-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 01 Jun 2026 13:10:39 +1200
Source: request-tracker5
Binary: request-tracker5 rt5-apache2 rt5-clients rt5-db-mysql rt5-db-postgresql rt5-db-sqlite rt5-doc-html rt5-fcgi rt5-standalone
Architecture: all
Version: 5.0.7+dfsg-4+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02) <buildd_amd64-x86-conova-02@buildd.debian.org>
Changed-By: Andrew Ruthven <andrew@etc.gen.nz>
Description:
 request-tracker5 - extensible trouble-ticket tracking system
 rt5-apache2 - Apache 2 specific files for request-tracker5
 rt5-clients - mail gateway and command-line interface to request-tracker5
 rt5-db-mysql - MySQL database backend for request-tracker5
 rt5-db-postgresql - PostgreSQL database backend for request-tracker5
 rt5-db-sqlite - SQLite database backend for request-tracker5
 rt5-doc-html - HTML documentation for request-tracker5
 rt5-fcgi   - External FastCGI support for request-tracker5
 rt5-standalone - Standalone web server support for request-tracker5
Changes:
 request-tracker5 (5.0.7+dfsg-4+deb13u3) trixie-security; urgency=high
 .
   * Include missing default configuration items for security vulnerability
     fixes included in 5.0.7+dfsg-3. Namely: RestrictLinkDomains and Cipher
     in %SMIME.
   * Apply upstream patch which fixes several security vulnerabilities:
     - [CVE-2026-6841] Reflected cross-site scripting via the search "Page" URL
       parameter.
     - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
       that are exported to a spreadsheet from search results.  User-controlled
       data is not sanitized before being written to the output file, which can
       cause spreadsheet applications such as Microsoft Excel to interpret
       crafted values as formulas or macros when the file is opened.
     - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in JSON
       search. An authenticated user can craft input that is incorporated into
       database queries without proper validation, potentially allowing them to
       read or modify data in the RT database.
     - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
       authenticate users against an LDAP or Active Directory server. Under
       certain LDAP server configurations, an attacker may be able to
       authenticate as any LDAP-backed RT user without supplying valid
       credentials.
     - [CVE-2026-44229] Cross-site scripting via uploaded content that is served
       inline rather than as an attachment.
     - [CVE-2026-44230] Reflected cross-site scripting on search-results chart
       pages.
     - [CVE-2026-44231] Privilege escalation and information disclosure via the
       REST 2.0 user collection endpoint. A Privileged RT user can obtain
       authentication credentials belonging to other users, including
       administrators, and use those credentials to read data via RT's RSS and
       iCal feed endpoints. The same request that exposes the credentials also
       rotates them, which invalidates previously-distributed feed URLs across
       the instance.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
