========================================================================= Ubuntu Security Notice USN-7692-1 August 13, 2025 request-tracker5 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.04 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Request Tracker. Software Description: - request-tracker5: An open source, enterprise-grade issue and ticket tracking system. Details: It was discovered that Request Tracker was susceptible to timing attacks. An attacker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 22.04 LTS. (CVE-2021-38562) It was discovered that Request Tracker was susceptible to cross-site scripting attacks when malicious attachments were supplied. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-25802) It was discovered that Request Tracker would incorrectly redirect users in certain instances. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-25803) Tom Wolters discovered that Request Tracker could leak information when malicious email headers were supplied. An attacker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-41259, CVE-2023-41260) It was discovered that Request Tracker could leak information through its transaction search. An attacker with access to the transaction query builder of Request Tracker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-45024) It was discovered that Request Tracker erroneously stored ticket information in a web browser's cache. An attacker with direct access to a system could possibly use this issue to access sensitive information. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-3262) It was discovered that Request Tracker made use of an obsolete cryptographic algorithm for emails sent with S/MIME encryption. An attacker could possibly use this issue to access sensitive information. (CVE-2025-2545) It was discovered that Request Tracker was susceptible to cross-site scripting attacks when malicious parameters were included in a search URL. An attacker could possibly use this issue to execute arbitrary code. (CVE-2025-30087) It was discovered that Request Tracker was susceptible to cross-site scripting attacks when malicious permalinks or assets were provided. An attacker could possibly use this issue to execute arbitrary code. (CVE-2025-31500, CVE-2025-31501) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.04 request-tracker5 5.0.7+dfsg-2ubuntu0.1 rt5-fcgi 5.0.7+dfsg-2ubuntu0.1 rt5-standalone 5.0.7+dfsg-2ubuntu0.1 Ubuntu 24.04 LTS request-tracker5 5.0.5+dfsg-2ubuntu0.1~esm1 Available with Ubuntu Pro rt5-fcgi 5.0.5+dfsg-2ubuntu0.1~esm1 Available with Ubuntu Pro rt5-standalone 5.0.5+dfsg-2ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 22.04 LTS request-tracker5 5.0.1+dfsg-1ubuntu1+esm1 Available with Ubuntu Pro rt5-fcgi 5.0.1+dfsg-1ubuntu1+esm1 Available with Ubuntu Pro rt5-standalone 5.0.1+dfsg-1ubuntu1+esm1 Available with Ubuntu Pro After a standard system update you need to restart Request Tracker to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7692-1 CVE-2021-38562, CVE-2022-25802, CVE-2022-25803, CVE-2023-41259, CVE-2023-41260, CVE-2023-45024, CVE-2024-3262, CVE-2025-2545, CVE-2025-30087, CVE-2025-31500, CVE-2025-31501 Package Information: https://launchpad.net/ubuntu/+source/request-tracker5/5.0.7+dfsg-2ubuntu0.1