SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for otrs-doc-6.0.30-bp154.1.1.noarch.rpm :

* Wed Nov 04 2020 chrisAATTcomputersalat.de- Update to 6.0.30 https://community.otrs.com/otrs-community-edition-6-patch-level-30/- fix for boo#1178434
* (CVE-2020-11022, CVE-2020-11023, OSA-2020-14) Vulnerability in third-party library - jquery OTRS uses jquery version 3.4.1, which is vulnerable to cross-site scripting (XSS). For more information, please read following article https://snyk.io/test/npm/jquery/3.4.1
* Mon Aug 03 2020 chrisAATTcomputersalat.de- Update to 6.0.29 https://community.otrs.com/otrs-community-edition-6-patch-level-29/- fix for boo#1174830
* (CVE-2020-1776, OSA-2020-13) Information disclosure When an agent user is renamed or set to invalid the session belonging to the user is keept active. The session can not be used to access ticket data in the case the agent is invalid.- Update to 6.0.28 https://community.otrs.com/otrs-community-edition-6-patch-level-28/- fix for boo#1170764
* (CVE-2020-1774, OSA-2020-11) Information disclosure When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it’s possible to mix them and to send private key to the third-party instead of public key.- rebase otrs-CheckModules.patch
* Sat Aug 01 2020 chrisAATTcomputersalat.de- fix deps
* add missing perl(Moo)- add otrs-CheckModules.patch
* Tue Apr 07 2020 chrisAATTcomputersalat.de- Update to 6.0.27 https://community.otrs.com/otrs-community-edition-6-patch-level-27/- fix for
* boo#1168029 (CVE-2020-1773, OSA-2020-10) Session / Password / Password token leak An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords.
* boo#1168029 (CVE-2020-1772, OSA-2020-09) Information Disclosure It’s possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords.
* boo#1168030 (CVE-2020-1771, OSA-2020-08) Possible XSS in Customer user address book Attacker is able craft an article with a link to the customer address book with malicious content (JavaScript). When agent opens the link, JavaScript code is executed due to the missing parameter encoding.
* boo#1168031 (CVE-2020-1770, OSA-2020-07) Information disclosure in support bundle files Support bundle generated files could contain sensitive information that might be unwanted to be disclosed.
* boo#1168032 (CVE-2020-1769, OSA-2020-06) Autocomplete in the form login screens In the login screens (in agent and customer interface), Username and Password fields use autocomplete, which might be considered as security issue.- Update to 6.0.26 https://community.otrs.com/otrs-community-edition-6-patch-level-26/
* (CVE-2019-11358, OSA-2020-05) Possible to send drafted messages as wrong agent OTRS use jquery version 3.2.1, which is vulnerable to the prototype pollution attack. For more information, please read following article https://snyk.io/test/npm/jquery/3.2.1
* Mon Feb 03 2020 Dominique Leuenberger - BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut through the -mini flavors.
* Fri Jan 10 2020 chrisAATTcomputersalat.de- Update to 6.0.25 https://community.otrs.com/otrs-community-edition-6-patch-level-25/- fix for boo#1160663
* (CVE-2020-1767, OSA-2020-03) Possible to send drafted messages as wrong agent Agent A is able to save a draft (i.e. for customer reply). Then Agent B can open the draft, change the text completely and send it in the name of Agent A. For the customer it will not be visible that the message was sent by another agent.
* (CVE-2020-1766, OSA-2020-02) Improper handling of uploaded inline images Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agents browser to execute malicious javascript from a special crafted SVG file rendered as inline jpg file.
* (CVE-2020-1765, OSA-2020-01) Spoofing of From field in several screens An improper control of parameters allows the spoofing of the from fields of the following screens: AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound
* run bin/otrs.Console.pl Maint::Config::Rebuild after the upgrade- update itsm-update.sh
* add Reject for
*6.0.?.opm files
* Sat Dec 28 2019 chrisAATTcomputersalat.de- Update 6.0.24 https://community.otrs.com/otrs-community-edition-6-patch-level-24/- fix for boo#1157001
* (CVE-2019-18180, OSA-2019-15) Denial of service OTRS can be put into an endless loop by providing filenames with overly long extensions. This applies to the PostMaster (sending in email) and also upload (attaching files to mails, for example).
* (CVE-2019-18179, OSA-2019-14) Information Disclosure An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, which are in the queue where attacker doesn’t have permissions.
