Debian alert DSA-6031-1 (request-tracker5)
| From: | Salvatore Bonaccorso <carnil@debian.org> | |
| To: | debian-security-announce@lists.debian.org | |
| Subject: | [SECURITY] [DSA 6031-1] request-tracker5 security update | |
| Date: | Wed, 22 Oct 2025 20:43:59 +0000 | |
| Message-ID: | <E1vBfgd-00EXqh-0R@seger.debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6031-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 22, 2025 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : request-tracker5 CVE ID : CVE-2025-9158 CVE-2025-61873 Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system, which could result in CSV injection via ticket values with special characters, or cross-site scripting via calendar invitations added to a ticket. For the oldstable distribution (bookworm), these problems have been fixed in version 5.0.3+dfsg-3~deb12u4. The oldstable distribution (bookworm) is only affected by CVE-2025-61873. For the stable distribution (trixie), these problems have been fixed in version 5.0.7+dfsg-4+deb13u1. We recommend that you upgrade your request-tracker5 packages. For the detailed security status of request-tracker5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/request-tracker5 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmj5QdxfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Ssow//aQKLanjazSu5Wd6bXnIDBhFDJyKro0ZB5ZHrl6VRRpQH1k10a0Mtu3js OTq8gYwbiTJJ9pV+YnzGtmDvVc22VhzuhZ+C10l96bjzjC1FCUHY4o8s7PbEFRjh 0Ntw6IMlESdZwLND33B0W9dWGuh4tgRvlVCw+bbXEgdEegvmc1Fj1QNrDoDaFAQ6 c3ZN0UDvCyNiIP3Ad+yLzlVpHiq29Cw150fadPjBU10YwkQLmr+zy9ygtfQXa7Mo Mg5DK9rkb2nx7hwRTXofLyYDccR7Ox/xZrnDx6yh4mUZPoeaLFePgiS0thGMWL0Z ti6XNtpnUVVg0xOerGawdp84lWHzLbbsbh/mCxW+TN1onpG9w9PthLVl/4oEYrDU c6IIAZxVZTX+4CFUwIaGmbtBKL6td1COVkUmEAauTAgwnB8XI4znF/xhIHn9IiDg /v2gTa0CV+K2BgFHSDzXu9xWiRNua6PRlZIk0SgQFIocqrqDvfthZOOPeFl3fkSZ exrEnON0crC6JMm4tKbYnirw5LRnt2GRaqZFrtAdN8xFtt/sCb8MJYj1Ai1W9ls8 NONf+dL/VZCUVO+uD+/YgsOvyz940ilM1MQ2k81aSTqve+i4zlL11eDGbaL09L+F OJswdsXV2iltKy4aavT+xf7DJketa1lpXqJMhWZVxtM1d/t7nts= =OM1p -----END PGP SIGNATURE-----