-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Jun 2026 20:53:01 +1200
Source: request-tracker4
Binary: request-tracker4 rt4-apache2 rt4-clients rt4-db-mysql rt4-db-postgresql rt4-db-sqlite rt4-doc-html rt4-fcgi rt4-standalone
Architecture: all
Version: 4.4.6+dfsg-1.1+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: all / amd64 / i386 Build Daemon (x86-conova-02)
Changed-By: Andrew Ruthven
Description:
 request-tracker4 - extensible trouble-ticket tracking system
 rt4-apache2 - Apache 2 specific files for request-tracker4
 rt4-clients - mail gateway and command-line interface to request-tracker4
 rt4-db-mysql - MySQL database backend for request-tracker4
 rt4-db-postgresql - PostgreSQL database backend for request-tracker4
 rt4-db-sqlite - SQLite database backend for request-tracker4
 rt4-doc-html - HTML documentation for request-tracker4
 rt4-fcgi - External FastCGI support for request-tracker4
 rt4-standalone - Standalone web server support for request-tracker4
Changes:
 request-tracker4 (4.4.6+dfsg-1.1+deb12u4) bookworm-security; urgency=medium
 .
   * Include missing default configuration items for security vulnerability
     fixes included in 4.4.6+dfsg-1.1+deb12u2. Namely: RestrictLinkDomains
     and Cipher in %SMIME.
   * Apply upstream patch which fixes several security vulnerabilities:
     - [CVE-2026-6841] Reflected cross-site scripting via the search "Page"
       URL parameter.
     - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
       that are exported to a spreadsheet from search results. User-controlled
       data is not sanitized before being written to the output file, which
       can cause spreadsheet applications such as Microsoft Excel to interpret
       crafted values as formulas or macros when the file is opened.
     - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in
       JSON search. An authenticated user can craft input that is incorporated
       into database queries without proper validation, potentially allowing
       them to read or modify data in the RT database.
     - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
       authenticate users against an LDAP or Active Directory server. Under
       certain LDAP server configurations, an attacker may be able to
       authenticate as any LDAP-backed RT user without supplying valid
       credentials.
     - [CVE-2026-44229] Cross-site scripting via uploaded content that is
       served inline rather than as an attachment.
     - [CVE-2026-44231] Privilege escalation and information disclosure via
       the REST 2.0 user collection endpoint. A Privileged RT user can obtain
       authentication credentials belonging to other users, including
       administrators, and use those credentials to read data via RT's RSS
       and iCal feed endpoints. The same request that exposes the credentials
       also rotates them, which invalidates previously-distributed feed URLs
       across the instance. This vulnerability is likely only possible in RT4
       if the RT::Extension::REST2 extension is installed.
Checksums-Sha1:
 fb06fb7c7bcef99859af1329287f57465a608e59 21018 request-tracker4_4.4.6+dfsg-1.1+deb12u4_all-buildd.buildinfo
 f0db0a5495911f8767899897632c7c4c5dfbd61e 5553852 request-tracker4_4.4.6+dfsg-1.1+deb12u4_all.deb
 79e6a0a31e0f360bb7d5c5379b6ba4d3c98956ab 17644 rt4-apache2_4.4.6+dfsg-1.1+deb12u4_all.deb
 941246c3e67a0fd1afe800764e744f216da13469 50044 rt4-clients_4.4.6+dfsg-1.1+deb12u4_all.deb
 8a57fcd67bf293e30bdcb0f6b92cef3e66c7f106 16912 rt4-db-mysql_4.4.6+dfsg-1.1+deb12u4_all.deb
