Change log for otrs2 package in Ubuntu

otrs2 (6.3.2-1) unstable; urgency=medium

  * New upstream release.
  * Adjust lintian overrides.
  * Rename XS-Autobuild to just Autobuild.

 -- Patrick Matthäi <email address hidden>  Thu, 21 Apr 2022 14:02:59 +0200

Available diffs

• diff from 6.2.2-2 to 6.3.2-1 (27.3 MiB)

otrs2 (6.2.2-2) unstable; urgency=medium

  * Execute migration scripts for version 6.2.2.

 -- Patrick Matthäi <email address hidden>  Fri, 17 Dec 2021 09:40:39 +0100

Available diffs

• diff from 6.2.1-1 to 6.2.2-2 (12.0 KiB)

otrs2 (6.2.1-1) unstable; urgency=medium

  * New upstream release.
    - Adjust installed files.
  * Adjust debian/watch URL.
  * Adjust lintian overrides.

 -- Patrick Matthäi <email address hidden>  Fri, 29 Oct 2021 11:44:38 +0200

Available diffs

• diff from 6.1.2-1 to 6.2.1-1 (883.6 KiB)

otrs2 (6.1.2-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2021-36096 and CVE-2021-36094.
      Closes: #993846
    - Add 6.1.1 database upgrade scripts.
    - Remove patch 02-deactivate-cron-migrate.
    - Add new dependency libtext-diff-formattedhtml-perl.
  * Drop otrs meta package.
  * Remove deprecated database upgrade scripts.
  * Adjust lintian overrides.
  * Use which for test statement in postrm.

 -- Patrick Matthäi <email address hidden>  Thu, 14 Oct 2021 15:46:42 +0200

Available diffs

• diff from 6.0.32-6 to 6.1.2-1 (1.1 MiB)

otrs2 (6.0.32-6) unstable; urgency=high

  * Add upstream patches to fix CVE-2021-36091, CVE-2021-21440 and
    CVE-2021-21443.
    Closes: #991593

 -- Patrick Matthäi <email address hidden>  Thu, 05 Aug 2021 10:37:30 +0200

Available diffs

• diff from 6.0.32-5 to 6.0.32-6 (1.9 KiB)

otrs2 (6.0.32-5) unstable; urgency=high

  * Add upstream patch 14-ZSA-2021-03: There is a denial of service issue, when
    a mail with a special crafted url is received. This can lead to a maxout of
    the available server-CPU(s) and can reduce the quality of service or even
    bring the system to a halt. This addresses CVE-2021-21439.
    Closes: #989992
  * Add upstream patch 15-ZSA-2021-06: There is a XSS vulnerability in the
    ticket overviews, which can used to extract all kind of information just
    by having a e-mail shown in an overview. An attacker can send a prepared
    e-mail to the system to trigger the attack. This addresses CVE-2021-21441.
    Closes: #989992

 -- Patrick Matthäi <email address hidden>  Fri, 18 Jun 2021 15:10:23 +0200

Available diffs

• diff from 6.0.32-4 to 6.0.32-5 (3.5 KiB)

otrs2 (6.0.32-4) unstable; urgency=high

  * Add upstream patch to update jquery-validate from version 1.16.0 to 1.19.3.
    This fixes CVE-2021-21252.
    Closes: #980891

 -- Patrick Matthäi <email address hidden>  Wed, 05 May 2021 10:36:52 +0200

Available diffs

• diff from 6.0.32-2 to 6.0.32-4 (6.9 KiB)

otrs2 (6.0.32-2) unstable; urgency=medium

  * Uploading to unstable.

 -- Patrick Matthäi <email address hidden>  Tue, 02 Mar 2021 20:08:29 +0100

Available diffs

• diff from 6.0.30-2 to 6.0.32-2 (3.9 MiB)

otrs2 (6.0.30-2) unstable; urgency=medium

  * Bump Standards-Version to 4.5.1.
  * Update debian/watch file standard to version 4.
  * Adjust lintian overrides.

 -- Patrick Matthäi <email address hidden>  Thu, 19 Nov 2020 14:59:19 +0100

Available diffs

• diff from 6.0.30-1 to 6.0.30-2 (913 bytes)

otrs2 (6.0.30-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2020-11023 and CVE-2020-11022, also known as OSA-2020-14: OTRS
      uses jquery version 3.4.1, which is vulnerable to cross-site scripting
      (XSS).
  * Adjust lintian overrides.

 -- Patrick Matthäi <email address hidden>  Mon, 12 Oct 2020 10:31:12 +0200

Available diffs

• diff from 6.0.29-1 to 6.0.30-1 (461.5 KiB)

otrs2 (6.0.29-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2020-1776, also known as OSA-2020-13: When an agent user is
      renamed or set to invalid the session belonging to the user is kept
      active. The session can not be used to access ticket data in the case the
      agent is invalid.
  * Add missing dependency on libmoo-perl.
  * Adjust many lintian overrides.
  * Replace shebangs with /usr/bin/perl.
  * Don't install examples anymore.