* Sun Nov 10 2019 chrisAATTcomputersalat.de- Update to 6.0.23 https://community.otrs.com/otrs-community-edition-6-patch-level-23/- fix for boo#1156431
* (CVE-2019-16375, OSA-2019-13) Stored XXS An attacker who is logged into OTRS as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent compose an answer to the original article.
* Tue Sep 03 2019 chrisAATTcomputersalat.de- Update to 6.0.22 https://community.otrs.com/otrs-community-edition-6-patch-level-22/
* Sat Jul 20 2019 chrisAATTcomputersalat.de- Update to 6.0.20 https://community.otrs.com/release-notes-otrs-6-patch-level-20/- fix for boo#1141432
* (CVE-2019-13458, OSA-2019-12) Information Disclosure An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS tags in templates in order to disclose hashed user passwords.- fix for boo#1141431
* (CVE-2019-13457, OSA-2019-11) Information Disclosure A customer user can use the search results to disclose information from their “company” tickets (with the same CustomerID), even when CustomerDisableCompanyTicketAccess setting is turned on.- fix for boo#1141430
* (CVE-2019-12746, OSA-2019-10) Session ID Disclosure A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can be then potentially abused in order to impersonate the agent user.
* Sat Jun 29 2019 chrisAATTcomputersalat.de- Update to 6.0.19 https://community.otrs.com/release-notes-otrs-6-patch-level-19/- fix for boo#1137614
* (CVE-2019-12497, OSA-2019-09) Information Disclosure In the customer or external frontend, personal information of agents can be disclosed like Name and mail address in external notes.- fix for boo#1137615
* (CVE-2019-12248, OSA-2019-08) Loading External Image Resources An attacker could send a malicious email to an OTRS system. If a logged in agent user quotes it, the email could cause the browser to load external image resources.- Update to 6.0.18 https://community.otrs.com/release-notes-otrs-6-patch-level-18/- fix for boo#1139406
* (CVE-2019-10066, OSA-2019-06) Stored XSS An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment in order to cause execution of JavaScript in the context of OTRS.- fix for boo#1139406
* (CVE-2019-10067, OSA-2019-05) Reflected and Stored XSS An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context of OTRS.- fix for boo#1139406
* (CVE-2019-9892, OSA-2019-04) XXE Processing An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files of OTRS filesystem.- Update to 6.0.17 https://community.otrs.com/release-notes-otrs-6-patch-level-17/- fix for boo#1129755
* (CVE-2019-9751, OSA-2019-02) XSS An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.- rebase otrs-perm_test.patch
* Sat Jun 22 2019 chrisAATTcomputersalat.de- fix changes file (chronological order)- update missing CVE for OSA-2018-10, OSA-2019-01
* Fri Feb 22 2019 Franck Bui - Drop use of $FIRST_ARG in .spec The use of $FIRST_ARG was probably required because of the %service_
* rpm macros were playing tricks with the shell positional parameters. This is bad practice and error prones so let\'s assume that no macros should do that anymore and hence it\'s safe to assume that positional parameters remains unchanged after any rpm macro call.
* Sat Feb 02 2019 Jan Engelhardt - Do not hide errors from useradd.- Remove pointless groupadd/useradd in %build (this always fails, and the error is always ignored).- Replace %__-type macro indirections. Replace old $RPM_
* shell vars.- Trim redundant metadata from description.- Switch out strong PreReq by more lenient Requires(pre,post).
* Thu Jan 31 2019 chrisAATTcomputersalat.de- update rpmlintrc
* disable setBadness(\'permissions-unauthorized-file\', 333)
* Tue Jan 29 2019 chrisAATTcomputersalat.de- Update to 6.0.16 https://community.otrs.com/release-notes-otrs-faq-6-patch-level-16/- fix for boo#1122560
* (CVE-2019-9752, OSA-2019-01) Stored XSS An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause execution of JavaScript in the context of OTRS.- Update to 6.0.15 https://community.otrs.com/release-notes-otrs-faq-6-patch-level-15/- fix typo in itsm.README- fix permissions
* add missing trailing /- rework rpmlintrc
* addFilter pem-certificate
* keep permissions-unauthorized-file for other DISTS than Factory
* Sat Dec 01 2018 chrisAATTcomputersalat.de- Update to 6.0.14 https://community.otrs.com/release-notes-otrs-faq-6-patch-level-14/- fix Url- update License: AGPL-3.0-only -> GPL-3.0-or-later- improve itsm-update.sh- rebase otrs-perm_test.patch- update
* UPGRADING.SUSE
* ZZZAuto.pm
* otrs.README.de
* otrs.README.en- remove SysVinit stuff and scripts
* otrs.init- rework permissions handling vor AATTOTRS_ROOTAATT/var/tmp
* Thu Nov 29 2018 chrisAATTcomputersalat.de- Update to 5.0.32
* https://community.otrs.com/release-notes-otrs-5s-patch-level-32/- fix for boo#1116004
* (CVE-2018-20800, OSA-2018-10) Data loss during migration Users updating to OTRS 6.0.13 (also patchlevel updates) or 5.0.31 (only major updates) will experience data loss in their agent preferences table.- fix for boo#1115416
* (CVE-2018-19141, OSA-2018-09) Privilege Escalation An attacker who is logged into OTRS as an admin user may manipulate the URL to cause execution of JavaScript in the context of OTRS.
