Upgrade roundup to version 1.4.6 in order to fix long-standing security

issues (CVE-2008-1474, CVE-2008-1475). Changes since 1.1.2:

 - Make URL matching code less matchy.
 - Try to clarify mail_domain config setting.
 - Add use of username/password stored in ~/.netrc in mailgw.
 - 'Make a Copy' failed with more than one person in nosy list.
 - xml-rpc security checks and tests across all backends.
 - Send a Precedence header in email so (well-written) autoresponders don't.
 - Fix mailgw total failure bounce message generation (thanks Bradley Dean).
 - Fix for postgres 8.3 compatibility (and bug).
 - Fix for translations.
 - Fire reactors after file storage is all done.
 - Allow negative ids other than -1 for item generation.
 - Better German translation for retiring users.
 - More improvements to German translation.
 - Add filter() to XML-RPC interface.
 - Fix IndexError when there are no messages to an issue.
 - Prevent broken pipe errors in csv export.
 - New session API and cleanup thanks anatoly t.
 - Make WSGI handler threadsafe.
 - Improved URL matching RE.
 - Allow binary file content submission via XML-RPC.
 - Don't run old code on newer database.
 - Fix HTML injection into page title
 - Fix indexer handling of indexed Link properties.
 - Security fixes (thanks Roland Meister).
 - New config option in mail section: ignore_alternatives allows to
   ignore alternatives besides the text/plain part used for the content
   of a message in multipart/alternative attachments.
 - Admin copy of error email from mailgw includes traceback (thanks Ulrik
   Mikaelsson).
 - Messages created through the web are now given an in-reply-to header
   when email out to nosy (thanks Martin v. L�wis).
 - Nosy messages now include more information about issues (all link
   properties with a "name" attribute) (thanks Martin v. L�wis).
 - Searching date range by supplying just a date as the filter spec.
 - Handle no time.tzset under Windows.
 - Fix race condition in file storage transaction commit.
 - Make user utils JS work with firstname/lastname again.
 - Fix ZRoundup to work with Zope 2.8.5.
 - Fix race condition for key properties in rdbms backends.
 - Handle Reject in mailgw final set/create.
 - Removed some metakit references.
 - Roundup has a new xmlrpc frontend that gives access to a tracker using
   XMLRPC.
 - Dates can now be in the year-range 1-9999.
 - The metakit backend has been removed.
 - Add simple anti-spam recipe to docs.
 - Allow customisation of regular expressions used in email parsing, thanks
   Bruno Damour.
 - Italian translation by Marco Ghidinelli.
 - Multilinks take any iterable.
 - config option: specify port and local hostname for SMTP connections.
 - Tracker index templating (i.e. when roundup_server is serving multiple
   trackers).
 - config option: Limit nosy attachments based on size (Philipp Gortan).
 - roundup_server supports SSL via pyopenssl.
 - templatable 404 not found messages.
 - Unauthorized email includes a link to the registration page for
   the tracker.
 - config options: control whether author info/email is included in email
   sent by roundup.
 - support for receiving OpenPGP MIME messages (signed or encrypted).
 - Handling of unset Link search in RDBMS backend.
 - Journal export of anydbm didn't correctly export previously empty values.
 - Fix handling of defaults for date fields.
 - Fix <form> name in user editing to allow multilink popups to work.
 - Fix form handling of editing existing hyperdb items from a new item page.
 - Added new rdbms-indexes for full-text index which will speed up
   reindexing.
 - Turning off indexing for content properties of FileClass instance
   (e.g., "file" and "msg") now works for SQL backends.
 - Enabled over-riding of content-type in web interface (thanks
   John Mitchell).
 - Validate user timezones to filter bad entries.
 - Classic template allows searching for issues with no topic set.
 - xapian_indexer uses current API for stemming (Rick Benavidez).
 - Ensure email addresses are unique.
 - roundup_admin tracks uncommitted changes in interactive mode
   for all backends.
 - add template search path for easy_install (Marek Kubica).
 - don't spam the roundup admin on client shutdowns (Ulrik Mikaelsson).
