Bug#1104422: marked as done (request-tracker5: CVE-2025-31500 CVE-2025-31501 CVE-2025-2545 CVE-2025-30087)

[Debian Bug Tracking System]

Your message dated Wed, 07 May 2025 21:20:26 +1200
with message-id <61406041911a9fd4d18970ebb92aa2df2da08449.ca...@etc.gen.nz>
and subject line Fixed CVEs
has caused the Debian Bug report #1104422,
regarding request-tracker5: CVE-2025-31500 CVE-2025-31501 CVE-2025-2545 
CVE-2025-30087
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1104422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104422
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: request-tracker5
Version: 5.0.7+dfsg-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for request-tracker5.

These should be fixed for the trixie release before release, so making
them RC level.

CVE-2025-31500[0]:
| Cross Site Scripting via JavaScript injection in an RT permalink


CVE-2025-31501[1]:
| Cross Site Scripting via JavaScript injection in an Asset name


CVE-2025-2545[2]:
| Uses the default OpenSSL cipher, 3DES (des3), for encrypting SMIME email


CVE-2025-30087[3]:
| Cross Site Scripting via injection of malicious parameters in a search URL


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-31500
    https://www.cve.org/CVERecord?id=CVE-2025-31500
[1] https://security-tracker.debian.org/tracker/CVE-2025-31501
    https://www.cve.org/CVERecord?id=CVE-2025-31501
[2] https://security-tracker.debian.org/tracker/CVE-2025-2545
    https://www.cve.org/CVERecord?id=CVE-2025-2545
[3] https://security-tracker.debian.org/tracker/CVE-2025-30087
    https://www.cve.org/CVERecord?id=CVE-2025-30087

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Control: fixed -1 5.0.7+dfsg-3
Control: fixed -1 5.0.3+dfsg-3~deb12u3

Thank you Salvatore, I missed that this bug had been created - I blame
timezones.

Fixed as noted, and Closing tags have been added to d/changelog for future
uploads.

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud: | This space intentionally left blank
https://catalystcloud.nz |

--- End Message ---