Format: 1.8
Date: Thu, 21 May 2026 20:44:52 +1200
Source: request-tracker5
Architecture: source
Version: 5.0.10+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Andrew Ruthven <andrew@etc.gen.nz>
Changed-By: Andrew Ruthven <andrew@etc.gen.nz>
Closes: 1109102
Changes:
 request-tracker5 (5.0.10+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
     - [CVE-2026-41075] Fix SQL injection via the entry_aggregator
       parameter in JSON search. An authenticated user can craft input
       that is incorporated into database queries without proper
       validation, potentially allowing them to read or modify data in
       the RT database.
     - [CVE-2026-41076] Fix an LDAP authentication bypass when RT is
       configured to authenticate users against an LDAP or Active
       Directory server. Under certain LDAP server configurations, an
       attacker may be able to authenticate as any LDAP-backed RT user
       without supplying valid credentials.
     - [CVE-2026-6841] Fix a reflected cross-site scripting via the
       search "Page" URL parameter.
     - [CVE-2026-44227] Fix a reflected cross-site scripting via
       additional URL parameters on search pages.
     - [CVE-2026-44230] Fix a reflected cross-site scripting on
       search-results chart pages.
     - [CVE-2026-44229] Fix a cross-site scripting via uploaded content
       that is served inline rather than as an attachment.
     - [CVE-2026-41073] Fix a spreadsheet (CSV/formula) injection via
       ticket values that are exported to a spreadsheet from search
       results. User-controlled data is not sanitized before being
       written to the output file, which can cause spreadsheet
       applications such as Microsoft Excel to interpret crafted values
       as formulas or macros when the file is opened.
   * Drop patches no longer needed:
     - fix-WWW::Mechanize_v2.20_in_tests.diff
     - add-missing-rt-base-require.diff
     - fix-gnupg-2.4.9.diff
   * Drop redundant lintian overrides for rt5-doc-html.
   * Add missing ".service" to ordering lines in request-tracker5.service
     (Closes: #1109102).
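An added example, not part of the upload notice and not RT's code, of the output neutralization that the CVE-2026-41073 entry describes as missing when search results are exported to a spreadsheet. The notice does not say how 5.0.10 implements its fix; the trigger-character set, the apostrophe prefix, the function names and the sample rows are assumptions following common CSV-injection guidance.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications may treat as the start of
# a formula. This set follows common CSV-injection guidance; it is an
# assumption here, not taken from RT's patch.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain signed numbers such as -5 or +3.2 are data, not formulas, and must
# survive the export unchanged.
PLAIN_NUMBER = re.compile(r"[+-]?[0-9]+(\.[0-9]+)?")


def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will not evaluate."""
    if value is None:
        return ""
    text = str(value)
    if PLAIN_NUMBER.fullmatch(text):
        return text
    if text.startswith(FORMULA_TRIGGERS):
        # Prefix an apostrophe so the cell no longer begins with a trigger.
        return "'" + text
    return text


def export_rows(rows):
    """Write rows as CSV with every field quoted and neutralized."""
    buf = io.StringIO()
    # QUOTE_ALL wraps each field in double quotes and doubles embedded quotes.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample search results (hypothetical ticket values).
SAMPLE_ROWS = [
    ["id", "Subject", "Priority"],
    [101, "Printer offline", -5],
    [102, "=SUM(A1:A2)", 3],
    [103, '@status "quoted"', "+1 vote"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS), end="")
```

The numeric check matters in practice: without it, a legitimate negative priority such as -5 would be exported as text and break sorting and sums in the spreadsheet.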