 - respect umask on filestorage backends (Ulrik Mikaelsson).
 - cope with spam robots posting multiple instances of the same form.
 - include the author of property-only changes in generated messages.
 - fuller email validation in templates.
 - cope with bad cookies from other apps on same domain.
 - updated Spanish translation from Ramiro Morales.
 - clean up query display of "Private to you items".
 - use local timezone for mail date header.
 - allow CSV export of queries on selected issues.
 - remove blobfiles on destroy.
 - handle postgres exceptions during session cleanup.
 - update Xapian indexer to use current API.
 - handle export and import of old trackers that have data attached to
   journal "create" events.
 - fix a couple more old instances of "type" instead of "ENGINE" for mysql
   backend.
 - make LinkHTMLProperty handle non-existing keys.
 - If-Modified-Since handling was broken.
 - Updated documentation for customising hard-coded searches in page.html.
 - Updated Windows installation docs (thanks Bo Berglund).
 - Handle rounding of seconds generating invalid date values.
 - Handle 8-bit untranslateable messages from database properties.
 - Fix scripts/roundup-reminder date calculation.
 - Improved due_date and timelog customisation docs.
 - relax rules for required fields in form_parser.py.
 - documentation cleanup from Luke Ross.
 - updated Spanish translation from Ramiro Morales.
 - handle 8-bit untranslateable messages in tracker templates.
 - handling of required for boolean False and numeric 0.
 - removed bogus args attr of ConfigurationError.
 - implemented start_response in roundup.cgi.
 - clarified windows service documentation.
 - HTMLClass fixed to work with new item permissions check.
 - support POP over SSL.
 - clean up input field generation and quoting of values.
 - allow use of roundup-server pidfile without forking.
 - allow translation of status/priority menu options.
 - setup.py had broken reference to roundup.cgi.
 - full-text search wasn't coping with multiple multilinks to the same class.
 - unicode / sqlite 3 problem.
 - WSGI support via roundup.cgi.wsgi_handler.
 - sqlite module detection was broken for python 2.5 compiled without sqlite
   support.
 - fixed support for pysqlite2 (version 2.1.0 is the minimum version
   supported).
 - roundup-server called setuid when run by non-root user.
 - fix sort/group direction checkbox in issue.index.html.
 - fix error detection for non-EN locales of postgres.
 - fix email change note rendering of multiline properties.
 - fix sidebar search links.
 - nicer "permission required" messages.
 - fix unstable ordering of detectors.
 - E-mail subject line prefix delimiter configuration was being ignored.
 - Password confirm field in user editing.
 - supports Python 2.5, including the sqlite3 module.
 - full timezone support.
 - handle connection loss when responding to web requests.
 - match incoming mail In-Reply-To against existing messages when no issue
   id is specified in the Subject.
 - added StringHTMLProperty wrapped() method to wrap long lines in issue
   display.
 - include the popcal in Date field editing and search fields by default.
 - @required in forms may now specify properties of linked items.
 - update for latest version of pysqlite.
 - update for latest version of psycopg2.
 - new "exporttables" command in roundup-admin.
 - roundup-admin "export" may specify classes to exclude.
 - sorting and grouping by multiple properties is now supported by the
   backends *and* the classic template.
 - sorting, grouping, and searching by transitive properties (e.g.,
   messages.author.supervisor) is now supported in all backends.
 - added filter_sql to SQL backends which takes an arbitrary SQL statement
   and returns a list of item ids.
 - Verbose option for import and export.
 - -c option for roundup-mailgw won't accept parameter.
 - '?' in rfc2822-encoded header isn't quoted.
 - fix error message in form parser.
 - updated ZRoundup for Zope 2.9.
 - fix timelog example in customisation doc to mention permissions.
 - nicer listing of Superseder links.
 - include roundup-server.ini.example.
 - dumb bug in cgi templating utils.
 - handle unicode in query names.
 - fix error during mailgw bouncing message.
 - hyperdb handling of empty raw values for Multilink and Password.