 -- Patrick Matthäi <email address hidden>  Tue, 21 Jul 2020 10:25:01 +0200

Available diffs

• diff from 6.0.28-2 to 6.0.29-1 (331.2 KiB)

otrs2 (6.0.28-2) unstable; urgency=medium

  * Replace old ttf-dejavu dependencies with fonts-dejavu-extra and adjust the
    paths to the fonts.
    Closes: #961390

 -- Patrick Matthäi <email address hidden>  Tue, 02 Jun 2020 10:07:56 +0200

Available diffs

• diff from 6.0.28-1 to 6.0.28-2 (866 bytes)

otrs2 (6.0.28-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2020-1774, also known as OSA-2020-11: When user downloads PGP or
      S/MIME keys/certificates, exported file has same name for private and
      public keys. Therefore it’s possible to mix them and to send private key
      to the third-party instead of public key.
      Closes: #959448
  * Add new dependency libmath-random-secure-perl.
  * Upgrade to debhelper-compat 13.

 -- Patrick Matthäi <email address hidden>  Mon, 04 May 2020 13:32:51 +0200

Available diffs

• diff from 6.0.27-1 to 6.0.28-1 (2.5 MiB)

otrs2 (6.0.27-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2020-1773, also known as OSA-2020-10: It is possible that an
      authenticated user guess other session IDs based on its own. Also it is
      possible to guess a password reset token or an automated password
      generated.

 -- Patrick Matthäi <email address hidden>  Tue, 31 Mar 2020 10:46:34 +0200

Available diffs

• diff from 6.0.26-1 to 6.0.27-1 (276.4 KiB)

otrs2 (6.0.26-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2019-11358, also known as OSA-2020-05: OTRS use jquery version
      3.2.1, which is vulnerable to the prototype pollution attack.

 -- Patrick Matthäi <email address hidden>  Fri, 07 Feb 2020 15:27:15 +0100

Available diffs

• diff from 6.0.25-3 to 6.0.26-1 (458.7 KiB)

otrs2 (6.0.25-3) unstable; urgency=high

  * New version with pre-built binaries.

 -- Patrick Matthäi <email address hidden>  Fri, 31 Jan 2020 09:20:15 +0100

Available diffs

• diff from 6.0.25-2 to 6.0.25-3 (307 bytes)

otrs2 (6.0.25-2) unstable; urgency=medium

  * Adjust lintian overrides.
  * Bump Standards-Version to 4.5.0.

 -- Patrick Matthäi <email address hidden>  Thu, 23 Jan 2020 16:33:10 +0100

Available diffs

• diff from 6.0.25-1 to 6.0.25-2 (856 bytes)

otrs2 (6.0.25-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2020-1767, also known as OSA-2020-03: Agent A is able to save a
      draft (i.e. for customer reply). Then Agent B can open the draft, change
      the text completely and send it in the name of Agent A. For the customer
      it will not be visible that the message was sent by another agent.

 -- Patrick Matthäi <email address hidden>  Mon, 20 Jan 2020 11:21:00 +0100

Available diffs

• diff from 6.0.24-1 to 6.0.25-1 (140.1 KiB)

otrs2 (6.0.24-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2019-18179, also known as OSA-2019-14: An attacker who is logged
      into OTRS as an agent is able to list tickets assigned to other agents,
      which are in the queue where attacker doesn’t have permissions.
    - Fixes CVE-2019-18180, also known as OSA-2019-15: OTRS can be put into an
      endless loop by providing filenames with overly long extensions. This
      applies to the PostMaster (sending in email) and also upload (attaching
      files to mails, for example).
      Closes: #945251
  * Add dependency on package libcpan-audit-perl.
  * Use the new debhelper-compat notation, and drop the d/compat file.

 -- Patrick Matthäi <email address hidden>  Fri, 27 Dec 2019 10:51:52 +0100

Available diffs

• diff from 6.0.23-2 to 6.0.24-1 (81.8 KiB)

otrs2 (6.0.23-2) unstable; urgency=medium

  * Build binary packages.

 -- Patrick Matthäi <email address hidden>  Fri, 11 Oct 2019 10:20:09 +0200

Available diffs

• diff from 6.0.20-1 to 6.0.23-2 (330.8 KiB)

otrs2 (6.0.20-1) unstable; urgency=medium

  * New upstream release.
  * Bump Standards-Version to 4.4.0.

 -- Patrick Matthäi <email address hidden>  Fri, 12 Jul 2019 10:13:22 +0200

Available diffs

• diff from 6.0.19-1 to 6.0.20-1 (579.9 KiB)

otrs2 (6.0.19-1) unstable; urgency=medium

  * New upstream release.
    - Fixes OSA-2019-08, also known as CVE-2019-12248: An attacker could send a
      malicious email to an OTRS system. If a logged in agent user quotes it,
      the email could cause the browser to load external image resources.
    - Fixes OSA-2019-09, also known as CVE-2019-12497: In the customer or
      external frontend, personal information of agents can be disclosed like
      name and mail address in external notes.
  * Merge 6.0.16-2 changelog.