* (CVE-2018-19143, OSA-2018-07) Remote File Deletion An attacker who is logged into OTRS as a user may manipulate the submission form to cause deletion of arbitrary files that the OTRS web server user has write access to.
* Wed Sep 26 2018 chrisAATTcomputersalat.de- Update to 5.0.30
* https://community.otrs.com/release-notes-otrs-5s-patch-level-30/
* https://community.otrs.com/release-notes-otrs-5s-patch-level-29/- fix for boo#1109822 (CVE-2018-16586, OSA-2018-05)
* Loading External Image or CSS Resources An attacker could send a malicious email to an OTRS system. If a logged in user opens it, the email could cause the browser to load external image or CSS resources.- fix for boo#1109823 (CVE-2018-16587, OSA-2018-04)
* Remote File Deletion An attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.- fix for boo#1103800 (CVE-2018-14593, OSA-2018-03)
* Privilege Escalation An attacker who is logged into OTRS as a user may escalate their privileges by accessing a specially crafted URL.- improve itsm-update.sh- fix permissions file
* AATTOTRS_ROOTAATT/var/tmp -> AATTOTRS_ROOTAATT/var/tmp/
* Wed Jul 11 2018 chrisAATTcomputersalat.de- Update to 5.0.28
* Renamed \'OTRS Free\' to \'((OTRS)) Community Edition\'.
* https://github.com/OTRS/otrs/blob/rel-5_0_28/CHANGES.md- improve itsm-update.sh- fix otrs.service
* remove otrs-scheduler.service from [Unit]After
* Wed Jan 24 2018 chrisAATTcomputersalat.de- fix wrong fillup_only call
* Thu Dec 28 2017 chrisAATTcomputersalat.de- Update to 5.0.26
* https://www.otrs.com/release-notes-otrs-5s-patch-level-26
* https://www.otrs.com/release-notes-otrsitsm-module-5s-patch-level-26/- remove obsolete
* otrs-scheduler.service
* otrs-scheduler.init
* Thu Dec 28 2017 chrisAATTcomputersalat.de- fix for boo#1073747 (CVE-2017-17476, OSA-2017-10)
* Session hijacking An attacker can send a specially prepared email to an OTRS system. If this system has cookie support disabled, and a logged in agent clicks a link in this email, the session information could be leaked to external systems, allowing the attacker to take over the agent’s session.- Update to 4.0.28
* https://github.com/OTRS/otrs/blob/rel-4_0_28/CHANGES.md- improve itsm-update.sh
* Fri Dec 08 2017 chrisAATTcomputersalat.de- fix for boo#1071797 (CVE-2017-16921, OSA-2017-09)
* Remote code execution: An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user.- fix for boo#1071799 (CVE-2017-16854, OSA-2017-08)
* Information Disclosure: An attacker who is logged into OTRS as a customer can use the ticket search form to disclose internal article information of their customer tickets.- Update to 4.0.27
* https://github.com/OTRS/otrs/blob/rel-4_0_27/CHANGES.md
* Thu Nov 23 2017 rbrownAATTsuse.com- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)
* Wed Nov 22 2017 chrisAATTcomputersalat.de- fix for boo#1069391 (CVE-2017-16664, OSA-2017-07)
* vulnerabilities discovered in the OTRS framework: An attacker who is logged into OTRS as an agent can request special URLs from OTRS which can lead to the execution of shell commands with the permissions of the web server user.- Update to 4.0.26
* Improved handling of spell checker.
