Bug 49420

Summary: Несколько CVE в RT 4.4.4+: CVE-2022-25802, CVE-2023-41259, CVE-2023-41260
Product: Sisyphus Reporter: Rostislav <ogldelphi>
Component: rtAssignee: viy <viy>
Status: RESOLVED FIXED QA Contact: qa-sisyphus
Severity: normal    
Priority: P5 CC: akv, amakeenk, lav, viy
Version: unstableKeywords: security
Hardware: all   
OS: Linux   

Description Rostislav 2024-02-14 20:44:48 MSK
В Request Tracker версий 4.4.4-4.4.5 существует уязвимость CVE-2022-25802 Уровень: 7.8 cross-site scripting (XSS), исправлена в 4.4.6

Также в версии 4.4.7 исправлены: CVE-2023-41259 Уровень: 7.5, CVE-2023-41260 Уровень: 7.5
Comment 1 Alexander Makeenkov 2024-02-15 09:42:14 MSK
Сначала нужно обновить в сизифе.
Comment 2 Repository Robot 2026-07-16 22:53:56 MSK
rt-4.4.7-alt1 -> sisyphus:

Wed Jul 15 2026 Vitaly Lipatov <lav@altlinux.ru> 4.4.7-alt1
- new version 4.4.7 (CVE-2022-25802, CVE-2023-41259, CVE-2023-41260) (closes: #49420)
- fix ftbfs: package builds again (closes: #39031)
- add BuildRequires: perl(Test/MockTime/HiRes.pm) (new 4.4.7 devel dependency)
- filter perl(GraphViz2) from requires; make rt-test-dependencies non-fatal
  (4.4.7 switched optional graph rendering to GraphViz2, not packaged in Sisyphus)
- add Patch6: drop redundant testdeps prerequisite from "make install"
  (the dep-check already runs non-fatally in %build)
- add Patch7: fix rt-setup-database upgrade dir (defaulted to relative
  "./etc/upgrade"; now uses $RT::EtcPath/upgrade -> /usr/share/rt/upgrade)