Source: request-tracker5
Version: 5.0.7+dfsg-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for request-tracker5.

These should be fixed for the trixie release before release, so making
them RC level.

CVE-2025-31500[0]:
| Cross Site Scripting via JavaScript injection in an RT permalink


CVE-2025-31501[1]:
| Cross Site Scripting via JavaScript injection in an Asset name


CVE-2025-2545[2]:
| Uses the default OpenSSL cipher, 3DES (des3), for encrypting SMIME email


CVE-2025-30087[3]:
| Cross Site Scripting via injection of malicious parameters in a search URL


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-31500
https://www.cve.org/CVERecord?id=CVE-2025-31500
[1] https://security-tracker.debian.org/tracker/CVE-2025-31501
https://www.cve.org/CVERecord?id=CVE-2025-31501
[2] https://security-tracker.debian.org/tracker/CVE-2025-2545
https://www.cve.org/CVERecord?id=CVE-2025-2545
[3] https://security-tracker.debian.org/tracker/CVE-2025-30087
https://www.cve.org/CVERecord?id=CVE-2025-30087

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)