 - don't int() ids.
 - fix importing into anydbm backend.
 - fix help message for roundup-admin install.
 - removed traceback with OTK is used multiple times.
 - metakit backend was indexing FileClass content even when asked not to.
 - anydbm backend will finally sort numerically by ID.
 - problem with string sorting in anydbm backend fixed: If a string was
   fully numeric it was sorted as a number.
 - Multilink-sorting now sorts by orderprop not by ID and works for all
   backends.
 - Bug with name-collisions in sorted classes when sorting by Link
   properties in metakit backend fixed.
 - Postgres backend allows transaction collisions to be ignored when
   committing cleanup in the sessions database.
 - translate titles of "show all" and "unassigned" issue lists
   in classic template.
 - "as" is a keyword in Python 2.6.
 - "from __future__" statments need to be first line of file in Python 2.6.
 - better conflict retry in postgresql backend.
 - fix time log example.

3 files changed, 55 insertions, 11 deletions

diff --git a/devel/roundup/Makefile b/devel/roundup/Makefile
index 7a1ba05206f..87c0fdd32c4 100644
--- a/devel/roundup/Makefile
+++ b/devel/roundup/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.32 2008/05/26 02:13:18 joerg Exp $
+# $NetBSD: Makefile,v 1.33 2008/09/28 02:47:46 tonnerre Exp $
 
-DISTNAME=	roundup-1.1.2
+DISTNAME=	roundup-1.4.6
 CATEGORIES=	devel
 MASTER_SITES=	http://cheeseshop.python.org/packages/source/r/roundup/
 
diff --git a/devel/roundup/PLIST b/devel/roundup/PLIST
index c4def21140e..d8520a6cca1 100644
--- a/devel/roundup/PLIST
+++ b/devel/roundup/PLIST
@@ -1,9 +1,10 @@
-@comment $NetBSD: PLIST,v 1.13 2006/07/15 11:39:17 recht Exp $
+@comment $NetBSD: PLIST,v 1.14 2008/09/28 02:47:46 tonnerre Exp $
 bin/roundup-admin
 bin/roundup-demo
 bin/roundup-gettext
 bin/roundup-mailgw
 bin/roundup-server
+bin/roundup-xmlrpc-server
 ${PYSITELIB}/roundup/__init__.py
 ${PYSITELIB}/roundup/__init__.pyc
 ${PYSITELIB}/roundup/__init__.pyo
@@ -16,9 +17,6 @@ ${PYSITELIB}/roundup/backends/__init__.pyo
 ${PYSITELIB}/roundup/backends/back_anydbm.py
 ${PYSITELIB}/roundup/backends/back_anydbm.pyc
 ${PYSITELIB}/roundup/backends/back_anydbm.pyo
-${PYSITELIB}/roundup/backends/back_metakit.py
-${PYSITELIB}/roundup/backends/back_metakit.pyc
-${PYSITELIB}/roundup/backends/back_metakit.pyo
 ${PYSITELIB}/roundup/backends/back_mysql.py
 ${PYSITELIB}/roundup/backends/back_mysql.pyc
 ${PYSITELIB}/roundup/backends/back_mysql.pyo
@@ -166,6 +164,9 @@ ${PYSITELIB}/roundup/cgi/form_parser.pyo
 ${PYSITELIB}/roundup/cgi/templating.py
 ${PYSITELIB}/roundup/cgi/templating.pyc
 ${PYSITELIB}/roundup/cgi/templating.pyo
+${PYSITELIB}/roundup/cgi/wsgi_handler.py
+${PYSITELIB}/roundup/cgi/wsgi_handler.pyc
+${PYSITELIB}/roundup/cgi/wsgi_handler.pyo
 ${PYSITELIB}/roundup/cgi/zLOG.py
 ${PYSITELIB}/roundup/cgi/zLOG.pyc
 ${PYSITELIB}/roundup/cgi/zLOG.pyo
@@ -232,6 +233,9 @@ ${PYSITELIB}/roundup/scripts/roundup_mailgw.pyo
 ${PYSITELIB}/roundup/scripts/roundup_server.py
 ${PYSITELIB}/roundup/scripts/roundup_server.pyc
 ${PYSITELIB}/roundup/scripts/roundup_server.pyo
