Format: 1.8
Date: Thu, 17 Apr 2025 15:57:24 +1200
Source: request-tracker5
Architecture: source
Version: 5.0.3+dfsg-3~deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Andrew Ruthven <andrew@etc.gen.nz>
Changed-By: Andrew Ruthven <andrew@etc.gen.nz>
Closes: 1055128 1068453
Changes:
 request-tracker5 (5.0.3+dfsg-3~deb12u3) bookworm-security; urgency=medium
 .
   * Correct CVE-2023-41260 number in previous entry (Closes: #1055128).
   * Add patches from 5.0.6 to resolve CVE-2024-3262. Information exposure
     vulnerability due to browser cache usage. If you have sensitive
     information enable the $WebStrictBrowserCache option
     (Closes: #1068453).
   * Apply upstream patches which fix several security vulnerabilities.
     - [CVE-2025-30087] Vulnerable to Cross Site Scripting via injection of
       malicious parameters in a search URL.
     - [CVE-2025-2545] RT uses the default OpenSSL cipher, 3DES (des3), for
       encrypting SMIME email. This is an outdated cipher algorithm, so the
       default is changed to aes-128-cbc. In addition, this is now
       configurable so you can pick an alternate cipher now or in the
       future, or revert to des3 if needed for compatibility.
     - [CVE-2025-31501] Vulnerable to Cross Site Scripting via JavaScript
       injection in an Asset name.
     - [CVE-2025-31500] Vulnerable to Cross Site Scripting via JavaScript
       injection in an RT permalink.