 -- Patrick Matthäi <email address hidden>  Thu, 06 Jun 2019 10:45:46 +0200

Available diffs

• diff from 6.0.18-1 to 6.0.19-1 (754.2 KiB)

otrs2 (6.0.18-1) unstable; urgency=high

  * New upstream release.
    - Fixes OSA-2019-06, also known as CVE-2019-10066: An attacker who is logged
      into OTRS as an agent with appropriate permissions may create a carefully
      crafted calendar appointment in order to cause execution of JavaScript in
      the context of OTRS.
    - Fixes OSA-2019-05, also known as CVE-2019-10067: An attacker who is logged
      into OTRS as an agent user with appropriate permissions may manipulate the
      URL to cause execution of JavaScript in the context of OTRS.
    - Fixes OSA-2019-04, also known as CVE-2019-9892: An attacker who is logged
      into OTRS as an agent user with appropriate permissions may try to import
      carefully crafted Report Statistics XML that will result in reading of
      arbitrary files of OTRS filesystem.

 -- Patrick Matthäi <email address hidden>  Fri, 26 Apr 2019 11:00:38 +0200

Available diffs

• diff from 6.0.17-1 to 6.0.18-1 (446.9 KiB)

otrs2 (6.0.17-1) unstable; urgency=medium

  * New upstream release.
    - Fixes OSA-2019-03: An attacker who is logged into OTRS as an admin user
      may manipulate the URL to cause execution of JavaScript in the context
      of OTRS.

 -- Patrick Matthäi <email address hidden>  Fri, 08 Mar 2019 14:49:17 +0100

Available diffs

• diff from 6.0.16-1 to 6.0.17-1 (310.8 KiB)

otrs2 (6.0.16-1) unstable; urgency=high

  * New upstream release.
    - This release fixes OSA-2019-01: An attacker who is logged into OTRS as an
      agent or a customer user may upload a carefully crafted resource in order
      to cause execution of JavaScript in the context of OTRS.
  * Bump debian/compat to level 12.

 -- Patrick Matthäi <email address hidden>  Fri, 18 Jan 2019 13:16:27 +0100

Available diffs

• diff from 6.0.15-1 to 6.0.16-1 (343.8 KiB)

otrs2 (6.0.15-1) unstable; urgency=medium

  * New upstream release.
  * Bump Standards-Version to 4.3.0.

 -- Patrick Matthäi <email address hidden>  Thu, 27 Dec 2018 11:59:21 +0100

Available diffs

• diff from 6.0.14-1 to 6.0.15-1 (392.7 KiB)

otrs2 (6.0.14-1) unstable; urgency=high

  * New upstream release.
    - Fixes OSA-2018-10: Users updating to OTRS 6.0.13 (also patchlevel updates)
      or 5.0.31 (only major updates) will experience data loss in their agent
      preferences table.

 -- Patrick Matthäi <email address hidden>  Thu, 15 Nov 2018 11:15:54 +0100

Available diffs

• diff from 6.0.13-1 to 6.0.14-1 (6.4 KiB)

otrs2 (6.0.13-1) unstable; urgency=high

  * New upstream release.
    - Fixes OSA-2018-07: An attacker who is logged into OTRS as a user may
      manipulate the submission form to cause deletion of arbitrary files that
      the OTRS web server user has write access to.
    - Fixes OSA-2018-08: An attacker who is logged into OTRS as an admin user
      may manipulate the URL to cause execution of JavaScript in the context of
      OTRS.
    - Fixes OSA-2018-09: An attacker who is logged into OTRS as an admin user
      may manipulate the URL to cause execution of JavaScript in the context of
      OTRS.
  * Correct instructions to use the package manager.
    Closes: #909160
  * Merge 6.0.12-1~bpo9+1 and 5.0.16-1+deb9u6 changelog.

 -- Patrick Matthäi <email address hidden>  Fri, 09 Nov 2018 10:22:44 +0100

Available diffs

• diff from 6.0.12-1 to 6.0.13-1 (447.5 KiB)

otrs2 (6.0.12-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2018-17883, also known as OSA-2018-06: An attacker could send
      an email with a malicious link to an OTRS system or an agent. If a logged
      in agent opens this link, it could cause the execution of JavaScript in
      the context of OTRS.
  * Add XS-Autobuild yes to debian/control.
  * Adjust lintian overrides.
  * Correct 6.0.11-1 changelog about the fixed CVEs.
  * Merge 6.0.11-1~bpo9+1 changelog.
  * Remove extra documentation files.