+${PYSITELIB}/roundup/scripts/roundup_xmlrpc_server.py
+${PYSITELIB}/roundup/scripts/roundup_xmlrpc_server.pyc
+${PYSITELIB}/roundup/scripts/roundup_xmlrpc_server.pyo
 ${PYSITELIB}/roundup/security.py
 ${PYSITELIB}/roundup/security.pyc
 ${PYSITELIB}/roundup/security.pyo
@@ -244,48 +248,78 @@ ${PYSITELIB}/roundup/token.pyo
 ${PYSITELIB}/roundup/version_check.py
 ${PYSITELIB}/roundup/version_check.pyc
 ${PYSITELIB}/roundup/version_check.pyo
+${PYSITELIB}/roundup/xmlrpc.py
+${PYSITELIB}/roundup/xmlrpc.pyc
+${PYSITELIB}/roundup/xmlrpc.pyo
 man/man1/roundup-admin.1
 man/man1/roundup-demo.1
 man/man1/roundup-mailgw.1
 man/man1/roundup-server.1
 share/doc/roundup/CHANGES.txt
 share/doc/roundup/COPYING.txt
+share/doc/roundup/FAQ.html
 share/doc/roundup/FAQ.txt
 share/doc/roundup/README.txt
 share/doc/roundup/ZPL.txt
+share/doc/roundup/admin_guide.html
 share/doc/roundup/admin_guide.txt
+share/doc/roundup/announcement.html
 share/doc/roundup/announcement.txt
+share/doc/roundup/customizing.html
 share/doc/roundup/customizing.txt
 share/doc/roundup/debugging.txt
 share/doc/roundup/default.css
+share/doc/roundup/design.html
 share/doc/roundup/design.txt
+share/doc/roundup/developers.html
 share/doc/roundup/developers.txt
+share/doc/roundup/features.html
 share/doc/roundup/features.txt
+share/doc/roundup/glossary.html
 share/doc/roundup/glossary.txt
+share/doc/roundup/images/edit_issue.png
 share/doc/roundup/images/edit.png
 share/doc/roundup/images/hyperdb.png
+share/doc/roundup/images/index_logged_in.png
+share/doc/roundup/images/index_logged_out.png
 share/doc/roundup/images/logo-acl-medium.png
 share/doc/roundup/images/logo-codesourcery-medium.png
 share/doc/roundup/images/logo-software-carpentry-standard.png
+share/doc/roundup/images/my_details.png
+share/doc/roundup/images/new_issue.png
+share/doc/roundup/images/registration.png
 share/doc/roundup/images/roundup-1.png
 share/doc/roundup/images/roundup.png
+share/doc/roundup/implementation.html
 share/doc/roundup/implementation.txt
+share/doc/roundup/index.html
 share/doc/roundup/index.txt
+share/doc/roundup/installation.html
 share/doc/roundup/installation.txt
+share/doc/roundup/mysql.html
 share/doc/roundup/mysql.txt
 share/doc/roundup/original_overview.html
 share/doc/roundup/overview.txt
+share/doc/roundup/postgresql.html
 share/doc/roundup/postgresql.txt
+share/doc/roundup/roundup-server.ini.example
 share/doc/roundup/spec.html
+share/doc/roundup/tracker_templates.html
 share/doc/roundup/tracker_templates.txt
+share/doc/roundup/upgrading.html
 share/doc/roundup/upgrading.txt
+share/doc/roundup/user_guide.html
 share/doc/roundup/user_guide.txt
 share/doc/roundup/whatsnew-0.7.txt
 share/doc/roundup/whatsnew-0.8.txt
+share/doc/roundup/xmlrpc.html
+share/doc/roundup/xmlrpc.txt
 share/locale/de/LC_MESSAGES/roundup.mo
 share/locale/en/LC_MESSAGES/roundup.mo
-share/locale/es_AR/LC_MESSAGES/roundup.mo
+share/locale/es/LC_MESSAGES/roundup.mo
 share/locale/fr/LC_MESSAGES/roundup.mo
+share/locale/hu/LC_MESSAGES/roundup.mo
+share/locale/it/LC_MESSAGES/roundup.mo
 share/locale/lt/LC_MESSAGES/roundup.mo
