Debian alert DLA-4349-1 (request-tracker4)
| From: | Thorsten Alteholz <debian@alteholz.de> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 4349-1] request-tracker4 security update | |
| Date: | Sun, 26 Oct 2025 11:55:31 +0000 | |
| Message-ID: | <b14d1a6-6b13-a4d4-94aa-f1352c154d51@alteholz.de> |
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4349-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
October 26, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : request-tracker4
Version        : 4.4.4+dfsg-2+deb11u5
CVE ID         : CVE-2025-61873

It was discovered that Request Tracker, an extensible trouble-ticket
tracking system, is prone to a CSV injection via ticket values with
special characters that are exported to a TSV from search results.

For Debian 11 bullseye, this problem has been fixed in version
4.4.4+dfsg-2+deb11u5.

We recommend that you upgrade your request-tracker4 packages.

For the detailed security status of request-tracker4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/request-tracker4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
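
The advisory describes ticket values with special characters reaching a TSV export. As an added example (not code from the advisory or from Request Tracker, and not the fix shipped in the package), the sketch below shows a common mitigation for this class of bug: cells that begin with a formula-trigger character are prefixed with an apostrophe before export. The function names, the trigger set and the sample tickets are assumptions made for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications commonly treat as the
# start of a formula. This set is an assumption of the example, not taken
# from the advisory.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Return the value as text that a spreadsheet will not evaluate."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # A leading apostrophe makes the cell a text literal. Trade-off:
        # legitimate values such as "-5" are prefixed as well.
        return "'" + text
    return text


def export_tsv(columns, rows):
    """Serialise rows (a list of dicts) to TSV with every cell neutralised."""
    out = io.StringIO()
    # csv.writer quotes cells containing a tab, a newline or a double quote,
    # so embedded separators cannot shift data into other columns.
    writer = csv.writer(out, delimiter="\t", lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([neutralise_cell(row.get(col)) for col in columns])
    return out.getvalue()


# Constructed sample search results; not real ticket data.
SAMPLE_TICKETS = [
    {"id": 101, "Subject": "Printer offline", "Requestor": "alice@example.org"},
    {"id": 102, "Subject": "=SUM(A1:A9)", "Requestor": "bob@example.org"},
    {"id": 103, "Subject": "-1 day offset in report", "Requestor": "@carol"},
    {"id": 104, "Subject": "Line one\tcolumn break", "Requestor": None},
]

if __name__ == "__main__":
    print(export_tsv(["id", "Subject", "Requestor"], SAMPLE_TICKETS))
```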
