[From nobody Thu May 21 13:21:08 2026
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Reply-To: Andrew Ruthven <andrew@etc.gen.nz>
To: 1109102-close@bugs.debian.org
X-DAK: dak process-upload
X-Debian: DAK
X-Debian-Package: request-tracker5
Debian: DAK
Debian-Changes: request-tracker5_5.0.10+dfsg-1_source.changes
Debian-Source: request-tracker5
Debian-Version: 5.0.10+dfsg-1
Debian-Architecture: source
Debian-Suite: unstable
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1109102: fixed in request-tracker5 5.0.10+dfsg-1
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature";
 boundary="===============9189720477461489091=="
Message-Id: <E1wQ2MS-00000002as8-30rb@fasolo.debian.org>
Date: Thu, 21 May 2026 12:18:48 +0000

--===============9189720477461489091==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Source: request-tracker5
Source-Version: 5.0.10+dfsg-1
Done: Andrew Ruthven <andrew@etc.gen.nz>

We believe that the bug you reported is fixed in the latest version of
request-tracker5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1109102@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Ruthven <andrew@etc.gen.nz> (supplier of updated request-tracker5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 May 2026 20:44:52 +1200
Source: request-tracker5
Architecture: source
Version: 5.0.10+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Andrew Ruthven <andrew@etc.gen.nz>
Changed-By: Andrew Ruthven <andrew@etc.gen.nz>
Closes: 1109102
Changes:
 request-tracker5 (5.0.10+dfsg-1) unstable; urgency=medium
 .
   * New upstream release.
     - [CVE-2026-41075] Fix SQL injection via the entry_aggregator parameter in
       JSON search. An authenticated user can craft input that is incorporated
       into database queries without proper validation, potentially allowing
       them to read or modify data in the RT database.
     - [CVE-2026-41076] Fix an LDAP authentication bypass when RT is configured
       to authenticate users against an LDAP or Active Directory server. Under
       certain LDAP server configurations, an attacker may be able to
       authenticate as any LDAP-backed RT user without supplying valid
       credentials.
     - [CVE-2026-6841] Fix a reflected cross-site scripting via the search "Page"
       URL parameter.
     - [CVE-2026-44227] Fix a reflected cross-site scripting via additional URL
       parameters on search pages.
     - [CVE-2026-44230] Fix a reflected cross-site scripting on search-results
       chart pages.
     - [CVE-2026-44229] Fix a cross-site scripting via uploaded content that is
       served inline rather than as an attachment.
     - [CVE-2026-41073] Fix a spreadsheet (CSV/formula) injection via ticket
       values that are exported to a spreadsheet from search results.
       User-controlled data is not sanitized before being written to the output
       file, which can cause spreadsheet applications such as Microsoft Excel to
       interpret crafted values as formulas or macros when the file is opened.
   * Drop patches no longer needed:
     - fix-WWW::Mechanize_v2.20_in_tests.diff
     - add-missing-rt-base-require.diff
     - fix-gnupg-2.4.9.diff
   * Drop redundant lintian overrides for rt5-doc-html.
   * Add missing ".service" to ordering lines in request-tracker5.service
     (Closes: #1109102).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--===============9189720477461489091==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--===============9189720477461489091==--
]