Changelog for otrs-itsm-6.0.30-190.68.noarch.rpm:

* Wed Nov 04 2020 chris@computersalat.de
- Update to 6.0.30
  https://community.otrs.com/otrs-community-edition-6-patch-level-30/
- fix for boo#1178434
  * (CVE-2020-11022, CVE-2020-11023, OSA-2020-14) Vulnerability in third-party library - jquery
    OTRS uses jquery version 3.4.1, which is vulnerable to cross-site scripting (XSS).
    For more information, please read the following article:
    https://snyk.io/test/npm/jquery/3.4.1

* Mon Aug 03 2020 chris@computersalat.de
- Update to 6.0.29
  https://community.otrs.com/otrs-community-edition-6-patch-level-29/
- fix for boo#1174830
  * (CVE-2020-1776, OSA-2020-13) Information disclosure
    When an agent user is renamed or set to invalid, the session belonging to the user is kept active.
    The session cannot be used to access ticket data in the case the agent is invalid.
- Update to 6.0.28
  https://community.otrs.com/otrs-community-edition-6-patch-level-28/
- fix for boo#1170764
  * (CVE-2020-1774, OSA-2020-11) Information disclosure
    When a user downloads PGP or S/MIME keys/certificates, the exported file has the same name for private and public keys.
    Therefore it’s possible to mix them up and send the private key to a third party instead of the public key.
- rebase otrs-CheckModules.patch

* Sat Aug 01 2020 chris@computersalat.de
- fix deps
  * add missing perl(Moo)
- add otrs-CheckModules.patch

* Tue Apr 07 2020 chris@computersalat.de
- Update to 6.0.27
  https://community.otrs.com/otrs-community-edition-6-patch-level-27/
- fix for
  * boo#1168029 (CVE-2020-1773, OSA-2020-10) Session / Password / Password token leak
    An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users’ session IDs, password reset tokens and automatically generated passwords.
  * boo#1168029 (CVE-2020-1772, OSA-2020-09) Information Disclosure
    It’s possible to craft Lost Password requests with wildcards in the Token value, which allows an attacker to retrieve valid Token(s) generated by users who already requested new passwords.
  * boo#1168030 (CVE-2020-1771, OSA-2020-08) Possible XSS in Customer user address book
    An attacker is able to craft an article with a link to the customer address book with malicious content (JavaScript). When an agent opens the link, the JavaScript code is executed due to the missing parameter encoding.
  * boo#1168031 (CVE-2020-1770, OSA-2020-07) Information disclosure in support bundle files
    Support bundle generated files could contain sensitive information that might be unwanted to be disclosed.
  * boo#1168032 (CVE-2020-1769, OSA-2020-06) Autocomplete in the form login screens
    In the login screens (in agent and customer interface), the Username and Password fields use autocomplete, which might be considered a security issue.
- Update to 6.0.26
  https://community.otrs.com/otrs-community-edition-6-patch-level-26/
  * (CVE-2019-11358, OSA-2020-05) Possible to send drafted messages as wrong agent
    OTRS uses jquery version 3.2.1, which is vulnerable to the prototype pollution attack.
    For more information, please read the following article:
    https://snyk.io/test/npm/jquery/3.2.1

* Mon Feb 03 2020 Dominique Leuenberger
- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut through the -mini flavors.

* Fri Jan 10 2020 chris@computersalat.de
- Update to 6.0.25
  https://community.otrs.com/otrs-community-edition-6-patch-level-25/
- fix for boo#1160663
  * (CVE-2020-1767, OSA-2020-03) Possible to send drafted messages as wrong agent
    Agent A is able to save a draft (i.e. for a customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent.
  * (CVE-2020-1766, OSA-2020-02) Improper handling of uploaded inline images
    Due to improper handling of uploaded images it is possible, in very unlikely and rare conditions, to force the agent’s browser to execute malicious JavaScript from a specially crafted SVG file rendered as an inline jpg file.
  * (CVE-2020-1765, OSA-2020-01) Spoofing of From field in several screens
    An improper control of parameters allows the spoofing of the From fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound
- run bin/otrs.Console.pl Maint::Config::Rebuild after the upgrade
- update itsm-update.sh
  * add Reject for *6.0.?.opm files

* Sat Dec 28 2019 chris@computersalat.de
- Update to 6.0.24
  https://community.otrs.com/otrs-community-edition-6-patch-level-24/
- fix for boo#1157001
  * (CVE-2019-18180, OSA-2019-15) Denial of service
    OTRS can be put into an endless loop by providing filenames with overly long extensions. This applies to the PostMaster (sending in email) and also to upload (attaching files to mails, for example).
  * (CVE-2019-18179, OSA-2019-14) Information Disclosure
    An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents which are in a queue where the attacker doesn’t have permissions.

* Sun Nov 10 2019 chris@computersalat.de
- Update to 6.0.23
  https://community.otrs.com/otrs-community-edition-6-patch-level-23/
- fix for boo#1156431
  * (CVE-2019-16375, OSA-2019-13) Stored XSS
    An attacker who is logged into OTRS as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article.

* Tue Sep 03 2019 chris@computersalat.de
- Update to 6.0.22
  https://community.otrs.com/otrs-community-edition-6-patch-level-22/

* Sat Jul 20 2019 chris@computersalat.de
- Update to 6.0.20
  https://community.otrs.com/release-notes-otrs-6-patch-level-20/
- fix for boo#1141432
  * (CVE-2019-13458, OSA-2019-12) Information Disclosure
    An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS tags in templates in order to disclose hashed user passwords.
- fix for boo#1141431
  * (CVE-2019-13457, OSA-2019-11) Information Disclosure
    A customer user can use the search results to disclose information from their “company” tickets (with the same CustomerID), even when the CustomerDisableCompanyTicketAccess setting is turned on.
- fix for boo#1141430
  * (CVE-2019-12746, OSA-2019-10) Session ID Disclosure
    A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can then potentially be abused in order to impersonate the agent user.