request-tracker4 (4.0.19-1) unstable; urgency=medium

  * Pass "-s /bin/sh" to "su www-data" to cope with the change of www-data's
    shell in base-passwd 3.5.30. Thanks to Colin Watson for the bug report
    and patch (Closes: #734728)
  * New upstream release
  * Include database upgrade scripts/NEWS
  * Don't fetch logo from bestpractical.com from 'broken install'
    page (fixes Lintian privacy error)

 -- Dominic Hargreaves <dom@earth.li>  Sun, 16 Feb 2014 16:15:23 +0000

request-tracker4 (4.0.18-1) unstable; urgency=low

  * New upstream release (Closes: #732013)
    - Add Build-Depends on liblocale-po-perl
  * Remove Depends/Suggests on version-specific PostgreSQL packages
    (Closes: #732497)

 -- Dominic Hargreaves <dom@earth.li>  Wed, 01 Jan 2014 13:58:39 +0000

request-tracker4 (4.0.17-2) unstable; urgency=low

  * Fix double-encoding bug with newer versions of Encode (Closes: #724795)
  * Add alternative build-depends on perl for Pod::Simple
    (thanks, Lintian)

 -- Dominic Hargreaves <dom@earth.li>  Sat, 28 Sep 2013 23:08:49 +0100

request-tracker4 (4.0.17-1) unstable; urgency=medium

  * Remove Dmitry Smirnov from Uploaders, on request
  * Add Brazilian Portuguese debconf templates translation
    (Closes: #719150)
  * New upstream release
    - Fixes perl 5.18 compatibility issues (Closes: #720498)

 -- Dominic Hargreaves <dom@earth.li>  Sat, 24 Aug 2013 11:24:26 +0100

request-tracker4 (4.0.13-1) unstable; urgency=low

  * New upstream release
  * Depend on fonts-droid instead of the transitional ttf-droid
    (Closes: #708940)
  * Update configuration files to Apache 2.4 host ACL style
    (Closes: #669774)
  * Run make testdeps, ignoring errors for now as some dependencies
    aren't needed for the Debian package and aren't packaged
  * Add Build-Depends on libterm-readkey-perl, and don't run
    t/web/installer.t (tests functionality not used in the Debian
    package (Closes: #708950)
  * Add Build-Depends on libfcgi-perl
  * Update Standards-Version (no changes)
  * Remove rt-validate-aliases alternative in prerm (Closes: #708101)

 -- Dominic Hargreaves <dom@earth.li>  Sun, 02 Jun 2013 14:16:34 +0100

request-tracker4 (4.0.12-2) unstable; urgency=high

  * Multiple security fixes for:
    - Privileged user escalation (CVE-2012-4733)
    - Semi-predictable temporary file names (CVE-2013-3368)
    - Arbitrary Mason component execution (CVE-2013-3369)
    - Direct execution of private callback components (CVE-2013-3370)
    - XSS via attachment filenames and URLs in messages (CVE-2013-3371)
    - XSS via Content-Disposition header (CVE-2013-3372)
    - MIME header injection (CVE-2013-3373)
    - Limited session reuse when using Apache::Session::File (CVE-2013-3374)
  * Include database upgrade (dbconfig-common and NEWS)

 -- Dominic Hargreaves <dom@earth.li>  Wed, 22 May 2013 18:53:16 +0100

request-tracker4 (4.0.12-1) unstable; urgency=low

  * New upstream release
    - include database update for consistently lower-case ticket types

 -- Dominic Hargreaves <dom@earth.li>  Sat, 11 May 2013 15:06:11 +0100

request-tracker4 (4.0.11-1) experimental; urgency=low

  * Set the Section of rt-doc-html to doc, matching the current Debian
    archive
  * Run test suite during package build (Closes: #688976)
  * The above change adds a Build-Depends on liblist-moreutils-perl which
    also fixes a FTBFS with 4.0.10-1 (Closes: #705002)
  * New upstream release
    - Update versioned build-dependency on libpod-simple-perl
  * Don't depend on a -1 revision libhtml-mason-perl, to assist with
    backporting (thanks, Lintian)

 -- Dominic Hargreaves <dom@earth.li>  Tue, 16 Apr 2013 21:50:07 +0100

request-tracker4 (4.0.10-1) experimental; urgency=low

  * Switch to git-dpm for patch management
  * Remove no_syslogd_running patch as the bug worked around
    has been fixed
  * New upstream release (Closes: #703345)
    - Update copyright years in debian/copyright
    - Update versioned dependency on libhtml-rewriteattributes-perl
    - Add dbconfig upgrade script and associated NEWS item
    - customize some documentation to refer to Debian paths
    - add POD for rt-validate-aliases
  * Add rt4-doc-html package containing HTML documentation for RT
  * Reorder and trim the long package descriptions to reduce duplication
  * Rework copyright file to meet the Version 1.0 spec

