request-tracker5 (5.0.9+dfsg-1) unstable; urgency=medium

  This version of RT has dropped support for File::Dropbox. If you are
  using that as external storage for attachments, please switch to
  WebService::Dropbox.

  This version of RT includes a database index upgrade. If you are using a
  dbconfig-managed database, you will be offered the choice of applying this
  automatically; if not, please apply this change separately using something
  like:

  rt-setup-database-5 --action upgrade --upgrade-from 5.0.6 --upgrade-to 5.0.8

  Please note the database patch is to 5.0.8, as 5.0.8 wasn't uploaded to
  Debian.

 -- Andrew Ruthven <andrew@etc.gen.nz>  Fri, 13 Feb 2026 22:55:55 +1300

request-tracker5 (5.0.7+dfsg-1) unstable; urgency=medium

  There is an information exposure vulnerability due to browser cache usage.
  If you have sensitive information, you may wish to enable the new
  $WebStrictBrowserCache option.

  This version of RT includes a database index upgrade. If you are using a
  dbconfig-managed database, you will be offered the choice of applying this
  automatically; if not, please apply this change separately using something
  like:

  rt-setup-database-5 --action upgrade --upgrade-from 5.0.5 --upgrade-to 5.0.6

 -- Andrew Ruthven <andrew@etc.gen.nz>  Wed, 15 May 2024 23:32:32 +1200

request-tracker5 (5.0.5+dfsg-1) unstable; urgency=high

  This version of RT includes a database content upgrade. If you are using a
  dbconfig-managed database, you will be offered the choice of applying this
  automatically; if not, please apply them separately using something like:

  rt-setup-database-5 --action upgrade --upgrade-from 5.0.4 --upgrade-to 5.0.5

  It is strongly recommended that you ensure that .../REST/1.0/NoAuth is only
  accessible for host(s) that run rt-mailgate for submitting email to RT.
  This is often the system which has request-tracker4 installed. The sample
  configurations supplied by these packages for Apache2 and Nginx restrict
  access to localhost only.

 -- Andrew Ruthven <andrew@etc.gen.nz>  Tue, 24 Oct 2023 00:07:21 +1300

request-tracker5 (5.0.4+dfsg-1) unstable; urgency=medium

  Below are specific notes on an important change in default setting in this
  release of RT and two changes that may break customisations, but please
  also review in full the notes in
  /usr/share/doc/request-tracker5/UPGRADING-5.0.gz and
  /usr/share/doc/request-tracker5/README.Debian.gz as there are some new
  features that you may want to enable.

  * Updated defaults for $WebSecureCookies

    The previous default value for the configuration option $WebSecureCookies
    was '0', meaning that RT did not, by default, set the Secure option on
    session cookies. The default for this option has been changed to '1',
    which will require all users to connect to the RT instance over SSL and
    will trigger other changes in browser behavior, such as cookie caching.

    If you are running RT over http without SSL, this will cause problems and
    you can set your local value back to '0'.

    RT previously did not set a SameSite policy for session cookies. How this
    is handled by browsers varies. RT 5.0.4 introduces the configuration
    option $WebSameSiteCookies with a default value of 'Lax', which provides
    additional defense against CSRF attacks in some browsers. See
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
    for more details on valid values, their meaning, and browser support.

  * ModifyLoginRedirect callback in Logout.html moved

    Best Practical try hard not to modify callbacks since they are made for
    external code to reference, but in this case the logic of the page
    changed and they had to move the callback location so it could correctly
    modify the URL value, if needed. If you were using this callback to modify
    the redirect URL on logout, your code will continue to work as intended.
    However, if you were using this callback for other reasons, you may need
    to update your code to use the BeforeSessionDelete callback instead.

  * Custom role keys in REST2 ticket endpoints changed

    Best Practical updated custom role keys from "GroupType" syntax like
    "RT::CustomRole-1" to "Name" in REST2 ticket endpoints, to be consistent
    with core roles. They also added a "CustomRoles" entry to cover all
    custom roles, making it consistent with similar results for "CustomFields".

  This version of RT includes a database content upgrade.
  If you are using a dbconfig-managed database, you will be offered the
  choice of applying this automatically; if not, please apply them
  separately using something like:

  rt-setup-database-5 --action upgrade --upgrade-from 5.0.3 --upgrade-to 5.0.4

 -- Andrew Ruthven <andrew@etc.gen.nz>  Sat, 27 May 2023 15:52:14 +1200

request-tracker5 (5.0.3+dfsg-1) unstable; urgency=medium

  Below are some specific notes about changes in this major new release
  of RT, but please also review in full the notes in
  /usr/share/doc/request-tracker5/UPGRADING-5.0.gz and
  /usr/share/doc/request-tracker5/README.Debian.gz.

  This version of RT incorporates several new plugins, which should be removed
  from the system if installed locally to prevent conflicts:

  * RT::Extension::QuoteSelection
  * RT::Extension::RightsInspector
  * RT::Extension::ConfigInDatabase
  * RT::Extension::CustomRole::Visibility
  * RT::Extension::PriorityAsString
  * RT::Extension::AssetSQL
  * RT::Extension::LifecycleUI
  * RT::Extension::REST2
  * RT::Authen::Token

  A bug with the Mason cache introduced in 4.4.5 is fixed. This mostly
  impacted RTIR users, but could show up with broken links in other cases
  also.

  This version of RT includes a database content upgrade.
  If you are using a dbconfig-managed database, you will be offered the
  choice of applying this automatically; if not, please apply them
  separately using something like:

  rt-setup-database-5 --action upgrade --upgrade-from 4.4.6 --upgrade-to 5.0.3

 -- Andrew Ruthven <andrew@etc.gen.nz>  Thu, 21 Jul 2022 17:06:28 +1200