-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Jun 2026 20:53:01 +1200
Source: request-tracker4
Architecture: source
Version: 4.4.6+dfsg-1.1+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: Andrew Ruthven <[email protected]>
Changed-By: Andrew Ruthven <[email protected]>
Changes:
 request-tracker4 (4.4.6+dfsg-1.1+deb12u4) bookworm-security; urgency=medium
 .
   * Include missing default configuration items for security vulnerability
     fixes included in 4.4.6+dfsg-1.1+deb12u2. Namely: RestrictLinkDomains and
     Cipher in %SMIME.
   * Apply upstream patch which fixes several security vulnerabilities:
     - [CVE-2026-6841] Reflected cross-site scripting via the search "Page" URL
       parameter.
     - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
       that are exported to a spreadsheet from search results.  User-controlled
       data is not sanitized before being written to the output file, which can
       cause spreadsheet applications such as Microsoft Excel to interpret
       crafted values as formulas or macros when the file is opened.
     - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in JSON
       search. An authenticated user can craft input that is incorporated into
       database queries without proper validation, potentially allowing them to
       read or modify data in the RT database.
     - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
       authenticate users against an LDAP or Active Directory server. Under
       certain LDAP server configurations, an attacker may be able to
       authenticate as any LDAP-backed RT user without supplying valid
       credentials.
     - [CVE-2026-44229] Cross-site scripting via uploaded content that is served
       inline rather than as an attachment.
     - [CVE-2026-44231] Privilege escalation and information disclosure via the
       REST 2.0 user collection endpoint. A Privileged RT user can obtain
       authentication credentials belonging to other users, including
       administrators, and use those credentials to read data via RT's RSS and
       iCal feed endpoints. The same request that exposes the credentials also
       rotates them, which invalidates previously-distributed feed URLs across
       the instance.
       This vulnerability is likely only possible in RT4 if the
       RT::Extension::REST2 extension is installed.
Checksums-Sha1:
 a385fcd31f6d0be5c09caba2db06c280ad85c219 5978 request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
 ffc7e05a4b24583a1ec0a8d53eb0651d3b48a8e0 161100 request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
 e8d15668b3b26ff3ff720555c9cd1b77e3f0cdba 21217 request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo
Checksums-Sha256:
 30d0b1e7213214ed8384fc2947c664efcaa0a2da0d22a5092ceddbb81ff10031 5978 request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
 990278094ab72e367f9b328fc52c22c3240eb6b56a5f248ab4b3f3d229496da6 161100 request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
 a770d91f1ada64cdcfeb779588d9a0284c7c8ec1d316b098f6ddc96e9a65bc10 21217 request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo
Files:
 f8edb88ae30786292ea71a470ac692dc 5978 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
 5e211927df988f5cce55985fbe4d44c1 161100 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
 5d7ff718758008f68c9ee658e920b6db 21217 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
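Added example, not code from RT (which is written in Perl), from the upstream patch or from this upload: a small Python CSV exporter applying the standard mitigation for the spreadsheet-injection class described under CVE-2026-41073, neutralizing any cell whose first non-space character could start a formula. The ticket rows are constructed sample data.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and similar applications may
# interpret as the start of a formula rather than as literal text
# (the set recommended by OWASP's CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return value as text that a spreadsheet will treat as a literal string.

    A leading apostrophe forces text interpretation in common spreadsheet
    applications; legitimate values such as "-5" are prefixed too, which is
    the accepted trade-off for a text export.
    """
    text = "" if value is None else str(value)
    # Leading spaces do not stop a spreadsheet from parsing a formula, so the
    # check is made on the first non-space character.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(header, rows) -> str:
    """Render header and rows as CSV text with every data cell neutralized.

    QUOTE_ALL wraps each field in double quotes (embedded quotes are doubled),
    so a value containing commas, quotes or newlines cannot break out of its
    cell; the header is application-controlled and written as-is.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample ticket values (not real RT data): one benign subject, two
# that a spreadsheet would otherwise evaluate, and one with leading whitespace.
SAMPLE_TICKETS = [
    (1, "Printer offline", "alice"),
    (2, "=1+1", "bob"),
    (3, "@SUM(1,2)", "carol"),
    (4, "  -2*3", "dave"),
]

if __name__ == "__main__":
    print(export_rows(["id", "Subject", "Requestor"], SAMPLE_TICKETS), end="")
```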
