Version in base suite: 4.4.6+dfsg-1.1+deb12u3 Base version: request-tracker4_4.4.6+dfsg-1.1+deb12u3 Target version: request-tracker4_4.4.6+dfsg-1.1+deb12u4 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/request-tracker4/request-tracker4_4.4.6+dfsg-1.1+deb12u3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/request-tracker4/request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc .git-dpm | 4 changelog | 36 +++ patches/0021-Debian-provides-the-Mozilla-CAs-in-the-ca-certificat.patch | 2 patches/Switch-to-Test-MockTime-HiRes-in-date-api-test.diff | 4 patches/Update-tests-for-EN-datetime-locale-change-to-space.diff | 2 patches/assettracker-sysgroups.diff | 2 patches/debianize_UPGRADING-4.2.diff | 2 patches/debianize_backup_docs.diff | 2 patches/debianize_docs_local.diff | 6 patches/debianize_version.diff | 4 patches/disable-test-smime-realmail.diff | 2 patches/fcgi_client_sigpipe.diff | 4 patches/fix_Attachement_Download.diff | 34 +++ patches/fix_AuthToken_1.diff | 95 ++++++++++ patches/fix_AuthToken_2.diff | 54 +++++ patches/fix_AuthToken_3.diff | 47 ++++ patches/fix_AuthToken_4.diff | 49 +++++ patches/fix_AuthToken_5.diff | 37 +++ patches/fix_CVE-2024-3262.diff | 8 patches/fix_CVE-2024-3262_2.diff | 6 patches/fix_CVE-2026-41073.diff | 34 +++ patches/fix_CVE-2026-41075.diff | 35 +++ patches/fix_CVE-2026-41076.diff | 29 +++ patches/fix_CVE-2026-6841.diff | 55 +++++ patches/fix_Disable_RSS_and_iCal.diff | 79 ++++++++ patches/fix_Disable_RSS_and_iCal_menu.diff | 71 +++++++ patches/fix_expired_certs.dif | 40 ++-- patches/fix_lintian_privacy_break_logo_error.diff | 2 patches/fix_pod_rt_munge_attachments.diff | 2 patches/fix_shebang_upgrade_mysql_schema.diff | 2 patches/fix_test_ldap_ipv4.diff | 24 +- patches/fonts_use_noto_sans.diff | 2 patches/layout.diff | 2 patches/load_rt_generated.diff | 2 patches/no_test_web_installer.diff | 2 patches/no_testdeps.diff | 2 patches/rt_setup_database_upgrade_basedir.diff | 2 patches/rt_test_db_type.diff | 2 patches/series | 13 
+ patches/sitemodules.diff | 2 patches/test_locale.diff | 2 patches/upstream_4.4.6_cve:_patchset_2023-09-26-tests.diff | 10 - patches/upstream_4.4.6_cve:_patchset_2023-09-26.diff | 8 patches/upstream_4.4.6_cve:_patchset_2025-04-08-RT_Config.diff | 73 +++++++ patches/upstream_4.4.6_cve:_patchset_2025-04-08.diff | 18 - patches/upstream_4.4.6_cve:_patchset_2025-04-11.diff | 2 patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff | 2 patches/use_cpanel_json_xs.diff | 2 48 files changed, 830 insertions(+), 89 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptr_l587f/request-tracker4_4.4.6+dfsg-1.1+deb12u3.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptr_l587f/request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc: no acceptable signature found diff -Nru request-tracker4-4.4.6+dfsg/debian/.git-dpm request-tracker4-4.4.6+dfsg/debian/.git-dpm --- request-tracker4-4.4.6+dfsg/debian/.git-dpm 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/.git-dpm 2026-06-05 08:53:01.000000000 +0000 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -45fb0940803c3c233ea44e246b2340d9198a48ca -45fb0940803c3c233ea44e246b2340d9198a48ca +f26dc2b8122ba231b98bb26b3f845ef09b4bc6e8 +f26dc2b8122ba231b98bb26b3f845ef09b4bc6e8 55d7d688b083f85df5b32d685ea4c2d6a4341705 55d7d688b083f85df5b32d685ea4c2d6a4341705 request-tracker4_4.4.6+dfsg.orig.tar.gz diff -Nru request-tracker4-4.4.6+dfsg/debian/changelog request-tracker4-4.4.6+dfsg/debian/changelog --- request-tracker4-4.4.6+dfsg/debian/changelog 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/changelog 2026-06-05 08:53:01.000000000 +0000 
@@ -1,3 +1,39 @@ +request-tracker4 (4.4.6+dfsg-1.1+deb12u4) bookworm-security; urgency=medium + + * Include missing default configuration items for security vulnerability + fixes included in 4.4.6+dfsg-1.1+deb12u2. Namely: RestrictLinkDomains and + Cipher in %SMIME. + * Apply upstream patch which fixes several security vulnerabilities: + - [CVE-2026-6841] Reflected cross-site scripting via the search "Page" URL + parameter. + - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values + that are exported to a spreadsheet from search results. User-controlled + data is not sanitized before being written to the output file, which can + cause spreadsheet applications such as Microsoft Excel to interpret + crafted values as formulas or macros when the file is opened. + - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in JSON + search. An authenticated user can craft input that is incorporated into + database queries without proper validation, potentially allowing them to + read or modify data in the RT database. + - [CVE-2026-41076] LDAP authentication bypass when RT is configured to + authenticate users against an LDAP or Active Directory server. Under + certain LDAP server configurations, an attacker may be able to + authenticate as any LDAP-backed RT user without supplying valid + credentials. + - [CVE-2026-44229] Cross-site scripting via uploaded content that is served + inline rather than as an attachment. + - [CVE-2026-44231] Privilege escalation and information disclosure via the + REST 2.0 user collection endpoint. A Privileged RT user can obtain + authentication credentials belonging to other users, including + administrators, and use those credentials to read data via RT's RSS and + iCal feed endpoints. The same request that exposes the credentials also + rotates them, which invalidates previously-distributed feed URLs across + the instance. 
+ This vulnerability is likely only possible in RT4 if the + RT::Extension::REST2 extension is installed. + + -- Andrew Ruthven Fri, 05 Jun 2026 20:53:01 +1200 + request-tracker4 (4.4.6+dfsg-1.1+deb12u3) bookworm-security; urgency=medium * Apply upstream patch which fixes a security vulnerability. diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/0021-Debian-provides-the-Mozilla-CAs-in-the-ca-certificat.patch request-tracker4-4.4.6+dfsg/debian/patches/0021-Debian-provides-the-Mozilla-CAs-in-the-ca-certificat.patch --- request-tracker4-4.4.6+dfsg/debian/patches/0021-Debian-provides-the-Mozilla-CAs-in-the-ca-certificat.patch 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/0021-Debian-provides-the-Mozilla-CAs-in-the-ca-certificat.patch 2026-06-05 08:53:01.000000000 +0000 @@ -9,7 +9,7 @@ 1 file changed, 1 deletion(-) diff --git a/sbin/rt-test-dependencies.in b/sbin/rt-test-dependencies.in -index 941af783..ff1ff755 100644 +index 941af7834d..ff1ff755ed 100644 --- a/sbin/rt-test-dependencies.in +++ b/sbin/rt-test-dependencies.in @@ -204,7 +204,6 @@ $deps{'MAILGATE'} = [ text_to_hash( << '.') ]; diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/Switch-to-Test-MockTime-HiRes-in-date-api-test.diff request-tracker4-4.4.6+dfsg/debian/patches/Switch-to-Test-MockTime-HiRes-in-date-api-test.diff --- request-tracker4-4.4.6+dfsg/debian/patches/Switch-to-Test-MockTime-HiRes-in-date-api-test.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/Switch-to-Test-MockTime-HiRes-in-date-api-test.diff 2026-06-05 08:53:01.000000000 +0000 @@ -24,7 +24,7 @@ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/sbin/rt-test-dependencies.in b/sbin/rt-test-dependencies.in -index ff1ff755..dcb1554b 100644 +index ff1ff755ed..dcb1554b46 100644 --- a/sbin/rt-test-dependencies.in +++ b/sbin/rt-test-dependencies.in @@ -234,6 +234,7 @@ Test::Email @@ -36,7 +36,7 @@ Test::Pod Test::Warn 
diff --git a/t/api/date.t b/t/api/date.t -index 19a0a015..f97484f8 100644 +index 19a0a01532..f97484f800 100644 --- a/t/api/date.t +++ b/t/api/date.t @@ -1,5 +1,5 @@ diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/Update-tests-for-EN-datetime-locale-change-to-space.diff request-tracker4-4.4.6+dfsg/debian/patches/Update-tests-for-EN-datetime-locale-change-to-space.diff --- request-tracker4-4.4.6+dfsg/debian/patches/Update-tests-for-EN-datetime-locale-change-to-space.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/Update-tests-for-EN-datetime-locale-change-to-space.diff 2026-06-05 08:53:01.000000000 +0000 @@ -20,7 +20,7 @@ 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/t/api/date.t b/t/api/date.t -index f97484f8..7f7ecd70 100644 +index f97484f800..7f7ecd7016 100644 --- a/t/api/date.t +++ b/t/api/date.t @@ -81,6 +81,11 @@ my $current_user; diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/assettracker-sysgroups.diff request-tracker4-4.4.6+dfsg/debian/patches/assettracker-sysgroups.diff --- request-tracker4-4.4.6+dfsg/debian/patches/assettracker-sysgroups.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/assettracker-sysgroups.diff 2026-06-05 08:53:01.000000000 +0000 @@ -17,7 +17,7 @@ diff --git a/etc/upgrade/4.1.0/schema.SQLite b/etc/upgrade/4.1.0/schema.SQLite new file mode 100644 -index 00000000..b38fded5 +index 0000000000..b38fded53f --- /dev/null +++ b/etc/upgrade/4.1.0/schema.SQLite @@ -0,0 +1,3 @@ diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/debianize_UPGRADING-4.2.diff request-tracker4-4.4.6+dfsg/debian/patches/debianize_UPGRADING-4.2.diff --- request-tracker4-4.4.6+dfsg/debian/patches/debianize_UPGRADING-4.2.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/debianize_UPGRADING-4.2.diff 2026-06-05 08:53:01.000000000 +0000 @@ -10,7 +10,7 @@ 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/UPGRADING-4.2 b/docs/UPGRADING-4.2 -index 45a000e8..9c144536 100644 +index 45a000e876..9c14453612 100644 --- a/docs/UPGRADING-4.2 +++ b/docs/UPGRADING-4.2 @@ -107,7 +107,7 @@ extra transactions, and keeping the summed time spent consistent. diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/debianize_backup_docs.diff request-tracker4-4.4.6+dfsg/debian/patches/debianize_backup_docs.diff --- request-tracker4-4.4.6+dfsg/debian/patches/debianize_backup_docs.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/debianize_backup_docs.diff 2026-06-05 08:53:01.000000000 +0000 @@ -10,7 +10,7 @@ 1 file changed, 31 insertions(+), 12 deletions(-) diff --git a/docs/system_administration/database.pod b/docs/system_administration/database.pod -index 43fbf753..9c197028 100644 +index 43fbf753f6..9c197028b0 100644 --- a/docs/system_administration/database.pod +++ b/docs/system_administration/database.pod @@ -25,6 +25,13 @@ become an issue. You don't want to discover problems with your backups while diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/debianize_docs_local.diff request-tracker4-4.4.6+dfsg/debian/patches/debianize_docs_local.diff --- request-tracker4-4.4.6+dfsg/debian/patches/debianize_docs_local.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/debianize_docs_local.diff 2026-06-05 08:53:01.000000000 +0000 @@ -12,7 +12,7 @@ 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/customizing/styling_rt.pod b/docs/customizing/styling_rt.pod -index 80687a43..1eead153 100644 +index 80687a4378..1eead153e4 100644 --- a/docs/customizing/styling_rt.pod +++ b/docs/customizing/styling_rt.pod @@ -93,7 +93,7 @@ default CSS styles, via the C<@CSSFiles> configuration option. To add @@ -36,7 +36,7 @@ $ mkdir -p local/html/NoAuth/css/localstyle $ cp -R share/html/NoAuth/css/rudder/* local/html/NoAuth/css/localstyle/ 
diff --git a/docs/extending/clickable_links.pod b/docs/extending/clickable_links.pod -index d52ea599..89a744ad 100644 +index d52ea59965..89a744ad41 100644 --- a/docs/extending/clickable_links.pod +++ b/docs/extending/clickable_links.pod @@ -54,7 +54,7 @@ arbitrary HTML. @@ -58,7 +58,7 @@ <%ARGS> diff --git a/docs/initialdata.pod b/docs/initialdata.pod -index f862fde7..eaf0181c 100644 +index f862fde79c..eaf0181c59 100644 --- a/docs/initialdata.pod +++ b/docs/initialdata.pod @@ -24,7 +24,7 @@ of one another while the top level initialdata file is for fresh RT installs. diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/debianize_version.diff request-tracker4-4.4.6+dfsg/debian/patches/debianize_version.diff --- request-tracker4-4.4.6+dfsg/debian/patches/debianize_version.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/debianize_version.diff 2026-06-05 08:53:01.000000000 +0000 @@ -13,7 +13,7 @@ 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac -index 22fd18a1..64096c27 100755 +index 22fd18a176..64096c27a5 100755 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl Process this file with autoconf to produce a configure script @@ -41,7 +41,7 @@ test "x$rt_version_minor" = 'x' && rt_version_minor=0 test "x$rt_version_patch" = 'x' && rt_version_patch=0 diff --git a/share/html/Elements/Footer b/share/html/Elements/Footer -index d78d5dac..67b688e7 100644 +index d78d5dacd2..67b688e725 100644 --- a/share/html/Elements/Footer +++ b/share/html/Elements/Footer @@ -53,7 +53,7 @@ diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/disable-test-smime-realmail.diff request-tracker4-4.4.6+dfsg/debian/patches/disable-test-smime-realmail.diff --- request-tracker4-4.4.6+dfsg/debian/patches/disable-test-smime-realmail.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/disable-test-smime-realmail.diff 2026-06-05 08:53:01.000000000 +0000 
@@ -13,7 +13,7 @@ 1 file changed, 3 insertions(+) diff --git a/t/mail/smime/realmail.t b/t/mail/smime/realmail.t -index 6676de5f..8abafd88 100644 +index 6676de5f2e..8abafd8821 100644 --- a/t/mail/smime/realmail.t +++ b/t/mail/smime/realmail.t @@ -4,6 +4,9 @@ use warnings; diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fcgi_client_sigpipe.diff request-tracker4-4.4.6+dfsg/debian/patches/fcgi_client_sigpipe.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fcgi_client_sigpipe.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fcgi_client_sigpipe.diff 2026-06-05 08:53:01.000000000 +0000 @@ -17,7 +17,7 @@ 2 files changed, 6 insertions(+) diff --git a/sbin/rt-server.fcgi b/sbin/rt-server.fcgi -index c91c7118..4c7f2a51 100755 +index c91c711844..4c7f2a5115 100755 --- a/sbin/rt-server.fcgi +++ b/sbin/rt-server.fcgi @@ -159,6 +159,9 @@ $SIG{INT} = sub { @@ -31,7 +31,7 @@ __END__ diff --git a/sbin/rt-server.in b/sbin/rt-server.in -index 871b66c6..56a93a15 100644 +index 871b66c6c8..56a93a15c5 100644 --- a/sbin/rt-server.in +++ b/sbin/rt-server.in @@ -159,6 +159,9 @@ $SIG{INT} = sub { diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_Attachement_Download.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_Attachement_Download.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_Attachement_Download.diff 1970-01-01 00:00:00.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_Attachement_Download.diff 2026-06-05 08:53:01.000000000 +0000 
@@ -0,0 +1,34 @@ +From 274d01944b0e0514252a3d8ad3737eb8ca4a4023 Mon Sep 17 00:00:00 2001 +From: sunnavy +Date: Mon, 27 Apr 2026 13:17:59 -0400 +Subject: Avoid potential XSS for custom field value download endpoints + +This follows the same logic as the attachment download endpoint. + +Patch-Name: fix_Attachement_Download.diff +Applied-Upstream: 5.0.10, commit: ecdb229b38206888401655974d0aec153640eb59 +Origin: vendor +Forwarded: not-needed +--- + share/html/Download/CustomFieldValue/dhandler | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/share/html/Download/CustomFieldValue/dhandler b/share/html/Download/CustomFieldValue/dhandler +index 5099299531..188dfdf140 100644 +--- a/share/html/Download/CustomFieldValue/dhandler ++++ b/share/html/Download/CustomFieldValue/dhandler +@@ -65,11 +65,12 @@ Abort( loc('Permission Denied'), Code => HTTP::Status::HTTP_FORBIDDEN ) unless $ + + my $content_type = $OCFV->ContentType || 'text/plain; charset=utf-8'; + +-if (RT->Config->Get('AlwaysDownloadAttachments')) { ++if (RT->Config->Get('AlwaysDownloadAttachments') || $content_type =~ m{^(image/svg\+xml|application/pdf)}i) { + $r->headers_out->{'Content-Disposition'} = "attachment"; + } + elsif (!RT->Config->Get('TrustHTMLAttachments')) { +- $content_type = 'text/plain; charset=utf-8' if ($content_type =~ /^text\/html/i); ++ $content_type = 'text/plain; charset=utf-8' ++ if $content_type =~ m{^(text/html|application/xhtml\+xml|text/xml|application/xml)}i; + } + + $r->headers_out->{'X-Content-Type-Options'} = 'nosniff' if RT->Config->Get('StrictContentTypes'); diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_1.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_1.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_1.diff 1970-01-01 00:00:00.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_1.diff 2026-06-05 08:53:01.000000000 +0000 
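Review bot: The two content-type checks added to `share/html/Download/CustomFieldValue/dhandler` are deny-lists of exact type names, so any other browser-renderable type stored in `$OCFV->ContentType` is still served inline. Browsers generally treat every `+xml` subtype as an XML document, so matching the suffix in the `TrustHTMLAttachments` branch would be more robust than enumerating names, e.g. `if $content_type =~ m{^(text/html|text/xml|application/xml|[^;\s]+\+xml)}i;`. The `X-Content-Type-Options: nosniff` header on the last context line remains conditional on `StrictContentTypes`, and whether that option is enabled by default is not visible here. The description says this follows the attachment download endpoint, so if that endpoint carries the same list (not shown), both would be better served by one shared definition.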
@@ -0,0 +1,95 @@ +From cc083a3e9cf874b19e28c426a8e7679e57c32e62 Mon Sep 17 00:00:00 2001 +From: Jim Brandt +Date: Thu, 30 Apr 2026 10:40:12 -0400 +Subject: Return false for no user AuthToken with no side-effects + +The AuthToken getter method in RT::User was originally designed to +always return a value. This made it behave as a non-standard getter +which led to problems when it was called in a standard way, namely +that it would create and return a token if one didn't exist. Worse, +if the current user didn't have rights to see the token, it would +seem it didn't exist and a new token would be generated and returned. + +Make AuthToken behave like a normal getter, returning the value if +the caller has rights, and returning undef if the user does not have +rights or if there is no value. + +Since AuthToken doesn't accept a value for setter mode like other +methods, add a warning if a value is passed in. + +GenerateAuthString relied on this auto-create behavior. Move this to +that method so it is explicit when needed. This makes it more obvious +since it is in a "Generate" method. + +Patch-Name: fix_AuthToken_1.diff +Applied-Upstream: 5.0.10, commit: 5e35133b90303c7517b82de7c57cdb891ee61400 +Origin: vendor +Forwarded: not-needed +--- + lib/RT/User.pm | 40 +++++++++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +diff --git a/lib/RT/User.pm b/lib/RT/User.pm +index 718b24f8fa..f1205d0c14 100644 +--- a/lib/RT/User.pm ++++ b/lib/RT/User.pm +@@ -1344,28 +1344,19 @@ sub CurrentUserRequireToSetPassword { + + =head3 AuthToken + +-Returns an authentication string associated with the user. This +-string can be used to generate passwordless URLs to integrate +-RT with services and programms like callendar managers, rss +-readers and other. ++Returns the authentication string associated with the user, or undef ++if no token has been generated or the current user is not allowed to ++see it. 
This string is used to sign passwordless RSS and iCal feed ++URLs and CSRF tokens via L. + + =cut + + sub AuthToken { + my $self = shift; +- my $secret = $self->_Value( AuthToken => @_ ); +- return $secret if $secret; +- +- $secret = substr(Digest::MD5::md5_hex(time . {} . rand()),0,16); +- +- my $tmp = RT::User->new( RT->SystemUser ); +- $tmp->Load( $self->id ); +- my ($status, $msg) = $tmp->SetAuthToken( $secret ); +- unless ( $status ) { +- $RT::Logger->error( "Couldn't set auth token: $msg" ); +- return undef; ++ if (@_) { ++ RT->Logger->warning("AuthToken() called with arguments; ignored. Use SetAuthToken to change the token."); + } +- return $secret; ++ return $self->_Value('AuthToken'); + } + + =head3 GenerateAuthToken +@@ -1391,7 +1382,22 @@ sub GenerateAuthString { + my $self = shift; + my $protect = shift; + +- my $str = Encode::encode( "UTF-8", $self->AuthToken . $protect ); ++ my $token = $self->_Value('AuthToken'); ++ unless ($token) { ++ # Mint on demand via SystemUser: signing RSS/iCal/CSRF URLs is a ++ # system action, but ModifySelf isn't granted to Privileged users ++ # by default, so SetAuthToken under the current user would fail. ++ $token = substr(Digest::MD5::md5_hex(time . {} . rand()), 0, 16); ++ my $writer = RT::User->new( RT->SystemUser ); ++ $writer->Load( $self->id ); ++ my ($ok, $msg) = $writer->SetAuthToken($token); ++ unless ($ok) { ++ $RT::Logger->error("Couldn't set auth token: $msg"); ++ return; ++ } ++ } ++ ++ my $str = Encode::encode( "UTF-8", $token . $protect ); + + return substr(Digest::MD5::md5_hex($str),0,16); + } diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_2.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_2.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_2.diff 1970-01-01 00:00:00.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_2.diff 2026-06-05 08:53:01.000000000 +0000 
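Review bot: The token minted in the new `GenerateAuthString` branch comes from `substr(Digest::MD5::md5_hex(time . {} . rand()), 0, 16)`, i.e. the clock, a reference address and Perl's non-cryptographic `rand()`, cut to 64 bits. Since the patch description says this value signs passwordless RSS/iCal URLs and CSRF tokens, it should be drawn from a cryptographically secure source instead. The expression is carried over from the removed `AuthToken` body, so the weakness is pre-existing, but moving the code was the natural point to replace it or at least record it, e.g. `# NOTE: not a CSPRNG; token predictability bounds feed-URL security`. Two requests that both find no token will each store a different one, after which the URL signed with the first no longer validates; re-reading the stored value after `SetAuthToken` would narrow that window. The `sub GenerateAuthString {` line is visible only in the hunk header.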
@@ -0,0 +1,54 @@ +From 8740d2c0020ff0fcc4586ff227b41e9e2ad3f20b Mon Sep 17 00:00:00 2001 +From: Jim Brandt +Date: Thu, 30 Apr 2026 12:02:20 -0400 +Subject: Reject AuthString validation when no AuthToken is stored + +Previously ValidateAuthString called $self->AuthToken, which under +the old auto-create behavior always returned a non-empty string. +With AuthToken now a pure getter (058b12db97), it returns undef when +no token has been generated, and undef stringifies to "" in the hash +input. Validation would then succeed against md5_hex($protected), +a value an attacker can precompute, authenticating as any user who +has not yet had a token created. + +Always compute the candidate hash and run constant_time_eq, then +gate the result on whether a token was actually stored. This both +eliminates the precomputable hash and equalizes timing between the +"no token" and "stored token but wrong signature" paths, so the +existence of a stored AuthToken cannot be probed via response +timing. + +Patch-Name: fix_AuthToken_2.diff +Applied-Upstream: 5.0.10, commit: b2ebecec307fb7a3ae1cf17b8728fae4f3457d7e +Origin: vendor +Forwarded: not-needed +--- + lib/RT/User.pm | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/lib/RT/User.pm b/lib/RT/User.pm +index f1205d0c14..6c384afb25 100644 +--- a/lib/RT/User.pm ++++ b/lib/RT/User.pm +@@ -1414,10 +1414,19 @@ sub ValidateAuthString { + my $auth_string_to_validate = shift; + my $protected = shift; + +- my $str = Encode::encode( "UTF-8", $self->AuthToken . $protected ); ++ # Always compute the hash and run the constant-time compare so the ++ # "no stored token" path looks like a regular failed validation rather ++ # than returning a precomputable md5_hex($protected) or short-circuiting ++ # on a measurable timing differential. ++ my $token = $self->_Value('AuthToken'); ++ my $has_token = defined $token && length $token; ++ $token //= ''; ++ ++ my $str = Encode::encode( "UTF-8", $token . 
$protected ); + my $valid_auth_string = substr(Digest::MD5::md5_hex($str),0,16); + +- return RT::Util::constant_time_eq( $auth_string_to_validate, $valid_auth_string ); ++ my $eq = RT::Util::constant_time_eq( $auth_string_to_validate, $valid_auth_string ); ++ return $has_token && $eq; + } + + =head2 SetDisabled diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_3.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_3.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_3.diff 1970-01-01 00:00:00.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_3.diff 2026-06-05 08:53:01.000000000 +0000 
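Review bot: Nothing in the header of `fix_AuthToken_2.diff` records that it is a mandatory companion to `fix_AuthToken_1.diff`, although its own description states that with only the getter change applied `ValidateAuthString` accepts a value computed from `$protected` alone for any user without a stored token. Anyone cherry-picking from this series needs that stated, and a description line such as `Must be applied together with fix_AuthToken_1.diff.` would do. The description also cites the getter change as `058b12db97`, which matches neither the `From` hash nor the `Applied-Upstream` commit given in `fix_AuthToken_1.diff`, so the reference cannot be followed from this upload. The start of `ValidateAuthString` lies outside the hunk.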
@@ -0,0 +1,47 @@ +From c75ccbb59d1a7c612246ef1fe7c7d51c19a1aa92 Mon Sep 17 00:00:00 2001 +From: Jim Brandt +Date: Thu, 30 Apr 2026 13:22:54 -0400 +Subject: Use default DBIx::SearchBuilder getter for AuthToken + +After the changes to remove the custom auto-create behavior +for the AuthToken method, the remaining version was doing the +same thing DBIx::SearchBuilder does by default. Since there is no +reason for the custom method, remove it and allow it to fall back +to default behavior. + +Patch-Name: fix_AuthToken_3.diff +Applied-Upstream: 5.0.10, commit: d4c1f75941aeb54e39be62e5811045aa7a5cb29d +Origin: vendor +Forwarded: not-needed +--- + lib/RT/User.pm | 17 ----------------- + 1 file changed, 17 deletions(-) + +diff --git a/lib/RT/User.pm b/lib/RT/User.pm +index 6c384afb25..08f70e4f50 100644 +--- a/lib/RT/User.pm ++++ b/lib/RT/User.pm +@@ -1342,23 +1342,6 @@ sub CurrentUserRequireToSetPassword { + return %res; + } + +-=head3 AuthToken +- +-Returns the authentication string associated with the user, or undef +-if no token has been generated or the current user is not allowed to +-see it. This string is used to sign passwordless RSS and iCal feed +-URLs and CSRF tokens via L. +- +-=cut +- +-sub AuthToken { +- my $self = shift; +- if (@_) { +- RT->Logger->warning("AuthToken() called with arguments; ignored. Use SetAuthToken to change the token."); +- } +- return $self->_Value('AuthToken'); +-} +- + =head3 GenerateAuthToken + + Generate a random authentication string for the user. diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_4.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_4.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_4.diff 1970-01-01 00:00:00.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_4.diff 2026-06-05 08:53:01.000000000 +0000 
@@ -0,0 +1,49 @@ +From 4850bf83c860add53ee0ff0b30d95e74344d54ba Mon Sep 17 00:00:00 2001 +From: Jim Brandt +Date: Thu, 30 Apr 2026 14:07:57 -0400 +Subject: Update AuthToken access configuration to restrict read and write + +In the RT web UI, SuperUsers have no way to read the RSS AuthToken +of a user, so it's not necessary to provide it via any other +interface. Update the read flag to 0 to enforce this restriction. + +Internally, RT generates the AuthToken value that is set. It should +never be set by a caller from the published method, so remove it from +the standard list of writable methods in RT::User. + +Patch-Name: fix_AuthToken_4.diff +Applied-Upstream: 5.0.10, commit: 79b2cae3757fc1714a392f198c3252358a251ef5 +Origin: vendor +Forwarded: not-needed +--- + lib/RT/User.pm | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/lib/RT/User.pm b/lib/RT/User.pm +index 08f70e4f50..2347caf096 100644 +--- a/lib/RT/User.pm ++++ b/lib/RT/User.pm +@@ -93,6 +93,7 @@ sub _OverlayAccessible { + + Name => { public => 1, admin => 1 }, # loc_left_pair + Password => { read => 0 }, ++ AuthToken => { read => 0 }, + EmailAddress => { public => 1 }, # loc_left_pair + Organization => { public => 1, admin => 1 }, # loc_left_pair + RealName => { public => 1 }, # loc_left_pair +@@ -106,6 +107,15 @@ sub _OverlayAccessible { + } + } + ++# AuthToken is settable internally (GenerateAuthToken / GenerateAuthString / ++# SetCanonicalUserInfo go through SetAuthToken), but no client-facing entry ++# point should let a caller write it directly. Drop it from the allow-list ++# used by REST 2 update_record, the web UI autocreate path, and rt-config. 
++sub WritableAttributes { ++ my $self = shift; ++ return grep { $_ ne 'AuthToken' } $self->SUPER::WritableAttributes(@_); ++} ++ + + + =head2 Create { PARAMHASH } diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_5.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_5.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_5.diff 1970-01-01 00:00:00.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_AuthToken_5.diff 2026-06-05 08:53:01.000000000 +0000 
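Review bot: The `WritableAttributes` override added to `lib/RT/User.pm` is documented only by a `#` comment, while the methods visible elsewhere in this series carry POD (`=head3 AuthToken`, `=head3 GenerateAuthToken`). A short `=head2 WritableAttributes` block stating that it returns the inherited list with `AuthToken` removed, and that `SetAuthToken` remains callable for internal use, would make the restriction visible to extension authors. The override returns the result of `grep`, so a scalar-context caller receives a count; whether the inherited method behaves the same way is not visible here. No test in this patch asserts that `AuthToken` is absent from the list or unreadable through the generic accessor, which is the property the change exists to guarantee.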
@@ -0,0 +1,37 @@ +From 57e4d969a84661495e219e2a6bb5b8d7cbafda21 Mon Sep 17 00:00:00 2001 +From: Jim Brandt +Date: Thu, 30 Apr 2026 14:52:57 -0400 +Subject: Catch some classes of invalid auth token strings + +Add an eval to catch some classes of failures when calling +constant_time_eq. + +Patch-Name: fix_AuthToken_5.diff +Applied-Upstream: 5.0.10, commit: ec1235aaf1ce4e3b4025d9ba9fb6dddd3fd61dd2 +Origin: vendor +Forwarded: not-needed +--- + lib/RT/User.pm | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/lib/RT/User.pm b/lib/RT/User.pm +index 2347caf096..77375a9972 100644 +--- a/lib/RT/User.pm ++++ b/lib/RT/User.pm +@@ -1418,7 +1418,15 @@ sub ValidateAuthString { + my $str = Encode::encode( "UTF-8", $token . $protected ); + my $valid_auth_string = substr(Digest::MD5::md5_hex($str),0,16); + +- my $eq = RT::Util::constant_time_eq( $auth_string_to_validate, $valid_auth_string ); ++ # constant_time_eq dies on undef or length mismatch. Catch so the ++ # rss/iCal dhandlers return 404 instead of 500 when callers send a ++ # malformed auth string, and log so the failure isn't silent. ++ my $eq = do { ++ local $@; ++ my $r = eval { RT::Util::constant_time_eq( $auth_string_to_validate, $valid_auth_string ) }; ++ RT->Logger->warning("ValidateAuthString: $@") if $@; ++ $r // 0; ++ }; + return $has_token && $eq; + } + diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2024-3262.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2024-3262.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2024-3262.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2024-3262.diff 2026-06-05 08:53:01.000000000 +0000 @@ -26,7 +26,7 @@ create mode 100644 share/html/Elements/HttpResponseHeaders diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in -index 6b0284dd..c9eb309d 100644 +index 6b0284dd40..c9eb309d72 100644 --- a/etc/RT_Config.pm.in +++ b/etc/RT_Config.pm.in 
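Review bot: The new `eval` wrapper logs `$@` at warning level for every malformed auth string, and per the added comment this path is reached from the rss/iCal dhandlers, which authenticate by URL rather than by session. Any client that can reach those URLs can therefore produce one log entry per request, and if the exception text from `constant_time_eq` includes the supplied value (not visible here) that value reaches the log unescaped. A fixed message at a lower level, e.g. `RT->Logger->info("ValidateAuthString: malformed auth string rejected") if $@;`, keeps the signal without echoing caller-controlled data. The beginning of `ValidateAuthString` is outside the hunk.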
@@ -2750,6 +2750,20 @@ connections. @@ -51,7 +51,7 @@ Default RT's session cookie to not being directly accessible to diff --git a/share/html/Elements/Header b/share/html/Elements/Header -index ad17a431..9281342d 100644 +index ad17a431af..9281342d5e 100644 --- a/share/html/Elements/Header +++ b/share/html/Elements/Header @@ -118,8 +118,7 @@ $lang = $session{'CurrentUser'}->LanguageHandle->language_tag @@ -66,7 +66,7 @@ $id =~ s|^/||g; diff --git a/share/html/Elements/HttpResponseHeaders b/share/html/Elements/HttpResponseHeaders new file mode 100644 -index 00000000..3b452f01 +index 0000000000..3b452f01a1 --- /dev/null +++ b/share/html/Elements/HttpResponseHeaders @@ -0,0 +1,99 @@ @@ -170,7 +170,7 @@ +$MaxAgeSeconds => undef # Time in seconds to allow for cache + diff --git a/share/html/m/_elements/header b/share/html/m/_elements/header -index 0bb72e28..2a192dc1 100644 +index 0bb72e2830..2a192dc18d 100644 --- a/share/html/m/_elements/header +++ b/share/html/m/_elements/header @@ -50,8 +50,7 @@ $title => loc('RT for [_1]', RT->Config->Get('rtname')) diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2024-3262_2.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2024-3262_2.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2024-3262_2.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2024-3262_2.diff 2026-06-05 08:53:01.000000000 +0000 @@ -38,7 +38,7 @@ 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/share/html/Helpers/Autocomplete/autohandler b/share/html/Helpers/Autocomplete/autohandler -index 63463278..33312ca1 100644 +index 63463278c6..33312ca1a5 100644 --- a/share/html/Helpers/Autocomplete/autohandler +++ b/share/html/Helpers/Autocomplete/autohandler @@ -46,8 +46,6 @@ @@ -53,7 +53,7 @@ - diff --git a/share/html/Helpers/autohandler b/share/html/Helpers/autohandler -index 6c74ee3f..3466485b 100644 +index 6c74ee3f35..3466485b77 100644 --- a/share/html/Helpers/autohandler 
+++ b/share/html/Helpers/autohandler @@ -46,7 +46,6 @@ @@ -67,7 +67,7 @@ +$m->call_next; diff --git a/t/web/helpers-http-cache-headers.t b/t/web/helpers-http-cache-headers.t -index 1ffef2de..a586d6a5 100644 +index 1ffef2de33..a586d6a507 100644 --- a/t/web/helpers-http-cache-headers.t +++ b/t/web/helpers-http-cache-headers.t @@ -73,8 +73,8 @@ diag "set up expected date headers"; diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41073.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41073.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41073.diff 1970-01-01 00:00:00.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41073.diff 2026-06-05 08:53:01.000000000 +0000 
@@ -0,0 +1,34 @@
+From 39bebf078d6cfe29a047b8058104873010e72ce0 Mon Sep 17 00:00:00 2001
+From: sunnavy
+Date: Wed, 22 Oct 2025 18:19:56 -0400
+Subject: Prepend a space to TSV header cells that begin with a special
+ character
+
+This ensures applications like Excel treat headers as literal strings
+instead of interpreting them as formulas.
+
+We made a similar fix for non-header rows in 2f5798fee4, this commit amends
+headers too.
+
+Patch-Name: fix_CVE-2026-41073.diff
+Applied-Upstream: 5.0.10, commit: dce7ff6799d930d09c10a50539325f1290440d4b
+Origin: vendor
+Forwarded: not-needed
+---
+ share/html/Elements/TSVExport | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/share/html/Elements/TSVExport b/share/html/Elements/TSVExport
+index 13f03ccd5b..79b75426f5 100644
+--- a/share/html/Elements/TSVExport
++++ b/share/html/Elements/TSVExport
+@@ -107,7 +107,8 @@ else {
+ }
+
+ for (@columns) {
+- $m->out(join("\t", map { $_->{header} } @$_)."\n");
++ # To prevent injection, add a leading space to make sure excel-ish applications treat it like a literal
++ $m->out(join("\t", map { s/^(?=-|\+|=|\@|")/ /; $_ } map { $_->{header} } @$_)."\n");
+ }
+
+ my $i = 0;
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41075.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41075.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41075.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41075.diff 2026-06-05 08:53:01.000000000 +0000
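Review bot: The substitution added in the `for (@columns)` loop inspects only the first character of each header string, and its alternation omits the tab and carriage-return prefixes that spreadsheet-injection guidance (for example OWASP's CSV injection page) lists alongside `=`, `+`, `-` and `@`. If a header value can itself contain a tab or line break (not visible in this hunk), the text after it starts a new cell that receives no leading space. I would normalise embedded whitespace before the prefix check, e.g. `map { s/[\t\r\n]+/ /g; s/\A(?=[-+=\@"])/ /; $_ }`, and extend the in-code comment to name the characters that are covered. The loop sits inside a larger block that starts outside the hunk.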
@@ -0,0 +1,35 @@
+From b869fde4539f0a635a4ede2848d17ab0af02896a Mon Sep 17 00:00:00 2001
+From: sunnavy
+Date: Fri, 10 Apr 2026 16:21:40 -0400
+Subject: Validate ENTRYAGGREGATOR to prevent SQL injection
+
+Patch-Name: fix_CVE-2026-41075.diff
+Applied-Upstream: 5.0.10, commit: 9ed06dadc29a75e17b25017f929edeff62d224bc
+Origin: vendor
+Forwarded: not-needed
+---
+ lib/RT/SearchBuilder.pm | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/RT/SearchBuilder.pm b/lib/RT/SearchBuilder.pm
+index c21a3fe489..150f9e0fb2 100644
+--- a/lib/RT/SearchBuilder.pm
++++ b/lib/RT/SearchBuilder.pm
+@@ -973,6 +973,17 @@ sub Limit {
+ );
+ }
+
++ if ( $ARGS{ENTRYAGGREGATOR} && $ARGS{ENTRYAGGREGATOR} !~ /^(AND|OR|none)$/i ) {
++ $RT::Logger->crit("Possible SQL injection attack via ENTRYAGGREGATOR: $ARGS{ENTRYAGGREGATOR}");
++ %ARGS = (
++ %ARGS,
++ FIELD => 'id',
++ OPERATOR => '<',
++ VALUE => '0',
++ ENTRYAGGREGATOR => 'AND',
++ );
++ }
++
+ my $table;
+ ($table) = $ARGS{'ALIAS'} && $ARGS{'ALIAS'} ne 'main'
+ ? ($ARGS{'ALIAS'} =~ /^(.*)_\d+$/)
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41076.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41076.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41076.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-41076.diff 2026-06-05 08:53:01.000000000 +0000
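Review bot: The allowlist in the added `if` is anchored with `^…$`, and in Perl `$` also matches before a trailing newline, so a value that ends in a newline still counts as valid; `\A`/`\z` make the match exact, as the page-number check in fix_CVE-2026-6841.diff of this same upload already does: `$ARGS{ENTRYAGGREGATOR} !~ /\A(?:AND|OR|none)\z/i`. The `crit` message interpolates the rejected value verbatim, so depending on the log backend a multi-line value can break the alert across several log lines; logging a length-limited copy with control characters replaced keeps the entry unambiguous for whoever triages it. `Limit` starts before and continues after the hunk.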
@@ -0,0 +1,29 @@
+From 75fb716f8759d0cd55cd923e6cd9518a73fb8a04 Mon Sep 17 00:00:00 2001
+From: sunnavy
+Date: Fri, 10 Apr 2026 15:43:49 -0400
+Subject: Reject empty passwords in external authentication
+
+Patch-Name: fix_CVE-2026-41076.diff
+Applied-Upstream: 5.0.10, commit: c8120898d92adf1adae6fce11e0816d08afb395f
+Origin: vendor
+Forwarded: not-needed
+---
+ lib/RT/Authen/ExternalAuth.pm | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/RT/Authen/ExternalAuth.pm b/lib/RT/Authen/ExternalAuth.pm
+index 7384c92a91..eaeaffb207 100644
+--- a/lib/RT/Authen/ExternalAuth.pm
++++ b/lib/RT/Authen/ExternalAuth.pm
+@@ -631,6 +631,11 @@ sub GetAuth {
+
+ my ($service,$username,$password) = @_;
+
++ unless ( defined $password && length $password ) {
++ $RT::Logger->debug("External auth ($service) rejecting empty password for $username");
++ return 0;
++ }
++
+ my $success = 0;
+
+ # Get the full configuration for that service as a hashref
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-6841.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-6841.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-6841.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/fix_CVE-2026-6841.diff 2026-06-05 08:53:01.000000000 +0000
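Review bot: The new guard at the top of `GetAuth` carries no comment saying why an empty password must never reach the backends, and it records the rejection only at `debug`. Presumably the concern is directory servers that treat a simple bind with an empty password as an unauthenticated bind and report success (RFC 4513 section 5.1.2); a one-line comment such as `# Never hand an empty password to a backend: some treat it as an anonymous bind that succeeds` would keep a later refactor from dropping the check. Because these are failed logins that would otherwise have been a bypass, logging at `info` or `warning` would make them visible in default log configurations, in line with the `crit` used by the ENTRYAGGREGATOR patch in this upload. The diffstat shows no test; an empty-password case next to the existing `t/externalauth/` tests would pin the behaviour. `GetAuth` continues outside the hunk.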
@@ -0,0 +1,55 @@
+From 4ec6dc6ead92595d8837ebd2fba50d5bc646175a Mon Sep 17 00:00:00 2001
+From: Jim Brandt
+Date: Wed, 22 Apr 2026 15:58:38 -0400
+Subject: Sanitize passed-in page arguments
+
+Patch-Name: fix_CVE-2026-6841.diff
+Applied-Upstream: 5.0.10, commit: d7abb692a5ab7a7738a08be3debb92b1c6ab8215
+Origin: vendor
+Forwarded: not-needed
+---
+ share/html/Elements/CollectionList | 2 +-
+ share/html/Elements/CollectionListPaging | 3 ++-
+ share/html/Search/Results.html | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/share/html/Elements/CollectionList b/share/html/Elements/CollectionList
+index 499442dec0..09a38e3a9a 100644
+--- a/share/html/Elements/CollectionList
++++ b/share/html/Elements/CollectionList
+@@ -83,7 +83,7 @@ if ( @OrderBy && ($AllowSorting || $PreferOrderBy || !$Collection->{'order_by'})
+ }
+
+ $Collection->RowsPerPage( $Rows ) if $Rows;
+-$Page = 1 unless $Page && $Page > 0; # workaround problems with $Page = '' or undef
++$Page = 1 unless $Page && $Page =~ /\A\d+\z/ && $Page > 1; # workaround problems with $Page = '' or undef
+ $Collection->GotoPage( $Page - 1 ); # SB uses page 0 as the first page
+
+ # DisplayFormat lets us use a "temporary" format for display, while
+diff --git a/share/html/Elements/CollectionListPaging b/share/html/Elements/CollectionListPaging
+index 12b200c37d..2565bbda3a 100644
+--- a/share/html/Elements/CollectionListPaging
++++ b/share/html/Elements/CollectionListPaging
+@@ -85,7 +85,8 @@ else{
+ ),
+ 'h',
+ );
+- $m->out(qq{$number });
++ my $number_display = $m->interp->apply_escapes($number, 'h');
++ $m->out(qq{$number_display });
+ }
+ }
+ } else {
+diff --git a/share/html/Search/Results.html b/share/html/Search/Results.html
+index 06a33c2f57..da82027784 100644
+--- a/share/html/Search/Results.html
++++ b/share/html/Search/Results.html
+@@ -120,7 +120,7 @@ if ( !defined($Rows) ) {
+ $Rows = 50;
+ }
+ }
+-$Page = 1 unless $Page && $Page > 0;
++$Page = 1 unless $Page && $Page =~ /\A\d+\z/ && $Page > 1;
+
+ $session{'i'}++;
+ $session{'tickets'} = RT::Tickets->new($session{'CurrentUser'}) ;
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_Disable_RSS_and_iCal.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_Disable_RSS_and_iCal.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/fix_Disable_RSS_and_iCal.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/fix_Disable_RSS_and_iCal.diff 2026-06-05 08:53:01.000000000 +0000
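Review bot: In the `$Page` guards added to `CollectionList` and `Search/Results.html`, `\d` without the `/a` flag can also match non-ASCII Unicode digits on decoded input, and nothing bounds the length of the digit string, so a very long number is still accepted and, in `CollectionList`, passed on to `GotoPage( $Page - 1 )` as a float. Spelling out `[0-9]` with a length cap states the intent exactly, e.g. `$Page = 1 unless $Page && $Page =~ /\A[0-9]{1,9}\z/ && $Page > 1;` (the nine-digit cap is my choice, not taken from the patch). The trailing comment in `CollectionList` still describes only the `''`/undef workaround and should say that non-numeric input is now rejected as well. The same statement is duplicated in both files, so a shared helper would keep the two from drifting apart; both sit in blocks that extend outside their hunks.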
@@ -0,0 +1,79 @@
+From 353ed67f23fee69c3509faf725259c5476babc2f Mon Sep 17 00:00:00 2001
+From: Jim Brandt
+Date: Thu, 30 Apr 2026 14:30:03 -0400
+Subject: Provide options to disable RSS and iCal feeds in RT
+
+Some RT instances may not use these features, so provide a way
+to disable these endpoints, similar to the existing option
+to disable REST 2.
+
+Modified by Andrew Ruthven to remove the lib/RT/Config.pm changes as they
+aren't relevant to RT 4.
+
+Patch-Name: fix_Disable_RSS_and_iCal.diff
+Applied-Upstream: 5.0.10, commit: e045dfe919aac20b76ca6d6fe026a5471d6569b5
+Origin: vendor
+Forwarded: not-needed
+---
+ etc/RT_Config.pm.in | 20 ++++++++++++++++++++
+ share/html/NoAuth/iCal/dhandler | 2 ++
+ share/html/NoAuth/rss/dhandler | 2 ++
+ 3 files changed, 24 insertions(+)
+
+diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
+index c9eb309d72..7147149eea 100644
+--- a/etc/RT_Config.pm.in
++++ b/etc/RT_Config.pm.in
+@@ -147,6 +147,26 @@ Example:
+
+ Set( @StaticRoots, () );
+
++=item C<$EnableRSS>
++
++RT's per-user RSS feed endpoint at C is enabled by
++default. Set this option to 0 to disable it: requests to that path
++return 404, and search-results pages stop rendering RSS feed links.
++
++=cut
++
++Set($EnableRSS, 1);
++
++=item C<$EnableICal>
++
++RT's per-user iCal feed endpoint at C is enabled by
++default. Set this option to 0 to disable it: requests to that path
++return 404, and search-results pages stop rendering iCal feed links.
++
++=cut
++
++Set($EnableICal, 1);
++
+ =back
+
+
+diff --git a/share/html/NoAuth/iCal/dhandler b/share/html/NoAuth/iCal/dhandler
+index ea03178bc0..55e7203e0e 100644
+--- a/share/html/NoAuth/iCal/dhandler
++++ b/share/html/NoAuth/iCal/dhandler
+@@ -56,6 +56,8 @@ my $notfound = sub {
+ $m->clear_and_abort;
+ };
+
++$notfound->() unless RT->Config->Get('EnableICal');
++
+ $notfound->() unless $path =~ m!^([^/]+)/([^/]+)/(.*)(\.(ical|ics))?!;
+
+ my ($name, $auth, $search) = ($1, $2, $3);
+diff --git a/share/html/NoAuth/rss/dhandler b/share/html/NoAuth/rss/dhandler
+index b0cb73d2aa..210d5004ae 100644
+--- a/share/html/NoAuth/rss/dhandler
++++ b/share/html/NoAuth/rss/dhandler
+@@ -55,6 +55,8 @@ my $notfound = sub {
+ $m->clear_and_abort;
+ };
+
++$notfound->("RSS feeds disabled by configuration") unless RT->Config->Get('EnableRSS');
++
+ $notfound->("Invalid path: $path") unless $path =~ m!^([^/]+)/([^/]+)/?!;
+
+ my ( $name, $auth ) = ( $1, $2 );
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_Disable_RSS_and_iCal_menu.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_Disable_RSS_and_iCal_menu.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/fix_Disable_RSS_and_iCal_menu.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/fix_Disable_RSS_and_iCal_menu.diff 2026-06-05 08:53:01.000000000 +0000
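Review bot: The POD added to `etc/RT_Config.pm.in` promises that search-results pages stop rendering feed links, but this patch's diffstat touches only the config file and the two `dhandler` files. The link hiding lives in the separate fix_Disable_RSS_and_iCal_menu.diff at the end of `series`, and any other template that prints feed URLs is not visible here and should be checked before the documentation is taken at its word. The two guards also differ in that the RSS one passes a reason string to `$notfound` while the iCal one calls `$notfound->()` with none, which matches the existing call below it but leaves nothing to log. A short comment above each guard, e.g. `# Feed switched off via $EnableICal: answer 404 before any path or auth-string parsing`, would record that the check is placed first on purpose.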
@@ -0,0 +1,71 @@ +From f26dc2b8122ba231b98bb26b3f845ef09b4bc6e8 Mon Sep 17 00:00:00 2001 +From: Andrew Ruthven +Date: Sat, 6 Jun 2026 23:57:35 +1200 +Subject: Disable RSS and iCal menu items if disabled + +Some RT instances may not use these features, so provide a way +to disable these endpoints, similar to the existing option +to disable REST 2. + +Modified commit e045dfe919aac20b76ca6d6fe026a5471d6569b5 by Andrew Ruthven to +work on RT 4. + +Patch-Name: fix_Disable_RSS_and_iCal_menu.diff +Origin: vendor +Forwarded: not-needed +--- + share/html/Elements/Tabs | 41 ++++++++++++++++++++++------------------ + 1 file changed, 23 insertions(+), 18 deletions(-) + +diff --git a/share/html/Elements/Tabs b/share/html/Elements/Tabs +index 1cb6b17208..518508aa42 100644 +--- a/share/html/Elements/Tabs ++++ b/share/html/Elements/Tabs +@@ -1001,24 +1001,29 @@ my $build_main_nav = sub { + my %rss_data = map { + $_ => $QueryArgs->{$_} || $fallback_query_args{$_} || '' } + qw(Query Order OrderBy); +- my $RSSQueryString = "?" +- . $query_string->( Query => $rss_data{Query}, +- Order => $rss_data{Order}, +- OrderBy => $rss_data{OrderBy} +- ); +- my $RSSPath = join '/', map $m->interp->apply_escapes( $_, 'u' ), +- $session{'CurrentUser'}->UserObj->Name, +- $session{'CurrentUser'} +- ->UserObj->GenerateAuthString( $rss_data{Query} +- . $rss_data{Order} +- . $rss_data{OrderBy} ); +- +- $more->child( rss => title => loc('RSS'), path => "/NoAuth/rss/$RSSPath/$RSSQueryString"); +- my $ical_path = join '/', map $m->interp->apply_escapes($_, 'u'), +- $session{'CurrentUser'}->UserObj->Name, +- $session{'CurrentUser'}->UserObj->GenerateAuthString( $rss_data{Query} ), +- $rss_data{Query}; +- $more->child( ical => title => loc('iCal'), path => '/NoAuth/iCal/'.$ical_path); ++ if ( RT->Config->Get('EnableRSS') ) { ++ my $RSSQueryString = "?" ++ . 
$query_string->( Query => $rss_data{Query}, ++ Order => $rss_data{Order}, ++ OrderBy => $rss_data{OrderBy} ++ ); ++ my $RSSPath = join '/', map $m->interp->apply_escapes( $_, 'u' ), ++ $session{'CurrentUser'}->UserObj->Name, ++ $session{'CurrentUser'} ++ ->UserObj->GenerateAuthString( $rss_data{Query} ++ . $rss_data{Order} ++ . $rss_data{OrderBy} ); ++ ++ $more->child( rss => title => loc('RSS'), path => "/NoAuth/rss/$RSSPath/$RSSQueryString"); ++ } ++ ++ if ( RT->Config->Get('EnableICal') ) { ++ my $ical_path = join '/', map $m->interp->apply_escapes($_, 'u'), ++ $session{'CurrentUser'}->UserObj->Name, ++ $session{'CurrentUser'}->UserObj->GenerateAuthString( $rss_data{Query} ), ++ $rss_data{Query}; ++ $more->child( ical => title => loc('iCal'), path => '/NoAuth/iCal/'.$ical_path); ++ } + + if ($request_path =~ m{^/Search/Results.html} + && #XXX TODO better abstraction diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_expired_certs.dif request-tracker4-4.4.6+dfsg/debian/patches/fix_expired_certs.dif --- request-tracker4-4.4.6+dfsg/debian/patches/fix_expired_certs.dif 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_expired_certs.dif 2026-06-05 08:53:01.000000000 +0000 @@ -32,7 +32,7 @@ 20 files changed, 1444 insertions(+), 964 deletions(-) diff --git a/t/data/smime/keys/demoCA/cacert.pem b/t/data/smime/keys/demoCA/cacert.pem -index de734a98..c60df475 100644 +index de734a98f4..c60df4752c 100644 --- a/t/data/smime/keys/demoCA/cacert.pem +++ b/t/data/smime/keys/demoCA/cacert.pem @@ -1,13 +1,14 @@ @@ -119,7 +119,7 @@ +47QL9Jf0xKHMrHoJ -----END CERTIFICATE----- diff --git a/t/data/smime/keys/otherCA/cacert.pem b/t/data/smime/keys/otherCA/cacert.pem -index bebd5f3a..9523c3a2 100644 +index bebd5f3a66..9523c3a2da 100644 --- a/t/data/smime/keys/otherCA/cacert.pem +++ b/t/data/smime/keys/otherCA/cacert.pem @@ -1,13 +1,14 @@ @@ -231,7 +231,7 @@ +dKa+MKaaRpsgSCo2IHHwe5IZDbpb -----END CERTIFICATE----- 
diff --git a/t/data/smime/keys/root@example.com.crt b/t/data/smime/keys/root@example.com.crt -index 45e3eb44..c4aaadb7 100644 +index 45e3eb4485..c4aaadb75e 100644 --- a/t/data/smime/keys/root@example.com.crt +++ b/t/data/smime/keys/root@example.com.crt @@ -1,43 +1,85 @@ @@ -352,7 +352,7 @@ +DHtvq/s01mRR -----END CERTIFICATE----- diff --git a/t/data/smime/keys/root@example.com.csr b/t/data/smime/keys/root@example.com.csr -index a72677a5..c0afa8f2 100644 +index a72677a55d..c0afa8f2e4 100644 --- a/t/data/smime/keys/root@example.com.csr +++ b/t/data/smime/keys/root@example.com.csr @@ -1,9 +1,28 @@ @@ -392,7 +392,7 @@ +QUdddI/E8yQtTWVV9oPbl3GJHCg= -----END CERTIFICATE REQUEST----- diff --git a/t/data/smime/keys/root@example.com.key b/t/data/smime/keys/root@example.com.key -index 7b24e4e8..0e44023f 100644 +index 7b24e4e828..0e44023fce 100644 --- a/t/data/smime/keys/root@example.com.key +++ b/t/data/smime/keys/root@example.com.key @@ -1,12 +1,52 @@ @@ -461,7 +461,7 @@ +l8kdzuSa4Kx4pnCQ4gjGtcDyaYWDfrna +-----END PRIVATE KEY----- diff --git a/t/data/smime/keys/root@example.com.pem b/t/data/smime/keys/root@example.com.pem -index 802475e6..6d641a2a 100644 +index 802475e665..6d641a2aff 100644 --- a/t/data/smime/keys/root@example.com.pem +++ b/t/data/smime/keys/root@example.com.pem @@ -1,55 +1,137 @@ @@ -646,7 +646,7 @@ +l8kdzuSa4Kx4pnCQ4gjGtcDyaYWDfrna +-----END PRIVATE KEY----- diff --git a/t/data/smime/keys/sender@example.com.crt b/t/data/smime/keys/sender@example.com.crt -index 9497a202..9ef32380 100644 +index 9497a20222..9ef323807b 100644 --- a/t/data/smime/keys/sender@example.com.crt +++ b/t/data/smime/keys/sender@example.com.crt @@ -1,43 +1,85 @@ @@ -767,7 +767,7 @@ +Gboprt6qmw== -----END CERTIFICATE----- diff --git a/t/data/smime/keys/sender@example.com.csr b/t/data/smime/keys/sender@example.com.csr -index 18fa799a..44d4ffe0 100644 +index 18fa799a4c..44d4ffe07e 100644 --- a/t/data/smime/keys/sender@example.com.csr +++ b/t/data/smime/keys/sender@example.com.csr 
@@ -1,9 +1,28 @@ @@ -807,7 +807,7 @@ +qQWDtWQ+XRCayAJG5sox73Je -----END CERTIFICATE REQUEST----- diff --git a/t/data/smime/keys/sender@example.com.key b/t/data/smime/keys/sender@example.com.key -index 26ed8506..fe8609a1 100644 +index 26ed850662..fe8609a143 100644 --- a/t/data/smime/keys/sender@example.com.key +++ b/t/data/smime/keys/sender@example.com.key @@ -1,12 +1,52 @@ @@ -876,7 +876,7 @@ +oysIX0sWQfO1ZCDtnWL5ow9Z446flzk= +-----END PRIVATE KEY----- diff --git a/t/data/smime/keys/sender@example.com.pem b/t/data/smime/keys/sender@example.com.pem -index 500bc83f..95b282bd 100644 +index 500bc83f73..95b282bd16 100644 --- a/t/data/smime/keys/sender@example.com.pem +++ b/t/data/smime/keys/sender@example.com.pem @@ -1,55 +1,137 @@ @@ -1061,7 +1061,7 @@ +oysIX0sWQfO1ZCDtnWL5ow9Z446flzk= +-----END PRIVATE KEY----- diff --git a/t/data/smime/mails/1-signed.eml b/t/data/smime/mails/1-signed.eml -index 57c09b7a..906c2183 100644 +index 57c09b7ac2..906c21839e 100644 --- a/t/data/smime/mails/1-signed.eml +++ b/t/data/smime/mails/1-signed.eml @@ -1,74 +1,77 @@ @@ -1217,7 +1217,7 @@ +m9DZ6yb9pvd1yS2FLOmvjwAAAAAAAA== +--------------ms050903060100010602090608-- diff --git a/t/data/smime/mails/2-signed-attachment.eml b/t/data/smime/mails/2-signed-attachment.eml -index 5c8ab27c..6afea9f7 100644 +index 5c8ab27cbe..6afea9f7aa 100644 --- a/t/data/smime/mails/2-signed-attachment.eml +++ b/t/data/smime/mails/2-signed-attachment.eml @@ -1,90 +1,89 @@ @@ -1401,7 +1401,7 @@ +w9+K5ueBQt7qb7XsbSoRQgAAAAAAAA== +--------------ms060104030103070206000606-- diff --git a/t/data/smime/mails/3-signed-binary.eml b/t/data/smime/mails/3-signed-binary.eml -index ff3449da..0588c1b9 100644 +index ff3449daf5..0588c1b9ad 100644 --- a/t/data/smime/mails/3-signed-binary.eml +++ b/t/data/smime/mails/3-signed-binary.eml @@ -1,95 +1,94 @@ @@ -1595,7 +1595,7 @@ +/Muu/T7yCrODtxAWVZQI5gAAAAAAAA== +--------------ms080409050107030404080700-- 
diff --git a/t/data/smime/mails/4-encrypted-plain.eml b/t/data/smime/mails/4-encrypted-plain.eml -index 481a858b..ccec76f9 100644 +index 481a858b03..ccec76f986 100644 --- a/t/data/smime/mails/4-encrypted-plain.eml +++ b/t/data/smime/mails/4-encrypted-plain.eml @@ -1,32 +1,49 @@ @@ -1681,7 +1681,7 @@ +tztQLcmzLtUknjfp6rXC6OdjTQsv3S8XLdgzEo/zPd0Y/6Mn403KBvup7rQoWnYEEIm7iyjq +QchMtSkYzCMSHlEAAAAAAAAAAAAA diff --git a/t/data/smime/mails/5-encrypted-attachment.eml b/t/data/smime/mails/5-encrypted-attachment.eml -index b6fb9b46..50cf4ad2 100644 +index b6fb9b46bc..50cf4ad256 100644 --- a/t/data/smime/mails/5-encrypted-attachment.eml +++ b/t/data/smime/mails/5-encrypted-attachment.eml @@ -1,42 +1,58 @@ @@ -1786,7 +1786,7 @@ +YEfJ1X0560sjklABpXEzzDOPUVu2aV0XIq3TV3n7u5+khaG85duuDKZaBBCjV9C70vnzn3Gt +pmNe5VAVAAAAAAAAAAAAAA== diff --git a/t/data/smime/mails/6-encrypted-binary.eml b/t/data/smime/mails/6-encrypted-binary.eml -index f4d50886..2171dc49 100644 +index f4d50886b3..2171dc4903 100644 --- a/t/data/smime/mails/6-encrypted-binary.eml +++ b/t/data/smime/mails/6-encrypted-binary.eml @@ -1,48 +1,64 @@ @@ -1903,7 +1903,7 @@ +ygaHaTOI+6yHVMAfXHe4mQGZW31IWv9gjRP/qW8JZdmzhq45ZxAJuSdEbEVP4LwcFcLzO9/d +IsjKG2IdXYr3w+vfOwZpCAQQssh609K/PKF4P8m3ZBzkbQAAAAAAAAAAAAA= diff --git a/t/data/smime/mails/7-signed-encrypted-plain.eml b/t/data/smime/mails/7-signed-encrypted-plain.eml -index 7dd981a2..d58ecfd4 100644 +index 7dd981a240..d58ecfd496 100644 --- a/t/data/smime/mails/7-signed-encrypted-plain.eml +++ b/t/data/smime/mails/7-signed-encrypted-plain.eml @@ -1,97 +1,118 @@ @@ -2123,7 +2123,7 @@ +O5KiCiM9ad5zTWmXYPKCXJBHX81l0ptNl417SuHhFvnFPgQQMoJoMFziJ229oq4CJ4PJtgAA +AAAAAAAAAAA= diff --git a/t/data/smime/mails/8-signed-encrypted-attachment.eml b/t/data/smime/mails/8-signed-encrypted-attachment.eml -index 1c53ad95..3087778c 100644 +index 1c53ad9562..3087778c3d 100644 --- a/t/data/smime/mails/8-signed-encrypted-attachment.eml +++ b/t/data/smime/mails/8-signed-encrypted-attachment.eml 
@@ -1,107 +1,127 @@ @@ -2362,7 +2362,7 @@ +xC6XoePChJvueMJwDMjxTS/8tgDtRgq+Zm1VdQQQqdfPAKnftJEqnwLHPYcIigAAAAAAAAAA +AAA= diff --git a/t/data/smime/mails/9-signed-encrypted-binary.eml b/t/data/smime/mails/9-signed-encrypted-binary.eml -index eab9d5b6..6d7e1431 100644 +index eab9d5b655..6d7e143185 100644 --- a/t/data/smime/mails/9-signed-encrypted-binary.eml +++ b/t/data/smime/mails/9-signed-encrypted-binary.eml @@ -1,113 +1,133 @@ @@ -2613,7 +2613,7 @@ +a1iEPHDwoq1aDlDJRG4D5uFK7kz7py7Ckd24z1Izvhy38A4JJqRypwQQ2m8XG6wa54nkE44y +YcWmNQAAAAAAAAAAAAA= diff --git a/t/web/smime/outgoing.t b/t/web/smime/outgoing.t -index 227a9230..84b03cd1 100644 +index 227a923025..84b03cd12d 100644 --- a/t/web/smime/outgoing.t +++ b/t/web/smime/outgoing.t @@ -222,7 +222,7 @@ foreach my $mail ( map cleanup_headers($_), @{ $mail{'signed_encrypted'} } ) { diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_lintian_privacy_break_logo_error.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_lintian_privacy_break_logo_error.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_lintian_privacy_break_logo_error.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_lintian_privacy_break_logo_error.diff 2026-06-05 08:53:01.000000000 +0000 @@ -13,7 +13,7 @@ 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/share/html/index.html b/share/html/index.html -index a56593b1..cadfa79a 100644 +index a56593b11b..cadfa79ac7 100644 --- a/share/html/index.html +++ b/share/html/index.html @@ -5,11 +5,9 @@ diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_pod_rt_munge_attachments.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_pod_rt_munge_attachments.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_pod_rt_munge_attachments.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_pod_rt_munge_attachments.diff 2026-06-05 08:53:01.000000000 +0000 @@ -9,7 +9,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sbin/rt-munge-attachments.in b/sbin/rt-munge-attachments.in -index 7b72c0c9..77d9ad6a 100644 +index 7b72c0c99b..77d9ad6ab9 100644 --- a/sbin/rt-munge-attachments.in +++ b/sbin/rt-munge-attachments.in @@ -120,7 +120,7 @@ my ( $ret, $msg ) = $attachments->ReplaceAttachments( diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_shebang_upgrade_mysql_schema.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_shebang_upgrade_mysql_schema.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_shebang_upgrade_mysql_schema.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_shebang_upgrade_mysql_schema.diff 2026-06-05 08:53:01.000000000 +0000 @@ -9,7 +9,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/upgrade/upgrade-mysql-schema.pl b/etc/upgrade/upgrade-mysql-schema.pl -index 6ef9247e..b3d7b9ed 100755 +index 6ef9247e08..b3d7b9edba 100755 --- a/etc/upgrade/upgrade-mysql-schema.pl +++ b/etc/upgrade/upgrade-mysql-schema.pl @@ -1,4 +1,4 @@ diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fix_test_ldap_ipv4.diff request-tracker4-4.4.6+dfsg/debian/patches/fix_test_ldap_ipv4.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fix_test_ldap_ipv4.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fix_test_ldap_ipv4.diff 2026-06-05 08:53:01.000000000 +0000 @@ -25,7 +25,7 @@ 12 files changed, 108 insertions(+), 25 deletions(-) diff --git a/t/externalauth/ldap.t b/t/externalauth/ldap.t -index b6d696ab..396eeab8 100644 +index b6d696abcb..396eeab872 100644 --- a/t/externalauth/ldap.t +++ b/t/externalauth/ldap.t @@ -1,5 +1,6 @@ @@ -57,7 +57,7 @@ my $username = "testuser"; my $base = "dc=bestpractical,dc=com"; diff --git a/t/externalauth/ldap_email_login.t b/t/externalauth/ldap_email_login.t -index ffb726f7..69e715a7 100644 +index ffb726f736..69e715a7cc 100644 --- a/t/externalauth/ldap_email_login.t +++ b/t/externalauth/ldap_email_login.t @@ -1,5 +1,6 @@ 
@@ -87,7 +87,7 @@ my $base = 'dc=bestpractical,dc=com'; diff --git a/t/externalauth/ldap_escaping.t b/t/externalauth/ldap_escaping.t -index b46c3ffe..6f8b500f 100644 +index b46c3ffe69..6f8b500fcd 100644 --- a/t/externalauth/ldap_escaping.t +++ b/t/externalauth/ldap_escaping.t @@ -1,5 +1,6 @@ @@ -117,7 +117,7 @@ my $users_dn = "ou=users,dc=bestpractical,dc=com"; diff --git a/t/externalauth/ldap_group.t b/t/externalauth/ldap_group.t -index 168c37b0..3bb23ede 100644 +index 168c37b077..3bb23edecf 100644 --- a/t/externalauth/ldap_group.t +++ b/t/externalauth/ldap_group.t @@ -1,5 +1,6 @@ @@ -147,7 +147,7 @@ my $users_dn = "ou=users,dc=bestpractical,dc=com"; diff --git a/t/externalauth/ldap_privileged.t b/t/externalauth/ldap_privileged.t -index 02e760bf..7e1db471 100644 +index 02e760bf3d..7e1db47154 100644 --- a/t/externalauth/ldap_privileged.t +++ b/t/externalauth/ldap_privileged.t @@ -1,5 +1,6 @@ @@ -177,7 +177,7 @@ my $username = "testuser"; my $base = "dc=bestpractical,dc=com"; diff --git a/t/ldapimport/group-callbacks.t b/t/ldapimport/group-callbacks.t -index 272d3292..86901b31 100644 +index 272d32921a..86901b312d 100644 --- a/t/ldapimport/group-callbacks.t +++ b/t/ldapimport/group-callbacks.t @@ -1,5 +1,6 @@ @@ -206,7 +206,7 @@ $ldap->add("dc=bestpractical,dc=com"); diff --git a/t/ldapimport/group-import.t b/t/ldapimport/group-import.t -index fc3f97bd..dddf3c6b 100644 +index fc3f97bd92..dddf3c6ba3 100644 --- a/t/ldapimport/group-import.t +++ b/t/ldapimport/group-import.t @@ -1,5 +1,6 @@ @@ -235,7 +235,7 @@ $ldap->add("dc=bestpractical,dc=com"); diff --git a/t/ldapimport/group-member-import.t b/t/ldapimport/group-member-import.t -index 651f5ab6..9be83c54 100644 +index 651f5ab6c8..9be83c54e2 100644 --- a/t/ldapimport/group-member-import.t +++ b/t/ldapimport/group-member-import.t @@ -1,5 +1,6 @@ @@ -264,7 +264,7 @@ $ldap->add("dc=bestpractical,dc=com"); 
diff --git a/t/ldapimport/group-rename.t b/t/ldapimport/group-rename.t -index 786533ef..56967620 100644 +index 786533ef9b..569676203d 100644 --- a/t/ldapimport/group-rename.t +++ b/t/ldapimport/group-rename.t @@ -1,5 +1,6 @@ @@ -293,7 +293,7 @@ $ldap->add("dc=bestpractical,dc=com"); diff --git a/t/ldapimport/user-import-cfs.t b/t/ldapimport/user-import-cfs.t -index a0c723ee..d7f47854 100644 +index a0c723ee04..d7f478548c 100644 --- a/t/ldapimport/user-import-cfs.t +++ b/t/ldapimport/user-import-cfs.t @@ -1,5 +1,6 @@ @@ -323,7 +323,7 @@ $ldap->add("ou=foo,dc=bestpractical,dc=com"); diff --git a/t/ldapimport/user-import-privileged.t b/t/ldapimport/user-import-privileged.t -index 4b155eea..28ee9463 100644 +index 4b155eea74..28ee946392 100644 --- a/t/ldapimport/user-import-privileged.t +++ b/t/ldapimport/user-import-privileged.t @@ -1,5 +1,6 @@ @@ -353,7 +353,7 @@ $ldap->add("ou=foo,dc=bestpractical,dc=com"); diff --git a/t/ldapimport/user-import.t b/t/ldapimport/user-import.t -index c4f6a593..7b8ab2d1 100644 +index c4f6a5934c..7b8ab2d1b7 100644 --- a/t/ldapimport/user-import.t +++ b/t/ldapimport/user-import.t @@ -1,5 +1,6 @@ diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/fonts_use_noto_sans.diff request-tracker4-4.4.6+dfsg/debian/patches/fonts_use_noto_sans.diff --- request-tracker4-4.4.6+dfsg/debian/patches/fonts_use_noto_sans.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/fonts_use_noto_sans.diff 2026-06-05 08:53:01.000000000 +0000 @@ -13,7 +13,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in -index 84dc725d..6b0284dd 100644 +index 84dc725d56..6b0284dd40 100644 --- a/etc/RT_Config.pm.in +++ b/etc/RT_Config.pm.in 
@@ -1247,7 +1247,7 @@ Set( diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/layout.diff request-tracker4-4.4.6+dfsg/debian/patches/layout.diff --- request-tracker4-4.4.6+dfsg/debian/patches/layout.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/layout.diff 2026-06-05 08:53:01.000000000 +0000 @@ -11,7 +11,7 @@ 1 file changed, 29 insertions(+) diff --git a/config.layout b/config.layout -index 15fcf083..fa0c6c44 100644 +index 15fcf0833d..fa0c6c44da 100644 --- a/config.layout +++ b/config.layout @@ -214,3 +214,32 @@ diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/load_rt_generated.diff request-tracker4-4.4.6+dfsg/debian/patches/load_rt_generated.diff --- request-tracker4-4.4.6+dfsg/debian/patches/load_rt_generated.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/load_rt_generated.diff 2026-06-05 08:53:01.000000000 +0000 @@ -12,7 +12,7 @@ 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/RT.pm b/lib/RT.pm -index ae028e2c..c6925bf2 100644 +index ae028e2cc0..c6925bf20d 100644 --- a/lib/RT.pm +++ b/lib/RT.pm @@ -859,10 +859,8 @@ sub InstallMode { diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/no_test_web_installer.diff request-tracker4-4.4.6+dfsg/debian/patches/no_test_web_installer.diff --- request-tracker4-4.4.6+dfsg/debian/patches/no_test_web_installer.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/no_test_web_installer.diff 2026-06-05 08:53:01.000000000 +0000 @@ -24,7 +24,7 @@ 1 file changed, 2 insertions(+) diff --git a/t/web/installer.t b/t/web/installer.t -index 900a4d71..8f490842 100644 +index 900a4d715d..8f490842d7 100644 --- a/t/web/installer.t +++ b/t/web/installer.t 
@@ -7,6 +7,8 @@ use RT::Test diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/no_testdeps.diff request-tracker4-4.4.6+dfsg/debian/patches/no_testdeps.diff --- request-tracker4-4.4.6+dfsg/debian/patches/no_testdeps.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/no_testdeps.diff 2026-06-05 08:53:01.000000000 +0000 @@ -12,7 +12,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in -index 27650d2c..30967251 100644 +index 27650d2ccf..309672510b 100644 --- a/Makefile.in +++ b/Makefile.in @@ -362,7 +362,7 @@ clean-mason-cache: diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/rt_setup_database_upgrade_basedir.diff request-tracker4-4.4.6+dfsg/debian/patches/rt_setup_database_upgrade_basedir.diff --- request-tracker4-4.4.6+dfsg/debian/patches/rt_setup_database_upgrade_basedir.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/rt_setup_database_upgrade_basedir.diff 2026-06-05 08:53:01.000000000 +0000 @@ -13,7 +13,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sbin/rt-setup-database.in b/sbin/rt-setup-database.in -index 7ec29fc9..0b0ec148 100644 +index 7ec29fc92e..0b0ec148b9 100644 --- a/sbin/rt-setup-database.in +++ b/sbin/rt-setup-database.in @@ -421,7 +421,7 @@ sub action_insert { diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/rt_test_db_type.diff request-tracker4-4.4.6+dfsg/debian/patches/rt_test_db_type.diff --- request-tracker4-4.4.6+dfsg/debian/patches/rt_test_db_type.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/rt_test_db_type.diff 2026-06-05 08:53:01.000000000 +0000 @@ -9,7 +9,7 @@ 1 file changed, 3 insertions(+) diff --git a/lib/RT/Test.pm b/lib/RT/Test.pm -index 32cd6e18..0218ad33 100644 +index 32cd6e18f2..0218ad336a 100644 --- a/lib/RT/Test.pm +++ b/lib/RT/Test.pm 
 @@ -314,6 +314,9 @@ Set( \@LexiconLanguages, qw(en zh_TW zh_CN fr ja));
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/series request-tracker4-4.4.6+dfsg/debian/patches/series
--- request-tracker4-4.4.6+dfsg/debian/patches/series 2025-10-10 10:44:30.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/series 2026-06-05 08:53:01.000000000 +0000
@@ -30,3 +30,16 @@
 fix_CVE-2024-3262.diff
 fix_CVE-2024-3262_2.diff
 upstream_4.4.6_cve:_patchset_2025-10-07.diff
+fix_CVE-2026-41073.diff
+fix_AuthToken_1.diff
+fix_AuthToken_2.diff
+fix_AuthToken_3.diff
+fix_AuthToken_4.diff
+fix_CVE-2026-6841.diff
+fix_Attachement_Download.diff
+fix_Disable_RSS_and_iCal.diff
+fix_AuthToken_5.diff
+fix_CVE-2026-41076.diff
+fix_CVE-2026-41075.diff
+upstream_4.4.6_cve:_patchset_2025-04-08-RT_Config.diff
+fix_Disable_RSS_and_iCal_menu.diff
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/sitemodules.diff request-tracker4-4.4.6+dfsg/debian/patches/sitemodules.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/sitemodules.diff 2025-10-10 10:44:30.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/sitemodules.diff 2026-06-05 08:53:01.000000000 +0000
@@ -11,7 +11,7 @@
 1 file changed, 1 insertion(+)
 diff --git a/lib/RT/Interface/Web/Handler.pm b/lib/RT/Interface/Web/Handler.pm
-index acae2751..69ed46fd 100644
+index acae27518f..69ed46fdac 100644
 --- a/lib/RT/Interface/Web/Handler.pm
 +++ b/lib/RT/Interface/Web/Handler.pm
 @@ -56,6 +56,7 @@ use Text::Wrapper;
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/test_locale.diff request-tracker4-4.4.6+dfsg/debian/patches/test_locale.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/test_locale.diff 2025-10-10 10:44:30.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/test_locale.diff 2026-06-05 08:53:01.000000000 +0000
@@ -15,7 +15,7 @@
 1 file changed, 1 insertion(+)
 diff --git a/lib/RT/Test.pm b/lib/RT/Test.pm
-index 0218ad33..c46f7568 100644
+index 0218ad336a..c46f75681c 100644
 --- a/lib/RT/Test.pm
+++ b/lib/RT/Test.pm @@ -114,6 +114,7 @@ my @ports; # keep track of all the random ports we used diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2023-09-26-tests.diff request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2023-09-26-tests.diff --- request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2023-09-26-tests.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2023-09-26-tests.diff 2026-06-05 08:53:01.000000000 +0000 @@ -17,7 +17,7 @@ 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/t/mail/gateway.t b/t/mail/gateway.t -index c51daa90..8f9e941c 100644 +index c51daa9092..8f9e941c40 100644 --- a/t/mail/gateway.t +++ b/t/mail/gateway.t @@ -2,7 +2,7 @@ use strict; @@ -30,7 +30,7 @@ use RT::Tickets; diff --git a/t/mail/han-encodings.t b/t/mail/han-encodings.t -index ba1acc0c..d2dc5238 100644 +index ba1acc0cd4..d2dc523802 100644 --- a/t/mail/han-encodings.t +++ b/t/mail/han-encodings.t @@ -1,7 +1,7 @@ @@ -43,7 +43,7 @@ # we can't simply call Encode::HanExtra->require here because we are testing # if Encode::HanExtra could be automatically loaded. diff --git a/t/mail/sendmail-plaintext.t b/t/mail/sendmail-plaintext.t -index b9eb7195..14103924 100644 +index b9eb719516..141039244c 100644 --- a/t/mail/sendmail-plaintext.t +++ b/t/mail/sendmail-plaintext.t @@ -132,7 +132,7 @@ for my $encoding ('ISO-8859-1', 'UTF-8') { @@ -56,7 +56,7 @@ { diff --git a/t/mail/sendmail.t b/t/mail/sendmail.t -index 4ef32061..d6ead4d8 100644 +index 4ef320611b..d6ead4d802 100644 --- a/t/mail/sendmail.t +++ b/t/mail/sendmail.t @@ -157,7 +157,7 @@ for my $encoding ('ISO-8859-1', 'UTF-8') { @@ -69,7 +69,7 @@ { diff --git a/t/ticket/interface.t b/t/ticket/interface.t -index fd3ee581..71013d16 100644 +index fd3ee581bb..71013d1697 100644 --- a/t/ticket/interface.t +++ b/t/ticket/interface.t 
@@ -1,7 +1,7 @@ diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2023-09-26.diff request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2023-09-26.diff --- request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2023-09-26.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2023-09-26.diff 2026-06-05 08:53:01.000000000 +0000 @@ -21,7 +21,7 @@ 4 files changed, 43 insertions(+), 3 deletions(-) diff --git a/docs/web_deployment.pod b/docs/web_deployment.pod -index d4d6a431..3177d2ab 100644 +index d4d6a43122..3177d2abfd 100644 --- a/docs/web_deployment.pod +++ b/docs/web_deployment.pod @@ -171,6 +171,30 @@ B @@ -56,7 +56,7 @@ =head2 nginx diff --git a/lib/RT/Interface/Email.pm b/lib/RT/Interface/Email.pm -index 159e7758..7ded8b73 100644 +index 159e7758a3..7ded8b7310 100644 --- a/lib/RT/Interface/Email.pm +++ b/lib/RT/Interface/Email.pm @@ -159,6 +159,10 @@ sub Gateway { @@ -71,7 +71,7 @@ my $SystemQueueObj = RT::Queue->new( RT->SystemUser ); $SystemQueueObj->Load( $args{'queue'} ); diff --git a/lib/RT/Interface/Email/Crypt.pm b/lib/RT/Interface/Email/Crypt.pm -index f4eab019..a8b0ea3f 100644 +index f4eab01935..a8b0ea3f19 100644 --- a/lib/RT/Interface/Email/Crypt.pm +++ b/lib/RT/Interface/Email/Crypt.pm @@ -73,13 +73,14 @@ sub VerifyDecrypt { @@ -92,7 +92,7 @@ $p->head->delete($_) for @headers; } diff --git a/share/html/REST/1.0/NoAuth/mail-gateway b/share/html/REST/1.0/NoAuth/mail-gateway -index 328be91b..107d7858 100644 +index 328be91bc6..107d7858c7 100644 --- a/share/html/REST/1.0/NoAuth/mail-gateway +++ b/share/html/REST/1.0/NoAuth/mail-gateway 
 @@ -59,9 +59,18 @@ use RT::Interface::Email;
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-08-RT_Config.diff request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-08-RT_Config.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-08-RT_Config.diff 1970-01-01 00:00:00.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-08-RT_Config.diff 2026-06-05 08:53:01.000000000 +0000
@@ -0,0 +1,73 @@
+From 1dc07c38d2519c82ac1ff3c77ba8e5139499a82a Mon Sep 17 00:00:00 2001
+From: Andrew Ruthven
+Date: Wed, 27 May 2026 20:47:49 +1200
+Subject: Config settings for RestrictLinkDomains, and Cipher in SMIME.
+
+Add the new configuration options to RT_Config.pm.in as we regenerate the
+RT_Config.pm file.
+
+Patch-Name: upstream_4.4.6_cve:_patchset_2025-04-08-RT_Config.diff
+Author: Andrew Ruthven
+Forwarded: not-needed
+Applied: 4.4.8
+---
+ etc/RT_Config.pm.in | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/etc/RT_Config.pm.in b/etc/RT_Config.pm.in
+index 7147149eea..6db9b44558 100644
+--- a/etc/RT_Config.pm.in
++++ b/etc/RT_Config.pm.in
+@@ -901,7 +901,6 @@ Set(@MailParams, ());
+
+ =back
+
+-
+ =head1 Web interface
+
+ =over 4
+@@ -2632,6 +2631,26 @@ higher numbers denoting greater effort.
+
+ Set($BcryptCost, 12);
+
++=item C<@RestrictLinkDomains>
++
++This sets a list of external domains that RT is allowed to link to. If this
++setting is empty, no external domains are allowed.
++
++Currently, this restriction only applies to links in Format parameter for
++search results. All external links whose domains are not in the list will
++be removed.
++
++E.g.
++
++ Set(@RestrictLinkDomains, ("example.com", "*.trusted.com"));
++
++ example.com # Allow links to "example.com"
++ *.trusted.com # Allow links to any one-level subdomain of "trusted.com"
++
++=cut
++
++Set(@RestrictLinkDomains, ());
++
+ =back
+
+
+@@ -3157,6 +3176,9 @@ Set C to the timeout in seconds for
+ downloading a CRL or an issuer certificate (the latter is used when
+ checking against OCSP). The default timeout is 30 seconds.
+
++Set C to the encryption algorithm to use. By default, it's
++C.
++
+ See L for details.
+ + =back +@@ -3174,6 +3196,7 @@ Set( %SMIME, + CheckCRL => 0, + CheckOCSP => 0, + CheckRevocationDownloadTimeout => 30, ++ Cipher => 'aes-128-cbc', + ); + + =head2 GnuPG configuration diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-08.diff request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-08.diff --- request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-08.diff 2025-10-10 10:44:30.000000000 +0000 +++ request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-08.diff 2026-06-05 08:53:01.000000000 +0000 @@ -28,7 +28,7 @@ 9 files changed, 80 insertions(+), 11 deletions(-) diff --git a/etc/RT_Config.pm b/etc/RT_Config.pm -index 9ae33228..6ff1681e 100644 +index 9ae3322807..6ff1681e8a 100644 --- a/etc/RT_Config.pm +++ b/etc/RT_Config.pm @@ -2612,6 +2612,26 @@ higher numbers denoting greater effort. @@ -77,7 +77,7 @@ =head2 GnuPG configuration diff --git a/lib/RT/Crypt/SMIME.pm b/lib/RT/Crypt/SMIME.pm -index 67764d55..c98cecc1 100644 +index 67764d55da..c98cecc118 100644 --- a/lib/RT/Crypt/SMIME.pm +++ b/lib/RT/Crypt/SMIME.pm @@ -425,7 +425,7 @@ sub _SignEncrypt { @@ -90,7 +90,7 @@ ]; } diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm -index 87102028..ea11a90d 100644 +index 87102028d2..ea11a90db6 100644 --- a/lib/RT/Interface/Web.pm +++ b/lib/RT/Interface/Web.pm @@ -4615,12 +4615,20 @@ Removes unsafe and undesired HTML from the passed content @@ -171,7 +171,7 @@ # Scrubbing comments is vital since IE conditional comments can contain # arbitrary HTML and we'd pass it right on through. diff --git a/share/html/Asset/Elements/TSVExport b/share/html/Asset/Elements/TSVExport -index 660a19eb..646adb1a 100644 +index 660a19eb60..646adb1a27 100644 --- a/share/html/Asset/Elements/TSVExport +++ b/share/html/Asset/Elements/TSVExport @@ -58,7 +58,7 @@ require HTML::Entities; 
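Review bot: The POD added for `Cipher` in the `%SMIME` documentation hunk (`@@ -3157,6 +3176,9 @@`) says only that it is "the encryption algorithm to use", so an admin who overrides the `aes-128-cbc` default has no hint of which names are accepted or that the choice presumably sets the strength of encrypted outgoing mail. I would add one sentence to the new paragraph, for example `The value must be a cipher name your OpenSSL build supports; do not lower it to a legacy cipher such as des3.` How the value reaches the S/MIME backend lives in lib/RT/Crypt/SMIME.pm, which this patch does not touch, so the wording should be checked against that code. The `Set( %SMIME, ...)` call and the surrounding POD sections start outside the inner hunks. Separately, the patch header uses `Applied: 4.4.8`, where DEP-3 names the field `Applied-Upstream:`.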
@@ -184,7 +184,7 @@ my @Format = $m->comp('/Elements/CollectionAsTable/ParseFormat', Format => $DisplayFormat); diff --git a/share/html/Elements/CollectionList b/share/html/Elements/CollectionList -index fff3c7d8..499442de 100644 +index fff3c7d8f2..499442dec0 100644 --- a/share/html/Elements/CollectionList +++ b/share/html/Elements/CollectionList @@ -93,8 +93,8 @@ $Collection->GotoPage( $Page - 1 ); # SB uses page 0 as the first page @@ -199,7 +199,7 @@ my @Format = $m->comp('/Elements/CollectionAsTable/ParseFormat', Format => $DisplayFormat); diff --git a/share/html/Elements/ScrubHTML b/share/html/Elements/ScrubHTML -index 2a1c7f60..84636070 100644 +index 2a1c7f6032..84636070ca 100644 --- a/share/html/Elements/ScrubHTML +++ b/share/html/Elements/ScrubHTML @@ -46,7 +46,7 @@ @@ -212,7 +212,7 @@ <%args> $Content => undef diff --git a/share/html/Elements/TSVExport b/share/html/Elements/TSVExport -index 5f9427f9..5a13fecb 100644 +index 5f9427f90b..5a13fecbcd 100644 --- a/share/html/Elements/TSVExport +++ b/share/html/Elements/TSVExport @@ -62,7 +62,7 @@ $Class ||= $Collection->ColumnMapClassName; @@ -225,7 +225,7 @@ my @Format = $m->comp('/Elements/CollectionAsTable/ParseFormat', Format => $DisplayFormat); diff --git a/share/html/Search/Build.html b/share/html/Search/Build.html -index 7b134f57..f80459c5 100644 +index 7b134f577d..f80459c5d9 100644 --- a/share/html/Search/Build.html +++ b/share/html/Search/Build.html @@ -159,7 +159,7 @@ if ( $NewQuery ) { @@ -238,7 +238,7 @@ } diff --git a/share/html/Search/Edit.html b/share/html/Search/Edit.html -index cdb7c1c4..f4e42e9d 100644 +index cdb7c1c4bb..f4e42e9d98 100644 --- a/share/html/Search/Edit.html +++ b/share/html/Search/Edit.html 
 @@ -64,7 +64,7 @@
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-11.diff request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-11.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-11.diff 2025-10-10 10:44:30.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-04-11.diff 2026-06-05 08:53:01.000000000 +0000
@@ -17,7 +17,7 @@
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
-index ea11a90d..45ae4f1c 100644
+index ea11a90db6..45ae4f1c9d 100644
 --- a/lib/RT/Interface/Web.pm
 +++ b/lib/RT/Interface/Web.pm
 @@ -4712,12 +4712,13 @@ if (RT->Config->Get('ShowTransactionImages') or RT->Config->Get('ShowRemoteImage
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff 2025-10-10 10:44:30.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/upstream_4.4.6_cve:_patchset_2025-10-07.diff 2026-06-05 08:53:01.000000000 +0000
@@ -15,7 +15,7 @@
 1 file changed, 2 insertions(+)
 diff --git a/share/html/Elements/TSVExport b/share/html/Elements/TSVExport
-index 5a13fecb..13f03ccd 100644
+index 5a13fecbcd..13f03ccd5b 100644
 --- a/share/html/Elements/TSVExport
 +++ b/share/html/Elements/TSVExport
 @@ -122,6 +122,8 @@ while (my $row = $Collection->Next) {
diff -Nru request-tracker4-4.4.6+dfsg/debian/patches/use_cpanel_json_xs.diff request-tracker4-4.4.6+dfsg/debian/patches/use_cpanel_json_xs.diff
--- request-tracker4-4.4.6+dfsg/debian/patches/use_cpanel_json_xs.diff 2025-10-10 10:44:30.000000000 +0000
+++ request-tracker4-4.4.6+dfsg/debian/patches/use_cpanel_json_xs.diff 2026-06-05 08:53:01.000000000 +0000
@@ -14,7 +14,7 @@
 1 file changed, 4 insertions(+)
 diff --git a/lib/RT/Interface/Web.pm b/lib/RT/Interface/Web.pm
-index a5a0f6e6..87102028 100644
+index a5a0f6e64d..87102028d2 100644
 --- a/lib/RT/Interface/Web.pm
 +++ b/lib/RT/Interface/Web.pm
 @@ -63,6 +63,10 @@ use warnings;