 -- Dominic Hargreaves <dom@earth.li>  Fri, 29 Mar 2013 17:33:17 +0000

request-tracker4 (4.0.7-5) unstable; urgency=medium

  * Change localstatedir from /var/cache/request-tracker4 to
    /var/lib/request-tracker4 as it contains things which aren't caches
  * Update other references to /var/cache/request-tracker4 where
    appropriate
  * Move /var/cache/request-tracker4/data/gpg to
    /var/lib/request-tracker4/data/gpg in postinst
  * Add NEWS item about moves from /var/cache/request-tracker4
  * Closes: #704107

 -- Dominic Hargreaves <dom@earth.li>  Fri, 29 Mar 2013 13:15:32 +0000

request-tracker4 (4.0.7-4) unstable; urgency=low

  * Add extra robustness to hostname handling (Closes: 685502)

 -- Dominic Hargreaves <dom@earth.li>  Sun, 16 Dec 2012 14:08:31 +0000

request-tracker4 (4.0.7-3) unstable; urgency=low

  * Cherry-pick fix from 4.0.8 fixing duplicate transaction creation
    bug (Closes: #691701)
  * Remove unused code which uses Digest::SHA1 which in turn has been
    removed from Debian (Closes: #694484)

 -- Dominic Hargreaves <dom@earth.li>  Mon, 10 Dec 2012 14:13:24 +0000

request-tracker4 (4.0.7-2) unstable; urgency=high

  * Multiple security fixes for:
    - Email header injection attack (CVE-2012-4730)
    - Missing rights checking for Articles (CVE-2012-4731)
    - CSRF protection allows attack on bookmarks (CVE-2012-4732)
    - Confused deputy attack for non-logged-in users (CVE-2012-4734)
    - Multiple message signing/encryption attacks related to GnuPG
      (CVE-2012-4735)
    - Arbitrary command-line argument injection to GnuPG (CVE-2012-4884)

 -- Dominic Hargreaves <dom@earth.li>  Tue, 23 Oct 2012 10:58:58 +0100

request-tracker4 (4.0.7-1) unstable; urgency=low

  * In debian/config, fall back to using plain 'hostname' if
    'hostname -f' does not work. Thanks to Daniel Baumann
    (Closes: #685502)
  * New upstream release
  * Add missing dependency on libipc-run-perl (versioned to 0.90 following
    upstream dependencies)

 -- Dominic Hargreaves <dom@earth.li>  Mon, 15 Oct 2012 18:23:39 +0100

request-tracker4 (4.0.6-4) unstable; urgency=low

  * Remove recommendation of libapache2-mod-fastcgi since this is
    non-free (Closes: #682133)
  * Remove cron job during package purge (Closes: #682186)

 -- Dominic Hargreaves <dom@earth.li>  Fri, 17 Aug 2012 19:54:42 +0100

request-tracker4 (4.0.6-3) unstable; urgency=high

  * Fix broken regex character range that results in failed installs;
    thanks to Carl Fürstenber (Closes: #678239)
  * Urgency high due to RC bug fix

 -- Dominic Hargreaves <dom@earth.li>  Thu, 21 Jun 2012 22:28:11 +0100

request-tracker4 (4.0.6-2) unstable; urgency=low

  * update-rt-siteconfig: Allow inclusion of files with capital letters
    and underscores in their name (Closes: #674409)

 -- Dominic Hargreaves <dom@earth.li>  Sun, 03 Jun 2012 17:50:50 +0100

request-tracker4 (4.0.6-1) unstable; urgency=low

  * Provide specific instructions for restarting a mod_perl based
    Apache server
  * New upstream release
    - update dependencies
    - add NEWS items
    - apply database upgrades
  * Update mod_fcgid config to allow large attachments
  * Fix debian/copyright syntax (thanks, Lintian)

 -- Dominic Hargreaves <dom@earth.li>  Sun, 27 May 2012 18:24:26 +0100

request-tracker4 (4.0.5-3) unstable; urgency=high

  [ Dmitry Smirnov ]
  * debian/copyright update
  * added missing 'libfcgi-perl' dependency to 'rt4-fcgi'
  * debian/rt4-fcgi.init: fixed 'status' function

  [ Dominic Hargreaves ]
  * Multiple security fixes for:
    - XSS vulnerabilities (CVE-2011-2083)
    - information disclosure vulnerabilities including password hash
      exposure and correspondence disclosure to privileged users
      (CVE-2011-2084)
    - CSRF vulnerabilities allowing information disclosure,
      privilege escalation, and arbitrary code execution. Original
      behaviour may be restored by setting $RestrictReferrer to 0 for
      installations which rely on it (CVE-2011-2085)
    - remote code execution vulnerabilities including in VERP
      functionality (CVE-2011-4458)
  * Add vulnerable-password and clean-user-txns scripts to accompany
    above fixes, and run in postinst