 -- Patrick Matthäi <email address hidden>  Tue, 09 Oct 2018 12:00:19 +0200

Available diffs

• diff from 6.0.11-1 to 6.0.12-1 (2.3 MiB)

otrs2 (6.0.11-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2018-16586, also known as OSA-2018-04: An attacker could send a
      malicious email to an OTRS system. If a user with admin permissions opens
      it, it causes deletions of arbitrary files that the OTRS web server user
      has write access to.
  * Bump Standards-Version to 4.2.1.
  * Correct outdated SetPermissions example in README.Debian.
    Closes: #909160

 -- Patrick Matthäi <email address hidden>  Fri, 21 Sep 2018 16:21:29 +0200

Available diffs

• diff from 6.0.10-1 to 6.0.11-1 (382.2 KiB)

otrs2 (6.0.10-1) unstable; urgency=medium

  * New upstream release.
  * Merge 6.0.9-1~bpo9+1 changelog.

 -- Patrick Matthäi <email address hidden>  Tue, 31 Jul 2018 10:31:17 +0200

Available diffs

• diff from 6.0.9-1 to 6.0.10-1 (37.1 KiB)

otrs2 (6.0.9-1) unstable; urgency=medium

  * New upstream release.
  * Do not run the database upgrade script in non-interactive mode, because
    a working database upgrade requires some questions and answers about the
    used timezone.
  * Correct Backups directory permissions before calling setup_database.
  * Bump Standards-Version to 4.1.5.
  * Adjust lintian overrides.
  * Add non-free disclaimer to debian/copyright.

 -- Patrick Matthäi <email address hidden>  Thu, 26 Jul 2018 14:46:46 +0200

Available diffs

• diff from 6.0.8-1 to 6.0.9-1 (236.2 KiB)

otrs2 (6.0.8-1) unstable; urgency=medium

  * New upstream release.

 -- Patrick Matthäi <email address hidden>  Tue, 12 Jun 2018 10:59:58 +0200

Available diffs

• diff from 6.0.7-1 to 6.0.8-1 (295.0 KiB)

otrs2 (6.0.7-1) unstable; urgency=medium

  * New upstream release.
  * Use new libsisimai-perl Debian package.
    Closes: #887514
  * Bump Standards-Version to 4.1.4.
  * OTRS 6.x is compatible with GPG2.
    Closes: #890544

 -- Patrick Matthäi <email address hidden>  Mon, 07 May 2018 16:35:31 +0200

Available diffs

• diff from 6.0.6-1 to 6.0.7-1 (444.3 KiB)

otrs2 (6.0.6-1) unstable; urgency=medium

  * New upstream release.
  * Correct renamed lintian tag.
  * Move lintian-overrides file to source directory.

 -- Patrick Matthäi <email address hidden>  Thu, 15 Mar 2018 15:38:44 +0100

Available diffs

• diff from 6.0.5-1 to 6.0.6-1 (288.1 KiB)

otrs2 (6.0.5-1) unstable; urgency=medium

  * New upstream release.
    - Rewrite patch 03-backup.

 -- Patrick Matthäi <email address hidden>  Thu, 15 Feb 2018 10:36:17 +0100

Available diffs

• diff from 6.0.4-1 to 6.0.5-1 (330.0 KiB)

otrs2 (6.0.4-1) unstable; urgency=medium

  * New upstream release.
  * Add dependency on libclass-accessor-lite-perl.
    Closes: #887518
  * Bump Standards-Version to 4.1.3 (no changes required).
  * Bump debian/compat to level 11.
  * Temporary install Sisimai Perl module to work around #887514 until this
    module is packaged.
  * Adjust otrs2.docs installation.
  * Adjust lintian overrides.

 -- Patrick Matthäi <email address hidden>  Wed, 24 Jan 2018 14:49:12 +0100

Available diffs

• diff from 6.0.3-1 to 6.0.4-1 (471.2 KiB)

otrs2 (6.0.3-1) unstable; urgency=high

  * New upstream release.
    - This fixes OSA-2017-10, also known as CVE-2017-17476: A session hijacking
      vulnerability.
      Closes: #884801
  * Merge 3.3.18-1+deb8u3, 3.3.18-1+deb8u4, 5.0.16-1+deb9u4 and 5.0.16-1+deb9u5
    changelog.
  * Bump Standards-Version to 4.1.2 (no changes required).

 -- Patrick Matthäi <email address hidden>  Wed, 20 Dec 2017 09:25:55 +0100

Available diffs

• diff from 6.0.2-1 to 6.0.3-1 (142.4 KiB)

otrs2 (6.0.2-1) unstable; urgency=high

  * New upstream release.
    - This release fixes OSA-2017-08, also known as CVE-2017-16854.
    - Refresh patch 06-no-installer.
  * Merge 5.0.16-1+deb9u4 changelog.

