0 !
41 files changed, 451 insertions(+), 121 deletions(-)

Fix a number of security issues in RT.

* RT is vulnerable to unvalidated email headers in incoming email and the
  mail-gateway REST interface. This vulnerability is assigned CVE-2023-41259.
* RT is vulnerable to information leakage via response messages returned from
  requests sent via the mail-gateway REST interface. This vulnerability is
  assigned CVE-2023-41260.
* RT 5.0 is vulnerable to information leakage via transaction searches made
  by authenticated users in the transaction query builder. This vulnerability
  is assigned CVE-2023-45024.
* RT 5.0 can reveal information about data on various RT objects in errors
  and other response messages to REST 2 requests.
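The first item, unvalidated email headers reaching RT through the mail-gateway REST interface, is a class of bug worth seeing concretely. The block below is an added Python illustration written for this page, not RT's fix (which lives in lib/RT/Interface/Email.pm and share/html/REST/1.0/NoAuth/mail-gateway and is not shown here): it parses a header block as a gateway would receive it, refuses bare CR/LF that would let a caller smuggle in an extra header, checks header names against the RFC 5322 field-name grammar, and then applies an allow-list of headers the caller may set. The allow-list and the CRLF wire format are assumptions of the example; header folding (continuation lines) is deliberately rejected as malformed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# RFC 5322 field-name: printable US-ASCII except ':' (0x21-0x39, 0x3B-0x7E).
_FIELD_NAME = re.compile(r"^[\x21-\x39\x3b-\x7e]+$")
# A raw CR or LF inside a value would end the header and start a new one.
_CRLF = re.compile(r"[\r\n]")


class HeaderInjection(ValueError):
    """Raised for anything that could add or alter a header we did not intend."""


def parse_raw_headers(blob: str) -> List[Tuple[str, str]]:
    """Split a CRLF-terminated header block into (name, value) pairs.

    Unlike a lenient mail parser this refuses a bare CR or LF that is not a
    line ending, and refuses continuation lines (leading whitespace fails the
    field-name check), so a value cannot carry a second header inside it.
    """
    headers = []
    for line in blob.split("\r\n"):
        if not line:
            continue
        if _CRLF.search(line):
            raise HeaderInjection(f"bare CR/LF inside header line: {line!r}")
        name, sep, value = line.partition(":")
        if not sep or not _FIELD_NAME.match(name):
            raise HeaderInjection(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return headers


def validate_headers(headers: Iterable[Tuple[str, str]],
                     allowed: frozenset) -> Dict[str, str]:
    """Accept only headers on the allow-list, each lexically clean."""
    accepted: Dict[str, str] = {}
    for name, value in headers:
        if not _FIELD_NAME.match(name):
            raise HeaderInjection(f"invalid header name {name!r}")
        if _CRLF.search(value):
            raise HeaderInjection(f"CR/LF in value of {name}: {value!r}")
        if name.lower() not in allowed:
            raise HeaderInjection(f"header {name!r} not permitted from this source")
        accepted[name] = value
    return accepted


# Assumption for this example: what an untrusted gateway caller may set.
ALLOWED_FROM_GATEWAY = frozenset({"subject", "from", "to", "message-id"})


def sanitize_gateway_submission(blob: str) -> Dict[str, str]:
    """Parse then validate; either step raises HeaderInjection on bad input."""
    return validate_headers(parse_raw_headers(blob), ALLOWED_FROM_GATEWAY)


if __name__ == "__main__":
    # Constructed submissions: a clean one and one smuggling a Bcc header.
    print(sanitize_gateway_submission("Subject: Help\r\nFrom: user@example.com\r\n"))
    try:
        sanitize_gateway_submission("Subject: Help\r\nBcc: attacker@example.invalid\r\n")
    except HeaderInjection as exc:
        print("rejected:", exc)
```

Two layers matter here: the lexical check stops CR/LF from turning one value into two headers, and the allow-list stops a caller from setting headers that belong to the server (routing, identity, internal metadata) even when they are syntactically perfect.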

Update expired certificates.diff

t/data/smime/keys/demoCA/cacert.pem | 68 35 + 33 - 0 !
t/data/smime/keys/otherCA/cacert.pem | 93 47 + 46 - 0 !
t/data/smime/keys/root@example.com.crt | 104 73 + 31 - 0 !
t/data/smime/keys/root@example.com.csr | 33 26 + 7 - 0 !
t/data/smime/keys/root@example.com.key | 64 52 + 12 - 0 !
t/data/smime/keys/root@example.com.pem | 168 125 + 43 - 0 !
t/data/smime/keys/sender@example.com.crt | 104 73 + 31 - 0 !
t/data/smime/keys/sender@example.com.csr | 33 26 + 7 - 0 !
t/data/smime/keys/sender@example.com.key | 64 52 + 12 - 0 !
t/data/smime/keys/sender@example.com.pem | 168 125 + 43 - 0 !
t/data/smime/mails/1-signed.eml | 151 77 + 74 - 0 !
t/data/smime/mails/2-signed-attachment.eml | 179 89 + 90 - 0 !
t/data/smime/mails/3-signed-binary.eml | 189 94 + 95 - 0 !
t/data/smime/mails/4-encrypted-plain.eml | 81 49 + 32 - 0 !
t/data/smime/mails/5-encrypted-attachment.eml | 100 58 + 42 - 0 !
t/data/smime/mails/6-encrypted-binary.eml | 112 64 + 48 - 0 !
t/data/smime/mails/7-signed-encrypted-plain.eml | 215 118 + 97 - 0 !
t/data/smime/mails/8-signed-encrypted-attachment.eml | 234 127 + 107 - 0 !
t/data/smime/mails/9-signed-encrypted-binary.eml | 246 133 + 113 - 0 !
t/web/smime/outgoing.t | 2 1 + 1 - 0 !
20 files changed, 1444 insertions(+), 964 deletions(-)

Update expired certificates and related tests

S/MIME certs in tests expired in August 2023. This is the upstream fix
that'll be in release 5.0.5 of RT.

upstream_5.0.x_cve:_patchset_2023 09 26 tests.diff

t/mail/gateway.t | 2 1 + 1 - 0 !
t/mail/han-encodings.t | 2 1 + 1 - 0 !
t/mail/sendmail-plaintext.t | 2 1 + 1 - 0 !
t/mail/sendmail.t | 2 1 + 1 - 0 !
t/rest2/articles.t | 2 1 + 1 - 0 !
t/rest2/assets.t | 2 1 + 1 - 0 !
t/rest2/attachments.t | 4 2 + 2 - 0 !
t/rest2/cf-image.t | 2 1 + 1 - 0 !
t/rest2/customfields.t | 2 1 + 1 - 0 !
t/rest2/group-members.t | 24 5 + 19 - 0 !
t/rest2/searches.t | 2 1 + 1 - 0 !
t/rest2/tickets.t | 4 1 + 3 - 0 !
t/rest2/transactions.t | 4 2 + 2 - 0 !
t/ticket/interface.t | 2 1 + 1 - 0 !
14 files changed, 20 insertions(+), 36 deletions(-)

Patches to tests for CVE-2023-41259, CVE-2023-41260, and CVE-2023-45024

fix_browser_cache.diff

etc/RT_Config.pm.in | 14 14 + 0 - 0 !
lib/RT/Config.pm | 3 3 + 0 - 0 !
share/html/Elements/Header | 3 1 + 2 - 0 !
share/html/Elements/HttpResponseHeaders | 99 99 + 0 - 0 !
share/html/m/_elements/header | 3 1 + 2 - 0 !
5 files changed, 118 insertions(+), 4 deletions(-)

Add $WebStrictBrowserCache option to disable browser cache

RT systems that store sensitive data may want to disable all
browser cache and back button behavior. This option enables
that and moves these headers to a separate Mason template
for easy override.

See: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/06-Testing_for_Browser_Cache_Weaknesses
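What "disable all browser cache and back button behavior" means at the HTTP level, as an added Python example (not RT's Mason template, which this page does not show): one function emits a relaxed revalidate-only header set and the strict set, and a second applies the checks the OWASP test linked above describes (Cache-Control carrying no-store and no-cache, Pragma: no-cache, an Expires header for HTTP/1.0 intermediaries). The relaxed set is a conventional example, not a claim about RT's default.

```python
from typing import Dict, List


def cache_headers(strict: bool) -> Dict[str, str]:
    """Response headers for a dynamic, authenticated page.

    strict=False: revalidate every time but allow the browser to keep a copy,
    so the Back button can show the page without a request.
    strict=True: forbid storage entirely; navigating Back must hit the server,
    which can then check that the session is still valid.
    """
    if not strict:
        return {
            "Cache-Control": "no-cache, max-age=0, must-revalidate",
            "Pragma": "no-cache",
        }
    return {
        # no-store: nothing may be written to disk or memory cache.
        # private: shared caches (proxies) must not keep it either.
        "Cache-Control": "no-store, no-cache, private, max-age=0, must-revalidate",
        "Pragma": "no-cache",
        # A date in the past for HTTP/1.0 intermediaries that ignore Cache-Control.
        "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    }


def cache_weaknesses(headers: Dict[str, str]) -> List[str]:
    """Findings in the spirit of the OWASP browser-cache test; empty means clean."""
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower() for d in lowered.get("cache-control", "").split(",")}
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: page may be kept in browser cache")
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache: cached copy may be reused without revalidation")
    if lowered.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 fallback)")
    if "expires" not in lowered:
        findings.append("Expires header missing (HTTP/1.0 fallback)")
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "default", cache_weaknesses(cache_headers(mode)))
```

The trade-off the option exposes is usability: with no-store, every Back navigation and every reopened tab costs a round trip, which is why it is a switch for deployments holding sensitive data rather than the unconditional default.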

fix_browser_cache2.diff

share/html/Helpers/Autocomplete/autohandler | 6 2 + 4 - 0 !
share/html/Helpers/RightsInspector/Search | 2 1 + 1 - 0 !
share/html/Helpers/autohandler | 5 2 + 3 - 0 !
t/web/helpers-http-cache-headers.t | 4 2 + 2 - 0 !
4 files changed, 7 insertions(+), 10 deletions(-)

Convert other Mason templates to new headers template

27bd738eaf created a single method in Web.pm, CacheControlExpiresHeaders
to generate HTTP response headers, specifically those related to
caching instructions for browsers. That was applied to Helpers, but
wasn't used for regular RT pages.

Later, 915eb4b7d0 sought to fix a regression that resulted in
cache headers not being sent for static files returned via
Plack::Middleware::Static. That fix went to great lengths to
try to re-use functionality from CacheControlExpiresHeaders,
including moving all of the code to GetStaticHeaders. This
probably wasn't really needed since it's reasonable to allow
the special case static handler to send its own one or two headers.
It also made the code confusing since dynamic pages in Mason
called CacheControlExpiresHeaders, which then called GetStaticHeaders
to get headers for responses that were not static.

This update gets all of the Mason web pages using the same code
for these headers. It leaves the current methods in place to continue
handling static files. That can likely be simplified and cleaned up
in a future commit.

upstream_5.0.3_cve:_patchset_2025 04 08.diff

etc/RT_Config.pm | 24 24 + 0 - 0 !
lib/RT/Crypt/SMIME.pm | 2 1 + 1 - 0 !
lib/RT/Interface/Web.pm | 9 7 + 2 - 0 !
lib/RT/Interface/Web/Scrubber/Restrictive.pm | 148 148 + 0 - 0 !
share/html/Asset/Elements/TSVExport | 2 1 + 1 - 0 !
share/html/Elements/CollectionList | 4 2 + 2 - 0 !
share/html/Elements/ScrubHTML | 2 1 + 1 - 0 !
share/html/Elements/TSVExport | 2 1 + 1 - 0 !
share/html/Search/Build.html | 2 1 + 1 - 0 !
share/html/Search/Edit.html | 2 1 + 1 - 0 !
share/html/Ticket/Graphs/dhandler | 4 4 + 0 - 0 !
share/static/js/util.js | 13 12 + 1 - 0 !
12 files changed, 203 insertions(+), 11 deletions(-)

Fix four security issues in RT.

* RT is vulnerable to Cross Site Scripting via injection of malicious
  parameters in a search URL. This vulnerability is assigned CVE-2025-30087.
* RT uses the default OpenSSL cipher, 3DES (des3), for encrypting SMIME email.
  This is an outdated cipher algorithm, so the default is changed to
  aes-128-cbc. In addition, we have made this option configurable so you can
  pick an alternate cipher now or in the future, or revert to des3 if needed
  for compatibility. This vulnerability is assigned CVE-2025-2545.
* RT is vulnerable to Cross Site Scripting via JavaScript injection in an
  Asset name. This vulnerability is assigned CVE-2025-31501.
* RT is vulnerable to Cross Site Scripting via JavaScript injection in an RT
  permalink. This vulnerability is assigned CVE-2025-31500.
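The three cross-site scripting items share one root cause: attacker-controlled text (a search parameter, an asset name, a permalink) reaching a page in a context where the browser reads it as markup, a URL or script. The block below is an added Python illustration written for this page, not RT's Mason or util.js code (which this page does not show): the same untrusted strings rendered naively, beside a hardened version that escapes for the HTML text and attribute contexts, restricts href to a scheme allow-list, and emits a JavaScript string literal that cannot break out of its script block. The scheme allow-list is an assumption of the example, and it shows the same trade-off the follow-up patch below describes: too tight a link restriction breaks legitimate links.

```python
import html
import json
from urllib.parse import urlsplit

# Assumption for this example: schemes a rendered link may carry.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})


def naive_link(name: str, href: str) -> str:
    """Vulnerable: untrusted text lands in markup, attribute and script unchanged."""
    return (f'<a href="{href}" title="{name}">{name}</a>'
            f"<script>var permalink = '{href}';</script>")


def safe_href(href: str) -> str:
    """Allow relative URLs and an explicit scheme allow-list; anything else
    (javascript:, data:, vbscript:, ...) is replaced by an inert fragment."""
    scheme = urlsplit(href.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return html.escape(href, quote=True)


def js_string(value: str) -> str:
    """A JS string literal that cannot escape its <script> element.

    json.dumps escapes quotes and backslashes; '<' and '>' are escaped as well
    so a value containing '</script>' cannot close the element early.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def hardened_link(name: str, href: str) -> str:
    text = html.escape(name, quote=True)   # safe in a text node and in an attribute
    return (f'<a href="{safe_href(href)}" title="{text}">{text}</a>'
            f"<script>var permalink = {js_string(href)};</script>")


if __name__ == "__main__":
    # Constructed hostile inputs standing in for an asset name and a permalink.
    evil_name = '"><script>alert(1)</script>'
    evil_href = "javascript:alert(document.cookie)"
    print(naive_link(evil_name, evil_href))
    print(hardened_link(evil_name, evil_href))
```

Escaping has to match the context the value lands in: html.escape is right for text and attributes but does nothing against a javascript: URL, and neither protects a value dropped into a script block, which needs the JSON-style literal.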

upstream_5.0.3_cve:_patchset_2025 04 11.diff

lib/RT/Interface/Web/Scrubber/Restrictive.pm | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

Improve fix to CVE-2025-30087

After releasing the fix for CVE-2025-30087, Best Practical became aware that
the new linking restrictions were too strict in some cases, causing legitimate
links to stop working. This is most pronounced for users running RTIR, where
many links stop working. This patch should resolve that.