<?xml version="1.0" encoding="UTF-8" ?>

<bugzilla version="5.2"
          urlbase="https://bugzilla.altlinux.org/"
          
          maintainer="jenya@basealt.ru"
>

    <bug>
          <bug_id>49420</bug_id>
          
          <creation_ts>2024-02-14 20:44:48 +0300</creation_ts>
          <short_desc>Несколько CVE в RT 4.4.4+: CVE-2022-25802, CVE-2023-41259, CVE-2023-41260</short_desc>
          <delta_ts>2026-07-16 22:53:56 +0300</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>4</classification_id>
          <classification>Development</classification>
          <product>Sisyphus</product>
          <component>rt</component>
          <version>unstable</version>
          <rep_platform>all</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords>security</keywords>
          <priority>P5</priority>
          <bug_severity>normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Rostislav">ogldelphi</reporter>
          <assigned_to name="viy">viy</assigned_to>
          <cc>akv</cc>
    
    <cc>amakeenk</cc>
    
    <cc>lav</cc>
    
    <cc>viy</cc>
          
          <qa_contact>qa-sisyphus</qa_contact>

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>241673</commentid>
    <comment_count>0</comment_count>
    <who name="Rostislav">ogldelphi</who>
    <bug_when>2024-02-14 20:44:48 +0300</bug_when>
    <thetext>В Request Tracker версий 4.4.4-4.4.5 существует уязвимость CVE-2022-25802 Уровень: 7.8 cross-site scripting (XSS), исправлена в 4.4.6

Также в версии 4.4.7 исправлены: CVE-2023-41259 Уровень: 7.5, CVE-2023-41260 Уровень: 7.5</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>241680</commentid>
    <comment_count>1</comment_count>
    <who name="Alexander Makeenkov">amakeenk</who>
    <bug_when>2024-02-15 09:42:14 +0300</bug_when>
    <thetext>Сначала нужно обновить в сизифе.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>291209</commentid>
    <comment_count>2</comment_count>
    <who name="Repository Robot">repository-robot</who>
    <bug_when>2026-07-16 22:53:56 +0300</bug_when>
    <thetext>rt-4.4.7-alt1 -&gt; sisyphus:

Wed Jul 15 2026 Vitaly Lipatov &lt;lav@altlinux.ru&gt; 4.4.7-alt1
- new version 4.4.7 (CVE-2022-25802, CVE-2023-41259, CVE-2023-41260) (closes: #49420)
- fix ftbfs: package builds again (closes: #39031)
- add BuildRequires: perl(Test/MockTime/HiRes.pm) (new 4.4.7 devel dependency)
- filter perl(GraphViz2) from requires; make rt-test-dependencies non-fatal
  (4.4.7 switched optional graph rendering to GraphViz2, not packaged in Sisyphus)
- add Patch6: drop redundant testdeps prerequisite from &quot;make install&quot;
  (the dep-check already runs non-fatally in %build)
- add Patch7: fix rt-setup-database upgrade dir (defaulted to relative
  &quot;./etc/upgrade&quot;; now uses $RT::EtcPath/upgrade -&gt; /usr/share/rt/upgrade)</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>