==========================================================================
Ubuntu Security Notice USN-7692-1
August 13, 2025
request-tracker5 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Request Tracker.
Software Description:
- request-tracker5: An open source, enterprise-grade issue and ticket tracking system.
Details:
It was discovered that Request Tracker was susceptible to timing
attacks. An attacker could possibly use this issue to access sensitive
information. This issue only affected Ubuntu 22.04 LTS. (CVE-2021-38562)
It was discovered that Request Tracker was susceptible to cross-site
scripting attacks when malicious attachments were supplied. An attacker
could possibly use this issue to execute arbitrary code. This issue
only affected Ubuntu 22.04 LTS. (CVE-2022-25802)
It was discovered that Request Tracker would incorrectly redirect users
in certain instances. An attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 22.04 LTS.
(CVE-2022-25803)
Tom Wolters discovered that Request Tracker could leak information when
malicious email headers were supplied. An attacker could possibly
use this issue to access sensitive information. This issue only
affected Ubuntu 22.04 LTS. (CVE-2023-41259, CVE-2023-41260)
It was discovered that Request Tracker could leak information through
its transaction search. An attacker with access to the transaction
query builder of Request Tracker could possibly use this issue to
access sensitive information. This issue only affected Ubuntu 22.04
LTS. (CVE-2023-45024)
It was discovered that Request Tracker erroneously stored ticket
information in a web browser's cache. An attacker with direct access to
a system could possibly use this issue to access sensitive information.
This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
(CVE-2024-3262)
It was discovered that Request Tracker made use of an obsolete
cryptographic algorithm for emails sent with S/MIME encryption. An
attacker could possibly use this issue to access sensitive information.
(CVE-2025-2545)
It was discovered that Request Tracker was susceptible to cross-site
scripting attacks when malicious parameters were included in a search
URL. An attacker could possibly use this issue to execute arbitrary
code. (CVE-2025-30087)
It was discovered that Request Tracker was susceptible to cross-site
scripting attacks when malicious permalinks or assets were provided.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2025-31500, CVE-2025-31501)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 25.04
request-tracker5 5.0.7+dfsg-2ubuntu0.1
rt5-fcgi 5.0.7+dfsg-2ubuntu0.1
rt5-standalone 5.0.7+dfsg-2ubuntu0.1
Ubuntu 24.04 LTS
request-tracker5 5.0.5+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro
rt5-fcgi 5.0.5+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro
rt5-standalone 5.0.5+dfsg-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
request-tracker5 5.0.1+dfsg-1ubuntu1+esm1
Available with Ubuntu Pro
rt5-fcgi 5.0.1+dfsg-1ubuntu1+esm1
Available with Ubuntu Pro
rt5-standalone 5.0.1+dfsg-1ubuntu1+esm1
Available with Ubuntu Pro
After a standard system update you need to restart Request Tracker to make
all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7692-1
CVE-2021-38562, CVE-2022-25802, CVE-2022-25803, CVE-2023-41259,
CVE-2023-41260, CVE-2023-45024, CVE-2024-3262, CVE-2025-2545,
CVE-2025-30087, CVE-2025-31500, CVE-2025-31501
Package Information:
https://launchpad.net/ubuntu/+source/request-tracker5/5.0.7+dfsg-2ubuntu0.1
No comments:
Post a Comment