Source: request-tracker5 Version: 5.0.7+dfsg-2 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerabilities were published for request-tracker5. These should be fixed for the trixie release before release, so making them RC level. CVE-2025-31500[0]: | Cross Site Scripting via JavaScript injection in an RT permalink CVE-2025-31501[1]: | Cross Site Scripting via JavaScript injection in an Asset name CVE-2025-2545[2]: | Uses the default OpenSSL cipher, 3DES (des3), for encrypting SMIME email CVE-2025-30087[3]: | Cross Site Scripting via injection of malicious parameters in a search URL If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-31500 https://www.cve.org/CVERecord?id=CVE-2025-31500 [1] https://security-tracker.debian.org/tracker/CVE-2025-31501 https://www.cve.org/CVERecord?id=CVE-2025-31501 [2] https://security-tracker.debian.org/tracker/CVE-2025-2545 https://www.cve.org/CVERecord?id=CVE-2025-2545 [3] https://security-tracker.debian.org/tracker/CVE-2025-30087 https://www.cve.org/CVERecord?id=CVE-2025-30087 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
