-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 05 Jun 2026 20:53:01 +1200
Source: request-tracker4
Architecture: source
Version: 4.4.6+dfsg-1.1+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: Andrew Ruthven <andrew@etc.gen.nz>
Changed-By: Andrew Ruthven <andrew@etc.gen.nz>
Changes:
request-tracker4 (4.4.6+dfsg-1.1+deb12u4) bookworm-security; urgency=medium
.
  * Include missing default configuration items for security vulnerability
    fixes included in 4.4.6+dfsg-1.1+deb12u2. Namely: RestrictLinkDomains and
    Cipher in %SMIME.
  * Apply upstream patch which fixes several security vulnerabilities:
    - [CVE-2026-6841] Reflected cross-site scripting via the search "Page" URL
      parameter.
    - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
      that are exported to a spreadsheet from search results. User-controlled
      data is not sanitized before being written to the output file, which can
      cause spreadsheet applications such as Microsoft Excel to interpret
      crafted values as formulas or macros when the file is opened.
    - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in JSON
      search. An authenticated user can craft input that is incorporated into
      database queries without proper validation, potentially allowing them to
      read or modify data in the RT database.
    - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
      authenticate users against an LDAP or Active Directory server. Under
      certain LDAP server configurations, an attacker may be able to
      authenticate as any LDAP-backed RT user without supplying valid
      credentials.
    - [CVE-2026-44229] Cross-site scripting via uploaded content that is served
      inline rather than as an attachment.
    - [CVE-2026-44231] Privilege escalation and information disclosure via the
      REST 2.0 user collection endpoint. A Privileged RT user can obtain
      authentication credentials belonging to other users, including
      administrators, and use those credentials to read data via RT's RSS and
      iCal feed endpoints. The same request that exposes the credentials also
      rotates them, which invalidates previously-distributed feed URLs across
      the instance.
      This vulnerability is likely only possible in RT4 if the
      RT::Extension::REST2 extension is installed.
Checksums-Sha1:
a385fcd31f6d0be5c09caba2db06c280ad85c219 5978 request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
ffc7e05a4b24583a1ec0a8d53eb0651d3b48a8e0 161100 request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
e8d15668b3b26ff3ff720555c9cd1b77e3f0cdba 21217 request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo
Checksums-Sha256:
30d0b1e7213214ed8384fc2947c664efcaa0a2da0d22a5092ceddbb81ff10031 5978 request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
990278094ab72e367f9b328fc52c22c3240eb6b56a5f248ab4b3f3d229496da6 161100 request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
a770d91f1ada64cdcfeb779588d9a0284c7c8ec1d316b098f6ddc96e9a65bc10 21217 request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo
Files:
f8edb88ae30786292ea71a470ac692dc 5978 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
5e211927df988f5cce55985fbe4d44c1 161100 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
5d7ff718758008f68c9ee658e920b6db 21217 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----