 share/locale/ru/LC_MESSAGES/roundup.mo
 share/locale/zh_CN/LC_MESSAGES/roundup.mo
@@ -297,14 +331,20 @@ share/roundup/templates/classic/detectors/nosyreaction.py
 share/roundup/templates/classic/detectors/statusauditor.py
 share/roundup/templates/classic/detectors/userauditor.py
 share/roundup/templates/classic/extensions/README.txt
+share/roundup/templates/classic/html/_generic.404.html
 share/roundup/templates/classic/html/_generic.calendar.html
 share/roundup/templates/classic/html/_generic.collision.html
+share/roundup/templates/classic/html/_generic.help-empty.html
+share/roundup/templates/classic/html/_generic.help-list.html
+share/roundup/templates/classic/html/_generic.help-search.html
+share/roundup/templates/classic/html/_generic.help-submit.html
 share/roundup/templates/classic/html/_generic.help.html
 share/roundup/templates/classic/html/_generic.index.html
 share/roundup/templates/classic/html/_generic.item.html
 share/roundup/templates/classic/html/file.index.html
 share/roundup/templates/classic/html/file.item.html
 share/roundup/templates/classic/html/help_controls.js
+share/roundup/templates/classic/html/help.html
 share/roundup/templates/classic/html/home.classlist.html
 share/roundup/templates/classic/html/home.html
 share/roundup/templates/classic/html/issue.index.html
@@ -318,15 +358,19 @@ share/roundup/templates/classic/html/query.edit.html
 share/roundup/templates/classic/html/query.item.html
 share/roundup/templates/classic/html/style.css
 share/roundup/templates/classic/html/user.forgotten.html
+share/roundup/templates/classic/html/user.help-search.html
+share/roundup/templates/classic/html/user.help.html
 share/roundup/templates/classic/html/user.index.html
 share/roundup/templates/classic/html/user.item.html
 share/roundup/templates/classic/html/user.register.html
 share/roundup/templates/classic/html/user.rego_progress.html
+share/roundup/templates/classic/html/user_utils.js
 share/roundup/templates/classic/initial_data.py
 share/roundup/templates/classic/schema.py
 share/roundup/templates/minimal/TEMPLATE-INFO.txt
 share/roundup/templates/minimal/detectors/userauditor.py
 share/roundup/templates/minimal/extensions/README.txt
+share/roundup/templates/minimal/html/_generic.404.html
 share/roundup/templates/minimal/html/_generic.calendar.html
 share/roundup/templates/minimal/html/_generic.collision.html
 share/roundup/templates/minimal/html/_generic.help.html
diff --git a/devel/roundup/distinfo b/devel/roundup/distinfo
index 818e6792109..2a923c5f646 100644
--- a/devel/roundup/distinfo
+++ b/devel/roundup/distinfo
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.23 2006/07/15 11:39:17 recht Exp $
+$NetBSD: distinfo,v 1.24 2008/09/28 02:47:46 tonnerre Exp $
 
-SHA1 (roundup-1.1.2.tar.gz) = d1b686fbb5553b8776b8a15db364fc362254be8b
-RMD160 (roundup-1.1.2.tar.gz) = 9c68a7cc2d108eeffdbd9902b190ba32eaaac64c
-Size (roundup-1.1.2.tar.gz) = 876455 bytes
+SHA1 (roundup-1.4.6.tar.gz) = 5691718bc2454a11a39129518919da259fa4422b
+RMD160 (roundup-1.4.6.tar.gz) = 3b15b8e6a85dd6346ddc4faee6a5387b44ffc377
+Size (roundup-1.4.6.tar.gz) = 1370687 bytes