Format: 1.8
Date: Thu, 17 Apr 2025 15:57:24 +1200
Source: request-tracker5
Binary: request-tracker5 rt5-apache2 rt5-clients rt5-db-mysql rt5-db-postgresql rt5-db-sqlite rt5-doc-html rt5-fcgi rt5-standalone
Architecture: all
Version: 5.0.3+dfsg-3~deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: all Build Daemon (x86-grnet-02)
Changed-By: Andrew Ruthven
Description:
 request-tracker5 - extensible trouble-ticket tracking system
 rt5-apache2 - Apache 2 specific files for request-tracker5
 rt5-clients - mail gateway and command-line interface to request-tracker5
 rt5-db-mysql - MySQL database backend for request-tracker5
 rt5-db-postgresql - PostgreSQL database backend for request-tracker5
 rt5-db-sqlite - SQLite database backend for request-tracker5
 rt5-doc-html - HTML documentation for request-tracker5
 rt5-fcgi - External FastCGI support for request-tracker5
 rt5-standalone - Standalone web server support for request-tracker5
Closes: 1055128 1068453
Changes:
 request-tracker5 (5.0.3+dfsg-3~deb12u3) bookworm-security; urgency=medium
 .
   * Correct CVE-2023-41260 number in previous entry (Closes: #1055128).
   * Add patches from 5.0.6 to resolve CVE-2024-3262. Information exposure
     vulnerability due to browser cache usage. If you have sensitive
     information enable the $WebStrictBrowserCache option (Closes: #1068453).
   * Apply upstream patches which fix several security vulnerabilities.
     - [CVE-2025-30087] Vulnerable to Cross Site Scripting via injection of
       malicious parameters in a search URL.
     - [CVE-2025-2545] RT uses the default OpenSSL cipher, 3DES (des3), for
       encrypting SMIME email. This is an outdated cipher algorithm, so the
       default is changed to aes-128-cbc. In addition, this is now
       configurable so you can pick an alternate cipher now or in the future,
       or revert to des3 if needed for compatibility.
     - [CVE-2025-31501] Vulnerable to Cross Site Scripting via JavaScript
       injection in an Asset name.
     - [CVE-2025-31500] Vulnerable to Cross Site Scripting via JavaScript
       injection in an RT permalink.