 -- Patrick Matthäi <email address hidden>  Thu, 07 Dec 2017 14:05:54 +0100

Available diffs

• diff from 6.0.1-1 to 6.0.2-1 (429.7 KiB)

otrs2 (6.0.1-1) unstable; urgency=low

  * New upstream release.
    - Remove patch 02-dbupdate-as-root.
    - Rewrite patch 03-backup.
    - Rewrite patch 04-opt.
    - Rewrite patch 06-no-installer.
    - Rewrite patch 07-otrs-business-check.
    - Rewrite patch 09-disable-DashboardProductNotify.
    - Rewrite patch 11-do-not-test-file-writes.
    - Rewrite patch 12-font-paths.
    - Remove now useless empty directories for SQL upgrade scripts.
    - Add new dependencies libcrypt-ssleay-perl, libxml-simple-perl,
      libxml-libxml-simple-perl and libdatetime-perl.
  * Merge 5.0.24-1~bpo9+1 changelog.
  * Rename patch 14-font-paths to 12-font-paths.
  * Do not use yui-compressor anymore.
  * Remove deprecated otrs2.maintscript.
  * Remove deprecated MySQL upgrade notice from README.Debian.
  * Remove deprecated replaces and breaks from debian/control.
  * Adjust fonts-font-awesome paths.
  * Adjust debian/copyright.
  * Adjust source-contains-prebuilt-javascript-object lintian overrides.
  * Remove deprecated database scripts and install new 6.0 ones.
  * Add patch 02-deactivate-cron-migrate to disable the automatic cronjob
    migration on upgrading from version 5.
  * Kill otrs.Daemon processes on purge before trying to delete the user.
  * Reorder packaging.
  * Add new Config/Backups directory.

 -- Patrick Matthäi <email address hidden>  Fri, 01 Dec 2017 11:43:12 +0100

Available diffs

• diff from 5.0.24-1 to 6.0.1-1 (21.0 MiB)

otrs2 (5.0.16-1+deb9u3build0.17.04.1) zesty-security; urgency=medium

  * fake sync from Debian

Available diffs

• diff from 5.0.16-1+deb9u2build0.17.04.1 (in ~ubuntu-security/ubuntu/ppa) to 5.0.16-1+deb9u3build0.17.04.1 (1.0 KiB)
• diff from 5.0.16-1 (in Debian) to 5.0.16-1+deb9u3build0.17.04.1 (6.2 KiB)

otrs2 (5.0.24-1) unstable; urgency=high

  * New upstream release.
    - This fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is
      logged into OTRS as an agent can request special URLs from OTRS which can
      lead to the execution of shell commands with the permissions of the web
      server user.
      Closes: #882370
  * Merge 3.3.18-1+deb8u1, 3.3.18-1+deb8u2, 5.0.16-1+deb9u2, 5.0.16-1+deb9u3
    and 5.0.23-1~bpo9+1 changelog.
  * Use secure URI in debian/watch and for the homepage field.
  * Bump Standards-Version to 4.1.1 (no changes required).

 -- Patrick Matthäi <email address hidden>  Wed, 22 Nov 2017 16:33:29 +0100

Available diffs

• diff from 5.0.23-1 to 5.0.24-1 (158.1 KiB)

otrs2 (5.0.16-1+deb9u2build0.17.04.1) zesty-security; urgency=medium

  * fake sync from Debian

Available diffs

• diff from 5.0.16-1 (in Debian) to 5.0.16-1+deb9u2build0.17.04.1 (5.9 KiB)

otrs2 (5.0.23-1) unstable; urgency=high

  * New upstream release.
    - This fixes OSA-2017-04, also known as CVE-2017-14635: An attacker who is
      logged into OTRS as an agent with write permissions for statistics can
      inject arbitrary code into the system. This can lead to serious problems
      like privilege escalation, data loss, and denial of service.
      Closes: #876462
    - Refresh patch 07-otrs-business-check.
    - Refresh patch 09-disable-DashboardProductNotify.
    - Refresh patch 11-do-not-test-file-writes.
    - Refresh patch 14-font-paths.
  * Bump Standards-Version to 4.1.0 (no changes required).

 -- Patrick Matthäi <email address hidden>  Thu, 28 Sep 2017 10:42:32 +0200

Available diffs

• diff from 5.0.22-1 to 5.0.23-1 (173.8 KiB)

otrs2 (5.0.22-1) unstable; urgency=medium

  * New upstream release.
  * Merge 5.0.21-1~bpo9+1 changelog.
  * Add dependency on libmodule-refresh-perl.
  * Bump debian/compat to level 10.
  * Override embedded-javascript-library lintian warnings. The libraries are
    not replaceable with the Debian versions.

 -- Patrick Matthäi <email address hidden>  Wed, 02 Aug 2017 09:57:31 +0200

Available diffs

• diff from 5.0.21-1 to 5.0.22-1 (44.2 KiB)

otrs2 (5.0.21-1) unstable; urgency=medium

  * New upstream release.
  * Bump Standards-Version to 4.0.0 (no changes required).

 -- Patrick Matthäi <email address hidden>  Tue, 18 Jul 2017 15:35:45 +0200

Available diffs

• diff from 5.0.20-1 to 5.0.21-1 (172.7 KiB)

otrs2 (5.0.20-1) unstable; urgency=high

  * New upstream release.
    - This fixes OSA-2017-03, also known as CVE-2017-9324: An attacker with
      agent permission is capable by opening a specific URL in a browser to
      gain administrative privileges / full access. Afterward, all system
      settings can be read and changed.
      Closes: #864319
  * Remove obsolete symlink for jquery-ui.
    Closes: #864175
  * Merge 3.3.9-3+deb8u1 and 5.0.16-1+deb9u1 changelog.

