diff --git a/www/rt44/Makefile b/www/rt44/Makefile
index f97351728c68..ed8f906e7f7b 100644
--- a/www/rt44/Makefile
+++ b/www/rt44/Makefile
@@ -1,174 +1,175 @@ PORTNAME= rt DISTVERSION= 4.4.6 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ PKGNAMESUFFIX= 44 MAINTAINER= mikael@FreeBSD.org COMMENT= Industrial-grade ticketing system written in Perl WWW= https://www.bestpractical.com/rt/ LICENSE= GPLv2 LICENSE_FILE= ${WRKSRC}/COPYING CONFLICTS_INSTALL= rt42-4.2* brlcad NO_ARCH= yes # See docs/web_deployment.pod for info on the choices of webserver / # webapp combinations. Note: if using apache, apache-2.4+ is # recommended. For deployment with nginx, use the SPAWN_FCGI method # or the builtin webserver with a FCGI handler. # # The builtin standalone PSGI based webserver is always available, no # matter what choice of web deployment platform, or none, that you # make. Best Practical state that this is really only suitable for # development usage, although I have heard reports of people using it # successfully for medium sized deployments. If you only want the # builtin webserver, simply deselect all of the web options. # # See docs/full_text_indexing.pod if you need to set up full text # indexes on your ticket database. 
PostgreSQL is # recommended in this case: the MYSQL / SphinxSearch combination # mentioned in the docs is currently unsupported in the ports, but see # http://www.infracaninophile.co.uk/articles/sphinxse.html OPTIONS_DEFINE= DEVELOPER GD GPG GRAPHVIZ SMIME DOCS OPTIONS_SINGLE= DB OPTIONS_SINGLE_DB= MYSQL PGSQL SQLITE OPTIONS_RADIO= WEB OPTIONS_RADIO_WEB= AP_MODFASTCGI AP_MODPERL LIGHTTPD SPAWN_FCGI OPTIONS_DEFAULT= AP_MODFASTCGI GD GPG MYSQL USERS?= www GROUPS?= rt www .include "${.CURDIR}/Makefile.cpan" RUN_DEPENDS+= ${CLI_DEPS} \ ${CORE_DEPS} \ ${DASHBOARDS_DEPS} \ ${ICAL_DEPS} \ ${MAILGATE_DEPS} \ ${USERLOGO_DEPS} \ ${HTML_DOC_DEPS} USES= cpe perl5 CPE_VENDOR= bestpractical RT_LAYOUT= FreeBSD RT_ETC_DIR?= etc/${PORTNAME}${PKGNAMESUFFIX} DOCSDIR= ${PREFIX}/share/doc/${PORTNAME}${PKGNAMESUFFIX} DATADIR= ${PREFIX}/share/${PORTNAME}${PKGNAMESUFFIX} RT_ETC_PATH= ${PREFIX}/${RT_ETC_DIR} AP_MODPERL_DESC= Deploy with apache and mod_perl AP_MODPERL_RUN_DEPENDS= ${MODPERL2_DEPS} AP_MODFASTCGI_DESC= Deploy with apache and mod_fastcgi AP_MODFASTCGI_USES= apache:run AP_MODFASTCGI_RUN_DEPENDS= ${LOCALBASE}/${APACHEMODDIR}/mod_fastcgi.so:www/mod_fastcgi \ ${FASTCGI_DEPS} LIGHTTPD_DESC= Deploy with lighttpd and mod_fastcgi LIGHTTPD_RUN_DEPENDS= ${LOCALBASE}/sbin/lighttpd:www/lighttpd \ ${FASTCGI_DEPS} SPAWN_FCGI_DESC= Deploy with spawn_fcgi SPAWN_FCGI_RUN_DEPENDS= ${LOCALBASE}/bin/spawn-fcgi:www/spawn-fcgi \ ${FASTCGI_DEPS} MYSQL_RUN_DEPENDS= ${MYSQL_DEPS} MYSQL_VARS= DB_TYPE=mysql DB_DBA_USER=root PGSQL_RUN_DEPENDS= ${PGSQL_DEPS} PGSQL_VARS= DB_TYPE=Pg DB_DBA_USER=pgsql SQLITE_RUN_DEPENDS= ${SQLITE_DEPS} SQLITE_VARS= DB_TYPE=SQLite DB_DBA_USER=root DEVELOPER_DESC= Configure for Developers DEVELOPER_RUN_DEPENDS= ${DEVELOPER_DEPS} DEVELOPER_CONFIGURE_ENABLE= developer SMIME_DESC= Enable Secure MIME support SMIME_RUN_DEPENDS= ${SMIME_DEPS} SMIME_CONFIGURE_ENABLE= smime GRAPHVIZ_RUN_DEPENDS= ${GRAPHVIZ_DEPS} GRAPHVIZ_CONFIGURE_ENABLE= graphviz GPG_DESC= Enable GnuPG support 
