-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 Apr 2025 15:57:24 +1200
Source: request-tracker5
Architecture: source
Version: 5.0.3+dfsg-3~deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Andrew Ruthven <andrew@etc.gen.nz>
Changed-By: Andrew Ruthven <andrew@etc.gen.nz>
Closes: 1055128 1068453
Changes:
 request-tracker5 (5.0.3+dfsg-3~deb12u3) bookworm-security; urgency=medium
 .
   * Correct CVE-2023-41260 number in previous entry (Closes: #1055128).
   * Add patches from 5.0.6 to resolve CVE-2024-3262. Information exposure
     vulnerability due to browser cache usage. If you have sensitive
     information enable the $WebStrictBrowserCache option (Closes: #1068453).
   * Apply upstream patches which fix several security vulnerabilities.
     - [CVE-2025-30087] Vulnerable to Cross Site Scripting via injection of
       malicious parameters in a search URL.
     - [CVE-2025-2545] RT uses the default OpenSSL cipher, 3DES (des3), for
       encrypting SMIME email. This is an outdated cipher algorithm, so the
       default is changed to aes-128-cbc. In addition, this is now configurable
       so you can pick an alternate cipher now or in the future, or revert to
       des3 if needed for compatibility.
     - [CVE-2025-31501] Vulnerable to Cross Site Scripting via JavaScript
       injection in an Asset name.
     - [CVE-2025-31500] Vulnerable to Cross Site Scripting via JavaScript
       injection in an RT permalink.
Checksums-Sha1:
 94fe2ed81772e6cda1dc88216b808263219cb279 6209 request-tracker5_5.0.3+dfsg-3~deb12u3.dsc
 d0ce29f6c497f0dfd6e31a5a888bc8f0a66c2ed7 168988 request-tracker5_5.0.3+dfsg-3~deb12u3.debian.tar.xz
 5b450d2df723212aba79e5af889f0df2575f8c87 24090 request-tracker5_5.0.3+dfsg-3~deb12u3_amd64.buildinfo
Checksums-Sha256:
 d31abc36b961a4616069ee7387c4900ae8d99e909ec0f7fe260df0b495ba6e1b 6209 request-tracker5_5.0.3+dfsg-3~deb12u3.dsc
 c7697b1372c0d4c87485506ecfb5962e11dfa81cfb8b829a5ca5940ed8155f7a 168988 request-tracker5_5.0.3+dfsg-3~deb12u3.debian.tar.xz
 c0605236e9063ec02c91d54ddf8fc86c0a8a4bf434b32f9033ee2a88fd0c0526 24090 request-tracker5_5.0.3+dfsg-3~deb12u3_amd64.buildinfo
Files:
 74306ffc6d272cc96a43707ab3520b10 6209 misc optional request-tracker5_5.0.3+dfsg-3~deb12u3.dsc
 5968625eb6273798491ab4f7d9ea2de4 168988 misc optional request-tracker5_5.0.3+dfsg-3~deb12u3.debian.tar.xz
 0bd0f7f48b15258f9c42089e748a33f0 24090 misc optional request-tracker5_5.0.3+dfsg-3~deb12u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----