[SECURITY] [DSA 6031-1] request-tracker5 security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6031-1] request-tracker5 security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 22 Oct 2025 20:43:59 +0000
Message-id: <[🔎] E1vBfgd-00EXqh-0R@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6031-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 22, 2025                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : request-tracker5
CVE ID         : CVE-2025-9158 CVE-2025-61873

Multiple vulnerabilities have been discovered in Request Tracker, an
extensible trouble-ticket tracking system, which could result in CSV
injection via ticket values with special characters, or cross-site
scripting via calendar invitations added to a ticket.

For the oldstable distribution (bookworm), these problems have been
fixed in version 5.0.3+dfsg-3~deb12u4. The oldstable distribution
(bookworm) is only affected by CVE-2025-61873.

For the stable distribution (trixie), these problems have been fixed in
version 5.0.7+dfsg-4+deb13u1.

We recommend that you upgrade your request-tracker5 packages.

For the detailed security status of request-tracker5 please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/request-tracker5

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmj5QdxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Ssow//aQKLanjazSu5Wd6bXnIDBhFDJyKro0ZB5ZHrl6VRRpQH1k10a0Mtu3js
OTq8gYwbiTJJ9pV+YnzGtmDvVc22VhzuhZ+C10l96bjzjC1FCUHY4o8s7PbEFRjh
0Ntw6IMlESdZwLND33B0W9dWGuh4tgRvlVCw+bbXEgdEegvmc1Fj1QNrDoDaFAQ6
c3ZN0UDvCyNiIP3Ad+yLzlVpHiq29Cw150fadPjBU10YwkQLmr+zy9ygtfQXa7Mo
Mg5DK9rkb2nx7hwRTXofLyYDccR7Ox/xZrnDx6yh4mUZPoeaLFePgiS0thGMWL0Z
ti6XNtpnUVVg0xOerGawdp84lWHzLbbsbh/mCxW+TN1onpG9w9PthLVl/4oEYrDU
c6IIAZxVZTX+4CFUwIaGmbtBKL6td1COVkUmEAauTAgwnB8XI4znF/xhIHn9IiDg
/v2gTa0CV+K2BgFHSDzXu9xWiRNua6PRlZIk0SgQFIocqrqDvfthZOOPeFl3fkSZ
exrEnON0crC6JMm4tKbYnirw5LRnt2GRaqZFrtAdN8xFtt/sCb8MJYj1Ai1W9ls8
NONf+dL/VZCUVO+uD+/YgsOvyz940ilM1MQ2k81aSTqve+i4zlL11eDGbaL09L+F
OJswdsXV2iltKy4aavT+xf7DJketa1lpXqJMhWZVxtM1d/t7nts=
=OM1p
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6030-1] intel-microcode security update
Next by Date: [SECURITY] [DSA 6032-1] request-tracker4 security update
Previous by thread: [SECURITY] [DSA 6030-1] intel-microcode security update
Next by thread: [SECURITY] [DSA 6032-1] request-tracker4 security update
Index(es):
- Date
- Thread