GPG_RUN_DEPENDS= ${GPG_DEPS} GPG_CONFIGURE_ENABLE= gpg GD_DESC= Enable GD Graphs and Charts GD_RUN_DEPENDS= ${GD_DEPS} GD_CONFIGURE_ENABLE= gd BUILD_DEPENDS+= ${RUN_DEPENDS} DB_DBA_PASSWORD?= DB_USER?= rt_user DB_PASSWORD?= rt_pass DB_HOST?= localhost DB_DATABASE?= rt4 WEB_USER?= ${WWWOWN} WEB_GROUP?= ${WWWGRP} LIBS_GROUP?= wheel HAS_CONFIGURE= yes NO_BUILD= yes CONFIGURE_ARGS+= --enable-layout=${RT_LAYOUT} \ --with-web-user=${WEB_USER} \ --with-web-group=${WEB_GROUP} \ --with-libs-group=${LIBS_GROUP} \ --with-db-host=${DB_HOST} \ --with-db-port=${DB_PORT} \ --with-db-type=${DB_TYPE} \ --with-db-rt-user=${DB_USER} \ --with-db-rt-pass=${DB_PASSWORD} \ --with-db-database=${DB_DATABASE} \ --with-db-dba=${DB_DBA_USER} CONFIGURE_ENV+= PERL=${LOCALBASE}/bin/perl SUB_FILES= pkg-message SUB_LIST= RT_ETC_PATH=${RT_ETC_PATH} PLIST_SUB= RT_ETC_DIR=${RT_ETC_DIR} pre-fetch: @${ECHO} "" @${ECHO} "Additional database related settings you can use:" @${ECHO} " DB_HOST=hostname The database host (localhost)" @${ECHO} " DB_PORT=port The database port" @${ECHO} " DB_DATABASE=dbname The database name (rt4)" @${ECHO} "" @${ECHO} " DB_DBA_USER=username Name of database administrator (root)" @${ECHO} " DB_DBA_PASSWORD=password Password of database administrator" @${ECHO} " DB_USER=username Name of database user for RT (rt_user)" @${ECHO} " DB_PASSWORD=password Name of database password for RT (rt_pass)" pre-fetch-SQLITE-on: @${ECHO} "" @${ECHO} "SQLITE is not recommended for production use" post-patch: @${RM} ${WRKSRC}/lib/RT.pm.in.orig @${REINPLACE_CMD} -e 's!%%PREFIX%%!${PREFIX}!g' ${WRKSRC}/config.layout @${REINPLACE_CMD} -e 's!%%SITE_PERL%%!${PREFIX}/${SITE_PERL_REL}!g' ${WRKSRC}/config.layout @${REINPLACE_CMD} -e 's!/path/to/your/etc!${RT_ETC_PATH}!g' ${WRKSRC}/etc/RT_SiteConfig.pm pre-install: @${RM} ${WRKSRC}/lib/RT.pm.in post-install: @${RM} -r ${STAGEDIR}/${WWWDIR}${PKGNAMESUFFIX} ${MKDIR} ${STAGEDIR}${DOCSDIR}/upgrade (cd ${WRKSRC}/etc && \ ${COPYTREE_SHARE} upgrade 
${STAGEDIR}${DOCSDIR} "! -name *\.in") .include diff --git a/www/rt44/files/patch-vuln-2023-09-26 b/www/rt44/files/patch-vuln-2023-09-26 new file mode 100644 index 000000000000..6772187d9342 --- /dev/null +++ b/www/rt44/files/patch-vuln-2023-09-26 
@@ -0,0 +1,107 @@
+diff --git a/docs/web_deployment.pod b/docs/web_deployment.pod
+index d4d6a43122..3177d2abfd 100644
+--- docs/web_deployment.pod
++++ docs/web_deployment.pod
+@@ -171,6 +171,30 @@ B
+ To run RT using mod_perl 1.xx please see L for
+ configuration examples.
