-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 01 Jun 2026 13:10:19 +1200
Source: request-tracker5
Architecture: source
Version: 5.0.3+dfsg-3~deb12u6
Distribution: bookworm-security
Urgency: medium
Maintainer: Andrew Ruthven <andrew@etc.gen.nz>
Changed-By: Andrew Ruthven <andrew@etc.gen.nz>
Changes:
request-tracker5 (5.0.3+dfsg-3~deb12u6) bookworm-security; urgency=medium
.
  * Include missing default configuration items for security vulnerability
    fixes included in 5.0.3+dfsg-3~deb12u3. Namely: RestrictLinkDomains and
    Cipher in %SMIME.
  * Apply upstream patch which fixes several security vulnerabilities:
    - [CVE-2026-6841] Reflected cross-site scripting via the search "Page" URL
      parameter.
    - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
      that are exported to a spreadsheet from search results. User-controlled
      data is not sanitized before being written to the output file, which can
      cause spreadsheet applications such as Microsoft Excel to interpret
      crafted values as formulas or macros when the file is opened.
    - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in JSON
      search. An authenticated user can craft input that is incorporated into
      database queries without proper validation, potentially allowing them to
      read or modify data in the RT database.
    - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
      authenticate users against an LDAP or Active Directory server. Under
      certain LDAP server configurations, an attacker may be able to
      authenticate as any LDAP-backed RT user without supplying valid
      credentials.
    - [CVE-2026-44229] Cross-site scripting via uploaded content that is served
      inline rather than as an attachment.
    - [CVE-2026-44231] Privilege escalation and information disclosure via the
      REST 2.0 user collection endpoint. A Privileged RT user can obtain
      authentication credentials belonging to other users, including
      administrators, and use those credentials to read data via RT's RSS and
      iCal feed endpoints. The same request that exposes the credentials also
      rotates them, which invalidates previously distributed feed URLs across
      the instance.
Checksums-Sha1:
f03a9b9d1e5f9339755dd2196a8e208632c45016 6209 request-tracker5_5.0.3+dfsg-3~deb12u6.dsc
a71d925da35e21f8e7024a6d7e5335dfa76f26cd 173804 request-tracker5_5.0.3+dfsg-3~deb12u6.debian.tar.xz
f659c90f0a5b14b909cc23492b1eca13ea3cb7b1 24453 request-tracker5_5.0.3+dfsg-3~deb12u6_amd64.buildinfo
Checksums-Sha256:
6a119288f5fb389e8587a1ad1a6c8b1ea2051613241d5867b77138ad08698f81 6209 request-tracker5_5.0.3+dfsg-3~deb12u6.dsc
c709246e079a88b7e91e7748f96c8cee0c6dd187243032791eb86b90c15e4d7f 173804 request-tracker5_5.0.3+dfsg-3~deb12u6.debian.tar.xz
4154881a25ee51dcdeb54a29fda087d609bc97c1f0ba4ed8b649a1124bd27d51 24453 request-tracker5_5.0.3+dfsg-3~deb12u6_amd64.buildinfo
Files:
450f257ab2f44ddb2250b162570fb3f4 6209 misc optional request-tracker5_5.0.3+dfsg-3~deb12u6.dsc
52476f7d9733afc3b8b440cea42ea5d0 173804 misc optional request-tracker5_5.0.3+dfsg-3~deb12u6.debian.tar.xz
1c506283f2f34a3500d05e46b29d2a4b 24453 misc optional request-tracker5_5.0.3+dfsg-3~deb12u6_amd64.buildinfo
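As an added illustration of the CSV/formula injection class fixed under CVE-2026-41073 above (example code written for this page, not RT's code or the Debian patch), the following shows a search-results export in its weak form beside a neutralizing one. The ticket rows, field names and the `FORMULA_TRIGGERS` list are constructed for the illustration.

```python
import csv
import io

# Leading characters that common spreadsheet applications interpret as the
# start of a formula or a macro reference rather than as plain text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample ticket rows (not real RT data); the second Subject is a
# user-typed value a spreadsheet would evaluate if it were exported verbatim.
FIELDS = ["id", "Subject", "Requestor"]
TICKETS = [
    {"id": 1234, "Subject": "Printer on floor 3 is jammed", "Requestor": "alice@example.com"},
    {"id": 1235, "Subject": "=1+1", "Requestor": "bob@example.com"},
    {"id": 1236, "Subject": "-5 degrees in the server room", "Requestor": "carol@example.com"},
]

def neutralize_cell(value):
    """Return the cell as text a spreadsheet will not evaluate as a formula.

    Numbers from the database (ids, counts) are not user-typed strings and
    pass through unchanged, so negative numbers stay numeric. A string whose
    first non-space character is a trigger gets a leading apostrophe, which
    spreadsheets treat as a text marker. Only spaces are stripped before the
    check, so a leading tab or CR is still caught.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text

def export_csv(rows, fieldnames, neutralize=True):
    """Serialize rows to CSV; neutralize=False reproduces the weak export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        cells = {k: row.get(k) for k in fieldnames}
        if neutralize:
            cells = {k: neutralize_cell(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()

def risky_cells(rows, fieldnames):
    """Audit helper: (row index, field) of every cell that needed neutralizing."""
    return [(i, k) for i, row in enumerate(rows) for k in fieldnames
            if neutralize_cell(row.get(k)) != ("" if row.get(k) is None else str(row.get(k)))]
```

The apostrophe prefix is the widely used mitigation; an export that must round-trip cleanly into other tools may instead prefer to reject or escape the triggering character and log the affected ticket id for review.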