 -- Patrick Matthäi <email address hidden>  Thu, 08 Jun 2017 10:39:18 +0200

Available diffs

• diff from 5.0.19-1 to 5.0.20-1 (336.5 KiB)

otrs2 (5.0.19-1) unstable; urgency=low

  * New upstream release.
  * Uploading to unstable.

 -- Patrick Matthäi <email address hidden>  Tue, 09 May 2017 09:35:01 +0200

Available diffs

• diff from 5.0.17-1 to 5.0.19-1 (508.1 KiB)

otrs2 (5.0.17-1) unstable; urgency=low

  * New upstream release.
  * Merge 5.0.16-1~bpo8+1 changelog.

 -- Patrick Matthäi <email address hidden>  Thu, 09 Mar 2017 14:56:10 +0100

Available diffs

• diff from 5.0.16-1 to 5.0.17-1 (761.5 KiB)

otrs2 (5.0.16-1) unstable; urgency=low

  * New upstream release.
    - Refresh patch 09-disable-DashboardProductNotify.
    - Refresh patch 14-font-paths.

 -- Patrick Matthäi <email address hidden>  Tue, 24 Jan 2017 12:31:59 +0100

Available diffs

• diff from 5.0.15-1 to 5.0.16-1 (324.5 KiB)

otrs2 (5.0.15-1) unstable; urgency=medium

  * New upstream release.
    - Refresh patch 01-cron.
    - Refresh patch 03-backup.
    - Refresh patch 07-otrs-business-check.
    - Refresh patch 09-disable-DashboardProductNotify.
    - Refresh patch 11-do-not-test-file-writes.
    - Refresh patch 14-font-paths.
  * Merge 5.0.14-1~bpo8+1 changelog.

 -- Patrick Matthäi <email address hidden>  Mon, 19 Dec 2016 16:31:47 +0100

Available diffs

• diff from 5.0.14-1 to 5.0.15-1 (322.1 KiB)

otrs2 (5.0.14-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2016-9139, also known as OSA-2016-02: An attacker could trick
      an authenticated agent or customer into opening a malicious attachment
      which could lead to the execution of JavaScript in OTRS context.
      Closes: #843091
  * Adjust linitian overrides.

 -- Patrick Matthäi <email address hidden>  Wed, 09 Nov 2016 10:06:51 +0100

Available diffs

• diff from 5.0.13-2 to 5.0.14-1 (947.4 KiB)

otrs2 (5.0.13-2) unstable; urgency=medium

  * Move package from main to non-free, because of the "browserified" issue as
    long as there is no way to replace all embedded javascript code copies
    safely (without introducing new issues as in the past) from the package.
    Closes: #695664, #836181
  * Merge 5.0.13-1~bpo8+1 changelog.
  * Recommend default-mysql-client and default-mysql-server package.

 -- Patrick Matthäi <email address hidden>  Mon, 17 Oct 2016 10:25:02 +0200

Available diffs

• diff from 5.0.12-1 to 5.0.13-2 (330.5 KiB)

otrs2 (5.0.12-1) unstable; urgency=medium

  * New upstream release.
    - Refresh patch 09-disable-DashboardProductNotify.
    - Refresh patch 14-font-paths.

 -- Patrick Matthäi <email address hidden>  Fri, 12 Aug 2016 11:18:26 +0200

Available diffs

• diff from 5.0.11-1 to 5.0.12-1 (633.8 KiB)

otrs2 (5.0.11-1) unstable; urgency=medium

  * New upstream release.
    - Refresh patch 07-otrs-business-check.
    - Refresh patch 08-usable-apache-config.
    - Refresh patch 09-disable-DashboardProductNotify.
    - Refresh patch 14-font-paths.
  * Merge 5.0.10-1~bpo8+1 changelog.
  * Overwrite false positive lintian warning about prebuilt javascript object
    Core.UI.InputFields.UnitTest.js.
  * Remove GenericAgent.pm on purge.

 -- Patrick Matthäi <email address hidden>  Thu, 07 Jul 2016 09:55:45 +0200

Available diffs

• diff from 5.0.10-1 to 5.0.11-1 (325.9 KiB)

otrs2 (5.0.10-1) unstable; urgency=medium

  * New upstream release.
    - Refresh patch 09-disable-DashboardProductNotify.
    - Refresh patch 11-do-not-test-file-writes.
    - Refresh patch 14-font-paths.
  * Bump Standards-Version to 3.9.8 (no changes required).
  * Mangle repack in debian/watch.

 -- Patrick Matthäi <email address hidden>  Tue, 17 May 2016 12:53:34 +0200

Available diffs

• diff from 5.0.9+repack1-1 to 5.0.10-1 (521.0 KiB)

otrs2 (5.0.9+repack1-1) unstable; urgency=medium

  * Revert usage of external ckeditor package, since it breaks OTRS. Create an
    new repack package.

