==========================================================================
Ubuntu Security Notice USN-8506-1
July 06, 2026

request-tracker5 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Request Tracker.

Software Description:
- request-tracker5: extensible trouble-ticket tracking system

Details:

Aleksander Iwicki discovered that Request Tracker did not properly sanitize
the search "Page" URL parameter. A remote attacker could possibly use this
issue to conduct a reflected cross-site scripting attack. (CVE-2026-6841)

It was discovered that Request Tracker did not properly sanitize user-
controlled data written to spreadsheet exports of search results. A remote
attacker could possibly use this issue to conduct a spreadsheet
(CSV/formula) injection attack, causing spreadsheet applications to
interpret crafted values as formulas or macros when the file is opened.
(CVE-2026-41073)

It was discovered that Request Tracker did not properly validate input
incorporated into database queries via the entry_aggregator parameter in
JSON search. An authenticated user could possibly use this issue to perform
SQL injection attacks and read or modify data in the RT database.
(CVE-2026-41075)

It was discovered that Request Tracker contained an authentication bypass
when configured to authenticate users against an LDAP or Active Directory
server. Under certain LDAP server configurations, a remote attacker could
possibly use this issue to authenticate as any LDAP-backed RT user without
supplying valid credentials. (CVE-2026-41076)

It was discovered that Request Tracker served certain uploaded content
inline rather than as an attachment. A remote attacker could possibly use
this issue to conduct a cross-site scripting attack. (CVE-2026-44229)

It was discovered that Request Tracker did not properly sanitize input on
search-results chart pages. A remote attacker could possibly use this issue
to conduct a reflected cross-site scripting attack. (CVE-2026-44230)

Jeroen Gui discovered that Request Tracker did not properly restrict access
to the REST 2.0 user collection endpoint. A privileged user could possibly
use this issue to obtain authentication credentials belonging to other
users, including administrators, resulting in privilege escalation and
information disclosure. (CVE-2026-44231)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  request-tracker5                5.0.7+dfsg-6ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  rt5-apache2                     5.0.7+dfsg-6ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  rt5-clients                     5.0.7+dfsg-6ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  rt5-db-mysql                    5.0.7+dfsg-6ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  rt5-db-postgresql               5.0.7+dfsg-6ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  rt5-db-sqlite                   5.0.7+dfsg-6ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  rt5-fcgi                        5.0.7+dfsg-6ubuntu0.1~esm1
                                  Available with Ubuntu Pro
  rt5-standalone                  5.0.7+dfsg-6ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 24.04 LTS
  request-tracker5                5.0.5+dfsg-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  rt5-apache2                     5.0.5+dfsg-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  rt5-clients                     5.0.5+dfsg-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  rt5-db-mysql                    5.0.5+dfsg-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  rt5-db-postgresql               5.0.5+dfsg-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  rt5-db-sqlite                   5.0.5+dfsg-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  rt5-fcgi                        5.0.5+dfsg-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro
  rt5-standalone                  5.0.5+dfsg-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  request-tracker5                5.0.1+dfsg-1ubuntu1+esm2
                                  Available with Ubuntu Pro
  rt5-apache2                     5.0.1+dfsg-1ubuntu1+esm2
                                  Available with Ubuntu Pro
  rt5-clients                     5.0.1+dfsg-1ubuntu1+esm2
                                  Available with Ubuntu Pro
  rt5-db-mysql                    5.0.1+dfsg-1ubuntu1+esm2
                                  Available with Ubuntu Pro
  rt5-db-postgresql               5.0.1+dfsg-1ubuntu1+esm2
                                  Available with Ubuntu Pro
  rt5-db-sqlite                   5.0.1+dfsg-1ubuntu1+esm2
                                  Available with Ubuntu Pro
  rt5-fcgi                        5.0.1+dfsg-1ubuntu1+esm2
                                  Available with Ubuntu Pro
  rt5-standalone                  5.0.1+dfsg-1ubuntu1+esm2
                                  Available with Ubuntu Pro

After a standard system update you need to restart request-tracker5 to make
all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8506-1
  CVE-2026-41073, CVE-2026-41075, CVE-2026-41076, CVE-2026-44229,
  CVE-2026-44230, CVE-2026-44231, CVE-2026-6841

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to