* https://github.com/OTRS/otrs/blob/rel-4_0_26/CHANGES.md- improve itsm-update.sh
* only package latest packages (<10)- rebase patches
* otrs-httpd_conf.patch
* otrs-perm_test.patch- fix permissions (SLE 11)
* Sat Sep 30 2017 chrisAATTcomputersalat.de- improve itsm-update.sh to provide
* current and previous itsm packages
* exclude PreRelease packages (
*x.y.9?.opm)- replace itsm tarball so generated
* Sun Sep 24 2017 astiegerAATTsuse.com- fix and make universal itsm-update.sh- replace itsm tarball so generated
* Sat Sep 23 2017 chrisAATTcomputersalat.de- fix for boo#1059691 (CVE-2017-14635)
* Code Injection / Privilege Escalation OTRS- Update to 4.0.25
* Improved validation in statistic import and export. see OSA-2017-04 (Code Injection / Privilege Escalation OTRS)
* for more info see https://www.otrs.com/release-notes-otrs-4-patch-level-25/
* Mon Jun 12 2017 chrisAATTcomputersalat.de- Update to 4.0.24
* for more info see https://www.otrs.com/release-notes-otrs-4-patch-level-24/- update UPGRADING.SUSE, otrs.README.??, ZZZAuto.pm- rework/rebase patches
* otrs-httpd_conf.patch
* otrs-perm_test.patch- add systemd service files and helper
* otrs.service, otrs.service.helper.sh
* otrs-scheduler.service- rework permissions
* add otrs.permissions file for var/tmp, cause \'otrs\' and \'wwwrun\' are writing there
* Wed Jun 07 2017 chrisAATTcomputersalat.de- fix for boo#1043086
* Incorrect Access Control in OTRS- Update to 3.3.17 2017-06-06
* Improved SecureMode detection in Installer. see OSA-2017-03 (CVE-2017-9324)
* Bug#12753 - Function \"SystemDataGroupGet\" has problems with empty values in oracle.
* Bug#9941 - Articles with multi-byte characters that claim to be UTF-8 will not display in the browser.
* Bug#7961 - customer search should not return results for internal articles. see OSA-2017-02
* Bug#12391 - Base64 encoded image does not display in article.
* Bug#12461 - Chrome can not display attached PDF files since 5.0.14.
* Wed Nov 02 2016 chrisAATTcomputersalat.de- fix for boo#1008017
* execution of JavaScript in OTRS context by opening malicious attachment- Update to 3.3.16
* Improved sandboxing of displayed attachments. see OSA-2016-02 (CVE-2016-9139)
* Added package verification information to otrs.PackageManager.pl, use bin/otrs.PackageManager.pl -a list -e (to show package verification information) or bin/otrs.PackageManager.pl -a list -e -c (to show package verification information deleting the cache before).
* Bug#11959 – 500 Can’t connect to www.otrs.com/product.xml:443.
* Bug#11870 – Missing quoting in Layout::AgentQueueListOption().
* Bug#11802 – Customer user can get access to all ticket data.- fix ZZZAuto.pm
* do not replace existing file (manually merge needed for ITSM)
* Sun Oct 30 2016 chrisAATTcomputersalat.de- fix itsm package
* version is 3.3.14- rebase otrs-3.3.15-perm_test.patch to otrs-perm_test.patch- merge otrs-httpd_conf-apache2_4.patch into otrs-httpd_conf.patch
* Sat Oct 24 2015 ajAATTajaissle.de- Update to 3.3.15
* HTML emails not properly displayed (parts missing).
* Fixed a nasty JSON::XS crash on some platforms.
* Updated CPAN module Proc::Daemon to version 0.21.
* TransitionAction TicketLockSet typo, thanks to Torsten Thau (c.a.p.e. IT).
* auto reply with DynamicFields from webservice.
* Added option to package manager list action, to show deployment info of installed packages.
* Reply in process ticket on webrequest article fills customer mail into \"cc\" instead of \"to\".- Changes 3.3.14
* Package installation/uninstallation leads to endless loop.
* Lang parameter not correctly validated.
* Search for multiple ticket numbers with GenericInterface.- Changes 3.3.13
* Updated translation files.
* Refresh bug on process client interface using ie8
* Adding email recipients via addressbook does not update customer information.
* Wrong column encoding in Kernel::System::Notification::NotificationGet().
* Generic Agent ticket actions can\'t be unselect.
* GI: Use of uninitialized value in string ne at AdminGenericInterfaceWebservice.pm.
* Reply in process ticket on webrequest article fills customer mail into \"cc\" instead of \"to\".
* Download button for dashboard stats visible even if no permissions for AgentStats exist..
* Invalid utf-8 parameters not filtered sufficciently.
* DynamicField Filter in AgentDashboard accepts only one value.
* Can\'t select customer and/or public interface in AdminACL.
* Incorrect utf8 in ZZZAuto.pm (via SysConfig) also for hash keys.
* Added possibility to turn of SSL certificate validation.
