-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Jun 2026 20:53:01 +1200
Source: request-tracker4
Architecture: source
Version: 4.4.6+dfsg-1.1+deb12u4
Distribution: bookworm-security
Urgency: medium
Maintainer: Andrew Ruthven
Changed-By: Andrew Ruthven
Changes:
 request-tracker4 (4.4.6+dfsg-1.1+deb12u4) bookworm-security; urgency=medium
 .
   * Include missing default configuration items for security vulnerability
     fixes included in 4.4.6+dfsg-1.1+deb12u2. Namely: RestrictLinkDomains
     and Cipher in %SMIME.
   * Apply upstream patch which fixes several security vulnerabilities:
     - [CVE-2026-6841] Reflected cross-site scripting via the search "Page"
       URL parameter.
     - [CVE-2026-41073] Spreadsheet (CSV/formula) injection via ticket values
       that are exported to a spreadsheet from search results. User-controlled
       data is not sanitized before being written to the output file, which
       can cause spreadsheet applications such as Microsoft Excel to interpret
       crafted values as formulas or macros when the file is opened.
     - [CVE-2026-41075] SQL injection via the entry_aggregator parameter in
       JSON search. An authenticated user can craft input that is incorporated
       into database queries without proper validation, potentially allowing
       them to read or modify data in the RT database.
     - [CVE-2026-41076] LDAP authentication bypass when RT is configured to
       authenticate users against an LDAP or Active Directory server. Under
       certain LDAP server configurations, an attacker may be able to
       authenticate as any LDAP-backed RT user without supplying valid
       credentials.
     - [CVE-2026-44229] Cross-site scripting via uploaded content that is
       served inline rather than as an attachment.
     - [CVE-2026-44231] Privilege escalation and information disclosure via
       the REST 2.0 user collection endpoint. A Privileged RT user can obtain
       authentication credentials belonging to other users, including
       administrators, and use those credentials to read data via RT's RSS
       and iCal feed endpoints. The same request that exposes the credentials
       also rotates them, which invalidates previously-distributed feed URLs
       across the instance. This vulnerability is likely only possible in RT4
       if the RT::Extension::REST2 extension is installed.
Checksums-Sha1:
 a385fcd31f6d0be5c09caba2db06c280ad85c219 5978 request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
 ffc7e05a4b24583a1ec0a8d53eb0651d3b48a8e0 161100 request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
 e8d15668b3b26ff3ff720555c9cd1b77e3f0cdba 21217 request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo
Checksums-Sha256:
 30d0b1e7213214ed8384fc2947c664efcaa0a2da0d22a5092ceddbb81ff10031 5978 request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
 990278094ab72e367f9b328fc52c22c3240eb6b56a5f248ab4b3f3d229496da6 161100 request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
 a770d91f1ada64cdcfeb779588d9a0284c7c8ec1d316b098f6ddc96e9a65bc10 21217 request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo
Files:
 f8edb88ae30786292ea71a470ac692dc 5978 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
 5e211927df988f5cce55985fbe4d44c1 161100 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
 5d7ff718758008f68c9ee658e920b6db 21217 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEExgP8TmAPHOzRyNl8S1PZMeTT6GMFAmok+xUACgkQS1PZMeTT
6GPjvg/9F2xedsRYRrOG4ZFwYRu0TQRDG9Gbp/0wOnOeqJPyJKcKAG9aRi9taV92
7mA83Xlh6AR49miZXxSishUKpY0BZoGrGLdlFFUjY7d//UoouiCzpsOdp8CLKyu2
nguNj3n/Rm4bKGfi1bHe1jzGU5847K1fHzdhZ+523R29octBbqnJzHueGyW0KjGT
70p+IxVLj0sSZkDqVU3u1Q5nuXuS6gZp8ZNDo401uVoLwDHax1DAiniS0HFCNURO
jnpeQ7JchiYVdTkqJGQvp6WH3wtDoHoyD6u4YDytVe1ET9HMbZD/DyXcf/2qqwTR
sP/VdfSNHVXSOczKo0NtoEz18BdjBB/Qp8R+Hf3mcSckEwWnn42m8QR/24Gjw/ZD
N6rMSIKDYmphd8Iwp89udo4KT5VYAUTR2rnfrlcr1W260HeKDFklA8WR4LKIcD8b
20k6fgktGSbuXtgsk6/SZ4SMtPQw+vzAUK6v7SprQrCHBybRRygb6JE0l6VGvdem
wYQG3Yzd/cRcCtuJ/Jeyx9tU9HAaR1vpj9KXJylKZFQIof/2CuVAm8HAZaw1gcxj
CE4txwhpUVmW118AwuTTWrpiDEuEUWKBe0uS4IycNSx4yEms6MdRffutdSLA4Ulc
8JkoobPgfO2AqABQlgNOfyu3y0BN+zX6nmo7veqdiSir65jS2vY=
=vGbw
-----END PGP SIGNATURE-----
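Added example, not part of this upload and not Debian's own tooling: a small verifier for the manifest format above. It parses the deb822 paragraph of a clear-signed .changes file, takes the Checksums-Sha256 field as the only evidence (the MD5 Files field is consulted only to confirm both sections list the same files), and checks each file's size and SHA-256. It refuses manifests without a SHA-256 section and rejects file names containing path separators, so a tampered manifest cannot point verification at files outside the download directory. The embedded manifest excerpt is copied from the checksum fields above with the changelog and signature omitted; the function names, the Python 3.9+ requirement, and the "5 a.dsc"-style test manifests are this example's own. It does not check the OpenPGP signature: `gpg --verify` or `dscverify` remains the trust anchor, and these checksums are only as trustworthy as the signature over them.

```python
"""Verify a Debian .changes manifest against the files it lists (added example)."""
import hashlib
import re
from pathlib import Path

# Constructed excerpt of the .changes file on this page: checksum sections kept
# verbatim, changelog body and OpenPGP signature left out.
CHANGES_TEXT = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Source: request-tracker4
Version: 4.4.6+dfsg-1.1+deb12u4
Distribution: bookworm-security
Checksums-Sha256:
 30d0b1e7213214ed8384fc2947c664efcaa0a2da0d22a5092ceddbb81ff10031 5978 request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
 990278094ab72e367f9b328fc52c22c3240eb6b56a5f248ab4b3f3d229496da6 161100 request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
 a770d91f1ada64cdcfeb779588d9a0284c7c8ec1d316b098f6ddc96e9a65bc10 21217 request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo
Files:
 f8edb88ae30786292ea71a470ac692dc 5978 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4.dsc
 5e211927df988f5cce55985fbe4d44c1 161100 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4.debian.tar.xz
 5d7ff718758008f68c9ee658e920b6db 21217 misc optional request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
(signature omitted in this excerpt)
-----END PGP SIGNATURE-----
"""

# MD5, SHA-1 or SHA-256 hex digests; anything else is a malformed line.
HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def parse_deb822(text: str) -> dict[str, str]:
    """Fields of the single paragraph in a (possibly clear-signed) .changes file.

    Skips the armor headers before the first blank line, stops at the signature
    block, undoes OpenPGP dash-escaping and joins continuation lines with '\\n'.
    """
    lines = text.splitlines()
    start = 0
    if lines and lines[0].startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        start = 1
        while start < len(lines) and lines[start].strip():
            start += 1          # "Hash: SHA512" and any other armor headers
        start += 1              # the blank line that ends them
    fields: dict[str, str] = {}
    current = None
    for line in lines[start:]:
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if line.startswith("- "):
            line = line[2:]     # cleartext-signature dash escaping
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line[1:]
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed field line: {line!r}")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def parse_checksums(field_value: str) -> dict[str, tuple[str, int]]:
    """filename -> (hexdigest, size) from a Files or Checksums-* field.

    Files lines are 'md5 size section priority name'; Checksums-* lines are
    'digest size name'. Both start with digest and size and end with the name.
    """
    entries: dict[str, tuple[str, int]] = {}
    for line in field_value.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, name = parts[0].lower(), parts[1], parts[-1]
        if not HEX_RE.match(digest) or not size.isdigit():
            raise ValueError(f"malformed checksum line: {line!r}")
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"unsafe file name in manifest: {name!r}")
        if name in entries:
            raise ValueError(f"duplicate manifest entry: {name!r}")
        entries[name] = (digest, int(size))
    return entries


def verify_bytes(changes_text: str, contents: dict[str, bytes]) -> dict[str, str]:
    """Check every Checksums-Sha256 entry against in-memory file contents.

    Returns {name: 'ok' | 'missing' | 'size mismatch' | 'sha256 mismatch'}.
    """
    fields = parse_deb822(changes_text)
    if "Checksums-Sha256" not in fields:
        raise ValueError("no Checksums-Sha256 field; refusing to fall back to MD5/SHA-1")
    expected = parse_checksums(fields["Checksums-Sha256"])
    if "Files" in fields and set(parse_checksums(fields["Files"])) != set(expected):
        raise ValueError("Files and Checksums-Sha256 disagree about which files are listed")
    results: dict[str, str] = {}
    for name, (digest, size) in expected.items():
        data = contents.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "sha256 mismatch"
        else:
            results[name] = "ok"
    return results


def verify_directory(changes_path, directory=None) -> dict[str, str]:
    """Verify the files next to a .changes file on disk (e.g. after dget)."""
    changes_path = Path(changes_path)
    directory = Path(directory) if directory else changes_path.parent
    text = changes_path.read_text(encoding="utf-8")
    names = parse_checksums(parse_deb822(text).get("Checksums-Sha256", ""))
    contents = {n: (directory / n).read_bytes() for n in names if (directory / n).is_file()}
    return verify_bytes(text, contents)


if __name__ == "__main__":
    # Nothing is downloaded here, so every entry reports 'missing'; point
    # verify_directory() at a real download to get real results.
    for name, status in verify_bytes(CHANGES_TEXT, {}).items():
        print(f"{status:16} {name}")
```

Run `verify_directory("request-tracker4_4.4.6+dfsg-1.1+deb12u4_amd64.changes")` in the directory holding the downloaded .dsc, .debian.tar.xz and .buildinfo after the signature has been checked; a `size mismatch` is worth distinguishing from a `sha256 mismatch` because a truncated download and a substituted file call for different responses.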