 -- Patrick Matthäi <email address hidden>  Wed, 20 Apr 2016 11:44:47 +0200

Available diffs

• diff from 5.0.7-1 to 5.0.9+repack1-1 (2.3 MiB)

otrs2 (5.0.7-1) unstable; urgency=medium

  * New upstream release.
    - Refresh patch 09-disable-DashboardProductNotify.
    - Refresh patch 10-nice-packagemanager-permissions-message.
    - Refresh patch 11-do-not-test-file-writes.
    - Refresh patch 14-font-paths.
  * Merge 5.0.6-1~bpo8+1 changelog.
  * Bump Standards-Version to 3.9.7 (no changes required).
  * Do not overwrite source-contains-prebuilt-object lintian warnings.

 -- Patrick Matthäi <email address hidden>  Tue, 16 Feb 2016 13:20:26 +0100

Available diffs

• diff from 5.0.6-1 to 5.0.7-1 (441.5 KiB)

otrs2 (5.0.6-1) unstable; urgency=medium

  * New upstream release.
    - Refresh hunky patch 09-disable-DashboardProductNotify.
    - Refresh hunky patch 14-font-paths.

 -- Patrick Matthäi <email address hidden>  Tue, 19 Jan 2016 09:07:34 +0100

Available diffs

• diff from 5.0.5-1 to 5.0.6-1 (2.7 MiB)

otrs2 (5.0.5-1) unstable; urgency=medium

  * New upstream release.
  * Add patch 07-otrs-business-check to deactivate OTRSBusinessEntitlementCheck
    and OTRSBusinessAvailabilityCheck cronjob in the default configuration,
    since they connect to cloud.otrs.com.
    Closes: #806263

 -- Patrick Matthäi <email address hidden>  Wed, 16 Dec 2015 10:18:39 +0100

Available diffs

• diff from 5.0.3-1 to 5.0.5-1 (556.9 KiB)

otrs2 (5.0.3-1) unstable; urgency=medium

  * New upstream release.
  * Do not use anymore embedded Lingua::Translit library and depend on
    liblingua-translit-perl.

 -- Patrick Matthäi <email address hidden>  Tue, 17 Nov 2015 13:34:27 +0100

Available diffs

• diff from 5.0.2-1 to 5.0.3-1 (140.8 KiB)

otrs2 (5.0.2-1) unstable; urgency=medium

  * New upstream release.
  * Add dependency on new package libschedule-cron-events-perl.
    Closes: #803301
  * Add dependency on libhtml-parser-perl.
  * Add dependency on libhtml-tagset-perl and libhtml-truncate-perl and remove
    the cpan-lib/HTML directory.

 -- Patrick Matthäi <email address hidden>  Thu, 05 Nov 2015 14:18:07 +0100

Available diffs

• diff from 5.0.1-2 to 5.0.2-1 (727.8 KiB)

otrs2 (5.0.1-2) unstable; urgency=medium

  * Drop dependency on libjs-jquery-ui and the patches
    12-use-debian-libjs-packages and 13-load-debian-libjs. Use again the
    embedded version.
    Closes: #802938

 -- Patrick Matthäi <email address hidden>  Mon, 26 Oct 2015 18:13:00 +0100

Available diffs

• diff from 5.0.1-1 to 5.0.1-2 (1.4 KiB)

otrs2 (5.0.1-1) unstable; urgency=medium

  * New upstream release.
    - Rewrite patch 01-cron, everything is working now with the new scheduler.
    - Use DB-Update-5 script in 02-dbupdate-as-root.
    - Refresh hunky patch 03-backup.
    - Rewrite patch 04-opt.
    - Rewrite patch 05-database.
    - Refresh hunky patch 06-no-installer.
    - Refresh hunky patch 09-disable-DashboardProductNotify.
    - Rewrite patch 10-nice-packagemanager-permissions-message.
    - Refresh hunky patch 11-do-not-test-file-writes.
    - Rewrite patch 12-use-debian-libjs-packages.
    - Rewrite patch 13-load-debian-libjs.
    - Refresh hunky patch 14-font-paths.
    - Adjust yui-compressor paths in debian/rules.
    - Adjust package descriptions for release 5.
    - Add new dependencies on libxml-libxml-perl and libxml-libxslt-perl.
    - Install and use new DBUpdate 5 schema files and script for upgrading.
    - Use new tool otrs.Console.pl, which replaced old scripts like
      otrs.CheckDB.pl, otrs.RebuildConfig and otrs.DeleteCache.
    - Adjust otrs2.install.
  * Merge 4.0.13-1~bpo8+1 changelog.
  * Do not suggest dropped otrs2-doc packages anymore.
  * Watch again all releases.
  * Import DBUpdate-to-4 from the last OTRS 4.0.13 release.
  * Remove obsolete stuff from debian/rules.
  * Remove auto_build directory.
  * Adjust debian/copyright.
  * Remove GenericAgent.pm from config file handling.
  * Install required Lingua cpan module.
  * Add dependency libpod-strip-perl.
  * Use otrs.Console.pl in otrs2.config to get database parameters.
  * Set additional new permissions on the configuration directory.
  * Create /run/otrs in cronjob, if it does not exist.