* SLA can not be set over Free Fields Dialog.
* Not possible to change customer.
* Error from GenericInterface using SOAP and TicketGet operation.
* Fixed problem with missing TimeObject in GenericInterface/Event/Handler.pm.
* Updated CPAN module Crypt::PasswdMD5 to version 1.40 to fix problems with perl 5.20.- Changes 3.3.12
* Ticket owner is not shown regardless what is configured, thanks to Renee Bäcker.
* Adressbook search does not permit to add contacts via click.
* Wrong sortation of Ticket Overview settings.
* Missing translations in Dashboard and TicketOverview settings.
* Internal Server Error, instead of warning.
* Dashlet: Filter Attributes with more then one CustomerID doesn\'t work.
* SQL error with \"0 oracle\" for article body in Ticket Search.
* Incorrect utf8 in ZZZAuto.pm (via SysConfig).
* ProcessManagement: TransitionAction delete does not check if is used.
* GPG option 0xlong breaks decryption of emails.
* ORA-03113 Error after scheduler start.
* /etc/init.d/otrs running httpd is not detected on CentOS 7.
* Unable to change password in customer interface.
* Dynamic Field shown information in customer interface is not consistent with agent interface.
* Error: No Process configured! - Agent interface.
* Error while splitting ticket.
* ActivityDialogEntityID not working in ACLs from Process screens reducing States.- Rebased otrs-perm.patch as otrs-3.3.15-perm_test.patch- Added itsm-update.sh, a script to update the itsm source we use- Updated sources
* otrs.README.de
* otrs.README.en
* UPGRADING.SuSE -> UPGRADING.SUSE
* ZZZAuto.pm
* Mon Dec 29 2014 chrisAATTcomputersalat.de- fix for boo#910988 (CVE-2014-9324)- update to 3.3.11 fix for OSA-2014-06 (CVE-2014-9324)
* Updated translations, thanks to all translators.
* Bug#10904 – Upon entering CIC, search only returns hits during the first search.
* Bug#10944 – Multiple selection in Tree Selection also affects filtered elements.
* Follow-up fix for Bug#6284 – Problem with unicode characters when using FastCGI.
* Bug#10830 – Textarea Limitation in Generic Agent.
* Bug#10920 – ProcessManagement: Deleting Activities from canvas does not update process layout.
* Bug#10801 – Editor is extremely slow with large articles.
* Enhanced Permission Checks in GenericInterface Ticket Connector.
* Bug#10634 – ProcessManagement: Can not use an arbitrary email address as a CustomerUser.
* Bug#10839 – ACL cannot set possible TicketType in AgentTicketPhone and AgentTicketEmail.
* Bug#10776 – Medium and Large view don’t indicate active filters.
* Bug#10808 – Set of pending time is not working at all in Frontend::Agent::Ticket::ViewNote.
* Bug#10892 – TicketActionsPerTicket open multiple popups at TicketOverview.
* Bug#10857 – JS added too often in AgentTicketOverviewSmall.
* Bug#10639 – Set of pending time/state not working properly (process management).
* Bug#10893 – Missing log name partitions in Service Center.
* Bug#10879 – GenericInterfae: TicketSearch operation does not take escalation parameters.
* Bug#10812 – SOAP Response is always in version SOAP 1.2.
* Bug#10083 – SMIME and Email address detection is case sensitive (for the right part)..
* Bug#10826 – German – Translation Problem.
* Bug#10678 – Dates off by one on area diagram in dashboard widget.
* Bug#7369 – LinkQoute fails for some characters in hash or parameter.
* Bug#8404 – Wrong sorting of responses dropdown in TicketZoom.
* Bug#8781 – 508 Compliance: In Ticket Overviews the title attribute of large view link is incorrect.
* Bug#10669 – Maxlength validation of textarea dynamic fields does not work correctly in IE.
* Bug#10471 – Missing translations for tooltips of TicketOverviewSmall columns.
* Bug#10850 – Double-quoted special characters in title of dynamic field sidebar output in TicketZoom.
* Bug#10805 – Open tickets in 3 days show right function but wrong number.
* Bug#10845 – No date search if TimeInputFormat is Input.
* Bug#10706 – dashboard settings are lost by different user login.
* Bug#10577 – Service Center does not show MOD_PERL version on Ubuntu 14.04.
* Bug#10679 – Texts in notification tags loose their empty lines and spaces.
* Thu Nov 27 2014 Led - One more fix after fix bashisms in previous commit
* Sat Nov 08 2014 Led - fix bashisms in post script
 
ICM