Format: 1.8
Date: Mon, 01 Jun 2026 13:10:39 +1200
Source: request-tracker5
Architecture: source
Version: 5.0.7+dfsg-4+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: Andrew Ruthven
Changed-By: Andrew Ruthven
Changes:
 request-tracker5 (5.0.7+dfsg-4+deb13u3) trixie-security; urgency=high
 .
   * Include missing default configuration items for security vulnerability
     fixes included in 5.0.7+dfsg-3. Namely: RestrictLinkDomains and Cipher
     in %SMIME.
   * Apply upstream patch which fixes several security vulnerabilities:
     - [CVE-2026-6841] Reflected cross-site scripting via the search "Page"
       URL parameter.
     - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
       that are exported to a spreadsheet from search results. User-controlled
       data is not sanitized before being written to the output file, which
       can cause spreadsheet applications such as Microsoft Excel to interpret
       crafted values as formulas or macros when the file is opened.
     - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in
       JSON search. An authenticated user can craft input that is incorporated
       into database queries without proper validation, potentially allowing
       them to read or modify data in the RT database.
     - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
       authenticate users against an LDAP or Active Directory server. Under
       certain LDAP server configurations, an attacker may be able to
       authenticate as any LDAP-backed RT user without supplying valid
       credentials.
     - [CVE-2026-44229] Cross-site scripting via uploaded content that is
       served inline rather than as an attachment.
     - [CVE-2026-44230] Reflected cross-site scripting on search-results chart
       pages.
     - [CVE-2026-44231] Privilege escalation and information disclosure via
       the REST 2.0 user collection endpoint. A Privileged RT user can obtain
       authentication credentials belonging to other users, including
       administrators, and use those credentials to read data via RT's RSS
       and iCal feed endpoints. The same request that exposes the credentials
       also rotates them, which invalidates previously distributed feed URLs
       across the instance.
Checksums-Sha1:
 6186d5d0ff42c2897ce5590ebd407e3b75c31d92 6044 request-tracker5_5.0.7+dfsg-4+deb13u3.dsc
 3a56fb5d1f787d3f4b957003a3851cffcc44bde0 137108 request-tracker5_5.0.7+dfsg-4+deb13u3.debian.tar.xz
 655f651e7cd57480b67401572780a40ed290cfdd 25034 request-tracker5_5.0.7+dfsg-4+deb13u3_amd64.buildinfo
Checksums-Sha256:
 5bad08a8208c96a196add245d58f2ccef116d33cca13cb7981161ecf5219a05c 6044 request-tracker5_5.0.7+dfsg-4+deb13u3.dsc
 ac6a18c81fab5c044f6649780fd4883705cd71edc7340a3a60128a1704a62095 137108 request-tracker5_5.0.7+dfsg-4+deb13u3.debian.tar.xz
 263f00f84f846d10bdac5646429a0b8fcdd88557c0997954dc7b1a1aedbfee26 25034 request-tracker5_5.0.7+dfsg-4+deb13u3_amd64.buildinfo
Files:
 c74292d0e9251a226184685b8f437269 6044 misc optional request-tracker5_5.0.7+dfsg-4+deb13u3.dsc
 44420d134af2f050fd025bbf4da073f6 137108 misc optional request-tracker5_5.0.7+dfsg-4+deb13u3.debian.tar.xz
 95c31e7d4e33339b68ee04530bd3030d 25034 misc optional request-tracker5_5.0.7+dfsg-4+deb13u3_amd64.buildinfo