 -- Patrick Matthäi <email address hidden>  Fri, 23 Oct 2015 15:44:39 +0200

Available diffs

• diff from 4.0.10-1 to 5.0.1-1 (16.1 MiB)
• diff from 4.0.13-1 to 5.0.1-1 (16.0 MiB)

otrs2 (4.0.13-1) unstable; urgency=medium

  * New upstream release.

 -- Patrick Matthäi <email address hidden>  Thu, 01 Oct 2015 14:57:24 +0200

otrs2 (4.0.10-1) unstable; urgency=medium

  * New upstream release.

 -- Patrick Matthäi <email address hidden>  Thu, 16 Jul 2015 20:20:34 +0200

Available diffs

• diff from 4.0.9-1 to 4.0.10-1 (52.6 KiB)

otrs2 (4.0.9-1) unstable; urgency=low

  * New upstream release.
    - Refresh hunky patch 11-do-not-test-file-writes.
  * Overwrite false positive lintian warning
    command-with-path-in-maintainer-script.

 -- Patrick Matthäi <email address hidden>  Tue, 07 Jul 2015 09:46:32 +0200

Available diffs

• diff from 4.0.8-1 to 4.0.9-1 (145.3 KiB)

otrs2 (4.0.8-1) unstable; urgency=low

  * New upstream release.
  * Switch to DEP5 debian/copyright format.

 -- Patrick Matthäi <email address hidden>  Tue, 12 May 2015 20:02:51 +0200

Available diffs

• diff from 4.0.7-2 to 4.0.8-1 (483.5 KiB)

otrs2 (4.0.7-2) unstable; urgency=low

  * Upload to unstable.

 -- Patrick Matthäi <email address hidden>  Wed, 29 Apr 2015 10:00:47 +0200

Available diffs

• diff from 3.3.9-3 to 4.0.7-2 (10.6 MiB)

otrs2 (3.3.9-3) unstable; urgency=medium


  * Add patch 16-CVE-2014-9324.diff which fixes CVE-2014-9324, also known as
    OSA-2014-06:
    An attacker with valid OTRS credentials could access and manipulate ticket
    data of other users via the GenericInterface, if a ticket webservice is
    configured and not additionally secured.

 -- Patrick Matthäi <email address hidden>  Thu, 18 Dec 2014 19:02:56 +0100

Available diffs

• diff from 3.3.9-2 to 3.3.9-3 (7.2 KiB)

otrs2 (3.3.9-2) unstable; urgency=low


  * Drop libjs-jquery dependency and use the emebedded version again to avoid
    application errors.
    Closes: #763750
  * Bump Standards-Version to 3.9.6 (no changes required).
  * Remove unused override about package-contains-broken-symlink.

 -- Patrick Matthäi <email address hidden>  Mon, 27 Oct 2014 21:07:36 +0100

Available diffs

• diff from 3.3.9-1 to 3.3.9-2 (1.9 KiB)

otrs2 (3.3.9-1) unstable; urgency=medium


  * New upstream release.
  * Temporary only watch 3.3.x releases.

 -- Patrick Matthäi <email address hidden>  Tue, 09 Sep 2014 16:15:53 +0200

Available diffs

• diff from 3.3.8-1 to 3.3.9-1 (54.3 KiB)

otrs2 (3.3.8-1) unstable; urgency=medium


  * New upstream release.
    - Refresh hunky patch 03-backup.
  * Remove unused lintian overrides.

 -- Patrick Matthäi <email address hidden>  Wed, 09 Jul 2014 10:22:12 +0200

Available diffs

• diff from 3.3.7-2 to 3.3.8-1 (277.5 KiB)

otrs2 (3.3.7-2) unstable; urgency=medium


  * Create missing /run/otrs for the scheduler about the cronjob.
  * Remove otrs2 cron.d symlink on purge.
  * Check also for /etc/cron.d/otrs in postinst.

 -- Patrick Matthäi <email address hidden>  Fri, 23 May 2014 10:02:48 +0200

Available diffs

• diff from 3.3.7-1 to 3.3.7-2 (1.9 KiB)

otrs2 (3.3.7-1) unstable; urgency=medium


  * New upstream release.
    - Rewrite patch 01-cron.
    - Refresh hunky patch 07-dont-chown-links.
    - Refresh hunky patch 09-disable-DashboardProductNotify.
    - Refresh hunky patch 12-use-debian-libjs-packages.
    - init script has been removed.
  * Automatic link /etc/otrs/cron to /etc/cron.d/otrs2.
  * Remove deprecated cron snippet from postinst.

 -- Patrick Matthäi <email address hidden>  Tue, 13 May 2014 11:13:58 +0200

Available diffs

• diff from 3.3.6-1 to 3.3.7-1 (181.3 KiB)