 9d519ab8bea6d68f68938e15c8c2105d4bfb7787 16916 rt4-db-postgresql_4.4.6+dfsg-1.1+deb12u4_all.deb
 d889e66dca5087d97ccb862fb10ac1b369451bcf 17016 rt4-db-sqlite_4.4.6+dfsg-1.1+deb12u4_all.deb
 0b11882b73c722023776bb0aa076fc445f1c23cf 3126840 rt4-doc-html_4.4.6+dfsg-1.1+deb12u4_all.deb
 5040847338ea5f67a60f2aa48eb3b144db9c653e 19380 rt4-fcgi_4.4.6+dfsg-1.1+deb12u4_all.deb
 ff3cc3c395c1c8f87b98edceeeb3417cd42075f6 16380 rt4-standalone_4.4.6+dfsg-1.1+deb12u4_all.deb
Checksums-Sha256:
 d83d89566752ba910f920f4c9817c3a4dcd8a200b7423a46f42c45a6a69acc44 21018 request-tracker4_4.4.6+dfsg-1.1+deb12u4_all-buildd.buildinfo
 90b4881b82e5619c1b7f955379535e58b3c2b4cfd1177fb593ecc4f85f594db8 5553852 request-tracker4_4.4.6+dfsg-1.1+deb12u4_all.deb
 71d19ae610f73d7ee1e79e3e4f64898b2032862782802739c0838c7fb95d823c 17644 rt4-apache2_4.4.6+dfsg-1.1+deb12u4_all.deb
 a42b58e6d8cf966e3afdbdb260a2b9e387709d2e798eb45f17e5e22e1d07df76 50044 rt4-clients_4.4.6+dfsg-1.1+deb12u4_all.deb
 911e83958991eaefab442aa9cc7720ace4cb2cf4dddde98debed295b00eac7a2 16912 rt4-db-mysql_4.4.6+dfsg-1.1+deb12u4_all.deb
 98c9b1b52434d022ed069e64072d431b2351d1f679accb55035848d394afdfcc 16916 rt4-db-postgresql_4.4.6+dfsg-1.1+deb12u4_all.deb
 bb36b69ed8022836bcb1507f952635b6d3eeaf3dd843c8fbb5333d46664527b3 17016 rt4-db-sqlite_4.4.6+dfsg-1.1+deb12u4_all.deb
 bce9449ef62ad0efcc2ca594115e466950447eda234373d4cf38f782200509f1 3126840 rt4-doc-html_4.4.6+dfsg-1.1+deb12u4_all.deb
 a1ee9a4a0c7247c4cce469b94a79f2b277d51b6437a9f8f9399acec17c43deae 19380 rt4-fcgi_4.4.6+dfsg-1.1+deb12u4_all.deb
 bef016633cd0183536e8e07d2b61f05188a18d337fc242d8439e1b71b3393426 16380 rt4-standalone_4.4.6+dfsg-1.1+deb12u4_all.deb
Files:
 cda326c5321bf74c632531a5f1baf1ea 21018 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4_all-buildd.buildinfo
 a55da530cf7f9eb0e8a565bc7002e8ee 5553852 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4_all.deb
 5ec03e678b60b69d870adaba478cb8d4 17644 misc optional rt4-apache2_4.4.6+dfsg-1.1+deb12u4_all.deb
 076074489b576e100b669e1731d59af7 50044 misc optional rt4-clients_4.4.6+dfsg-1.1+deb12u4_all.deb
 22b370912fc18440cce4a7b60b80ae64 16912 misc optional rt4-db-mysql_4.4.6+dfsg-1.1+deb12u4_all.deb
 6605b1a3d7c7e3719c70e893ce9994ab 16916 misc optional rt4-db-postgresql_4.4.6+dfsg-1.1+deb12u4_all.deb
 2e22fdb6991eabaed4002b5b9ef77e68 17016 misc optional rt4-db-sqlite_4.4.6+dfsg-1.1+deb12u4_all.deb
 a71f2c463b2aa6194828ccf14eac56a1 3126840 doc optional rt4-doc-html_4.4.6+dfsg-1.1+deb12u4_all.deb
 4ac34df12c10687965c7b589dfe596e4 19380 misc optional rt4-fcgi_4.4.6+dfsg-1.1+deb12u4_all.deb
 235fcbb3069fdbf3769066ab37e0a18b 16380 misc optional rt4-standalone_4.4.6+dfsg-1.1+deb12u4_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE+i/sCsF3puL4e7qIGNGWmfrqILEFAmolQ6MACgkQGNGWmfrq
ILE2BA/8DaFwqEcc04aUaP20mzgOa20eu+HyKwctJux0zCTOSX7pd70zSqD2Un7k
6OeWSfRRSpj0E8GbvhztupUVfzH4I66toHoDsdGy3O7Zsmpnt1IgpSNZcBD2rFHr
WcfWJBhMmERCPu0ZoqofZLhYDJSrcTdH7L3uM7P91w/MfkPSIHwiNsklcchylOQf
UPGD9gjEj3+WMyfUE9iMR2EY8mbXHf86OeYAKMSBUDY/neqH8d6zpIQtHyNZfktG
EEen8+lINuarpDNNb52BY7oeithq+7JNq+n4I2gGoAxJp+3mE6eAvOPvf+3ah1ZR
hi89g7C93K0LOFS8DyioHK6WfW2Qz4gxLykRtfWrt9TJ3MVM+H3qUUf3Jc0HzNxw
8/ori+0HQCHCehsZX9iweV8P/SfGPnlRaaa+qCg7WHnAUzzLA1cTvYxayGK0ze45
9TTegNIGg4q5G2t1phYMk/TVGER/YIxmayW3v7wZYxO+3dys47rumWHdInM6WPin
BwmhcsSVUexWJvehKQKu9s6zIjvzt3B6Vm8/B8ZqmKcK5nLpg0fYZO/YKNjKU3Rj
zToZWpcGe0iREiNa7rfh95eSA8bX13e4AXaSdy9PiwBpJIqLETYSbbeoRJfHw8QJ
3VoV9/a8bKP87G1PBDLL5q0D8O+RbjTwDRKAroD/Y2RH/QRIP4Y=
=6gAT
-----END PGP SIGNATURE-----