 -- Dominic Hargreaves <dom@earth.li>  Sat, 19 May 2012 22:30:27 +0100

request-tracker4 (4.0.5-2) unstable; urgency=low

  * Improve rt4-fcgi description to clarify that it's only required
    where an external FCGI process is needed, and that it's not
    nginx specific
  * Add Dutch debconf translation (Closes: #661101)
  * Create cron job world-readable during new installations
    (Closes: #660867)
  * Correctly remove all conffiles during purge (Closes: #668451)
  * Remove references to obsolete /etc/apache2/conf.d (see #669774)
  * Update Standards-Version (no changes)

 -- Dominic Hargreaves <dom@earth.li>  Sun, 22 Apr 2012 14:58:39 +0100

request-tracker4 (4.0.5-1) unstable; urgency=low

  * New upstream release
  * Remove no longer needed libhtml-parser-perl dependency
  * Remove patch 67_restore_database_disconnection_state, integrated
    upstream

 -- Dominic Hargreaves <dom@earth.li>  Sun, 05 Feb 2012 22:48:38 +0000

request-tracker4 (4.0.4-3) unstable; urgency=low

  [ Dmitry Smirnov ]
  * debian/copyright
    + updated to DEP-5
    + corrected source URL
    + added copyrights of debian contributors
    - removed Perl copyright paragraph
  * debian/watch is updated
  * new rt4-fcgi package and sample nginx configuration
  * debian/control:
    + request-tracker4 depend either on rt4-apache2 or on rt4-fcgi

 -- Dominic Hargreaves <dom@earth.li>  Thu, 26 Jan 2012 19:59:23 +0000

request-tracker4 (4.0.4-2) unstable; urgency=low

  * Add Recommends on all Apache-related modules; although any one can
    be used to produce a working configuration, installing them all will
    result in less confusion (LP: #769765)
  * Restore database disconnection state after successful safe_run_child;
    fixes problems with mod_perl + PostgreSQL + mod_ssl. Thanks to
    Alex Vandiver (Closes: #632129)

 -- Dominic Hargreaves <dom@earth.li>  Mon, 02 Jan 2012 15:05:48 +0000

request-tracker4 (4.0.4-1) unstable; urgency=low

  * New upstream release
  * Don't hard-code the DBA user in rt-setup-fulltext-index
    (Closes: #644093)

 -- Dominic Hargreaves <dom@earth.li>  Thu, 10 Nov 2011 23:02:28 +0000

request-tracker4 (4.0.2-1) unstable; urgency=low

  * Include Homepage in debian/control (Closes: #631668)
  * Don't hard-code the DBA user in rt-setup-database (Closes: #637215)
  * Improve reference to upstream documentation
  * New upstream release
  * Remove dependency on libjavascript-minifier-perl, no longer used 

 -- Dominic Hargreaves <dom@earth.li>  Wed, 17 Aug 2011 22:53:39 +0100

request-tracker4 (4.0.1-1) unstable; urgency=low

  * New upstream release
  * Tidy up obsolete strings from Debconf translations
  * Add Danish debconf translation (from: #631304)
  * Add build-arch and build-indep targets to debian/rules
    (thanks, Lintian)
  * Move po-debconf from Build-Depends-Indep to Build-Depends
    (thanks, Lintian)
  * Correct name of cron.d file from request-tracker40 to request-tracker4

 -- Dominic Hargreaves <dom@earth.li>  Fri, 24 Jun 2011 19:48:24 +0100

request-tracker4 (4.0.1~rc2-1) experimental; urgency=low

  * New upstream release candidate

 -- Dominic Hargreaves <dom@earth.li>  Tue, 14 Jun 2011 20:51:13 +0100

request-tracker4 (4.0.1~rc1-2) experimental; urgency=low

  * Ignore quilt .pc files when backing up generated files;
    fixes FTBFS under some circumstances (Closes: #628901)

 -- Dominic Hargreaves <dom@earth.li>  Sun, 05 Jun 2011 15:41:32 +0100

request-tracker4 (4.0.1~rc1-1) experimental; urgency=low

  * Initial release with packaging taken from request-tracker3.8
    3.8.8-6 (Closes: #605103)
    - rebase/drop various patches
    - install new scripts
    - update documentation
    - remove support for SpeedyCGI
    - update example Apache configurations
    - update dependencies
    - remove some old upgrade utility scripts
  * Correct name of file in cron.d to one which will be run by cron
  * Remove completely misleading documentation from NOTES.Debian
    relating to migrating between SQLite and other databases
  * Bump Standards-Version (no changes)
  * Include BSD license text in debian/copyright (thanks, Lintian)

 -- Dominic Hargreaves <dom@earth.li>  Sun, 29 May 2011 13:01:30 +0100