+
++=head3 Restricting the REST 1.0 mail-gateway
++
++RT processes email via a REST 1.0 endpoint. If you accept email on the same
++server as your running RT, you can restrict this endpoint to localhost only
++with a configuration like the following:
++
++ # Accept requests only from localhost
++
++ Require local
++
++
++If you run C on a separate server, you can update
++the above to allow additional IP addresses.
++
++
++ Require ip 127.0.0.1 ::1 192.0.2.0 # Add you actual IPs
++
++
++See the L
++for additional configuration options.
++
++After adding this configuration, test receiving email and confirm
++your C utility and C configurations
++can successfully submit email to RT.
+
+ =head2 nginx
+
+diff --git a/lib/RT/Interface/Email.pm b/lib/RT/Interface/Email.pm
+index 159e7758a3..7ded8b7310 100644
+--- lib/RT/Interface/Email.pm
++++ lib/RT/Interface/Email.pm
+@@ -159,6 +159,10 @@ sub Gateway {
+ );
+ }
+
++ # Clean up sensitive headers. Crypt related headers are cleaned up in RT::Interface::Email::Crypt::VerifyDecrypt
++ my @headers = qw( RT-Attach RT-Send-Cc RT-Send-Bcc RT-Message-ID RT-DetectedAutoGenerated RT-Squelch-Replies-To );
++ $Message->head->delete($_) for @headers;
++
+ #Set up a queue object
+ my $SystemQueueObj = RT::Queue->new( RT->SystemUser );
+ $SystemQueueObj->Load( $args{'queue'} );
+diff --git a/lib/RT/Interface/Email/Crypt.pm b/lib/RT/Interface/Email/Crypt.pm
+index f4eab01935..a8b0ea3f19 100644
+--- lib/RT/Interface/Email/Crypt.pm
++++ lib/RT/Interface/Email/Crypt.pm
+@@ -73,13 +73,14 @@ sub VerifyDecrypt {
+ );
+
+ # we clean all possible headers
+- my @headers =
++ my @headers = (
+ qw(
+ X-RT-Incoming-Encryption
+ X-RT-Incoming-Signature X-RT-Privacy
+ X-RT-Sign X-RT-Encrypt
+ ),
+- map "X-RT-$_-Status", RT::Crypt->Protocols;
++ map "X-RT-$_-Status", RT::Crypt->Protocols
++ );
+ foreach my $p ( $args{'Message'}->parts_DFS ) {
+ $p->head->delete($_) for @headers;
+ }
+diff --git a/share/html/REST/1.0/NoAuth/mail-gateway b/share/html/REST/1.0/NoAuth/mail-gateway
+index 328be91bc6..107d7858c7 100644
+--- share/html/REST/1.0/NoAuth/mail-gateway
++++ share/html/REST/1.0/NoAuth/mail-gateway
+@@ -59,9 +59,18 @@ use RT::Interface::Email;
+ $r->content_type('text/plain; charset=utf-8');
+ $m->error_format('text');
+ my ( $status, $error, $Ticket ) = RT::Interface::Email::Gateway( \%ARGS );
++
++# Obscure the message to avoid any information disclosure unless
++# in DevelMode.
++my $log_error;
++unless ( RT->Config->Get('DevelMode') ) {
++ $log_error = $error;
++ $error = 'operation unsuccessful';
++}
++
+ if ( $status == 1 ) {
+ $m->out("ok\n");
+- if ( $Ticket && $Ticket->Id ) {
++ if ( $Ticket && $Ticket->Id && RT->Config->Get('DevelMode') ) {
+ $m->out( 'Ticket: ' . ($Ticket->Id || '') . "\n" );
+ $m->out( 'Queue: ' . ($Ticket->QueueObj->Name || '') . "\n" );
+ $m->out( 'Owner: ' . ($Ticket->OwnerObj->Name || '') . "\n" );
+@@ -73,9 +82,11 @@ if ( $status == 1 ) {
+ }
+ else {
+ if ( $status == -75 ) {
++ RT->Logger->error("mail-gateway returned status -75: $log_error") if $log_error;
+ $m->out( "temporary failure - $error\n" );
+ }
+ else {
++ RT->Logger->error("mail-gateway error: $log_error") if $log_error;
+ $m->out( "not ok - $error\n" );
+ }
+ }