Change logs for otrs2 source package in Zesty

  • otrs2 (5.0.16-1+deb9u3build0.17.04.1) zesty-security; urgency=medium
    
      * fake sync from Debian
    
    otrs2 (5.0.16-1+deb9u3) stretch-security; urgency=high
    
      * Add patch 17-CVE-2017-16664:
        This fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is
        logged into OTRS as an agent can request special URLs from OTRS which can
        lead to the execution of shell commands with the permissions of the web
        server user.
        Closes: #882370
    
     -- Tyler Hicks <email address hidden>  Tue, 28 Nov 2017 15:54:41 +0000
  • otrs2 (5.0.16-1+deb9u2build0.17.04.1) zesty-security; urgency=medium
    
      * fake sync from Debian
    
    otrs2 (5.0.16-1+deb9u2) stretch-security; urgency=high
    
      * Add patch 16-CVE-2017-14635:
        This fixes OSA-2017-04, also known as CVE-2017-14635: An attacker who is
        logged into OTRS as an agent with write permissions for statistics can
        inject arbitrary code into the system. This can lead to serious problems
        like privilege escalation, data loss, and denial of service.
        Closes: #876462
    
    otrs2 (5.0.16-1+deb9u1) stretch-security; urgency=high
    
      * Add patch 15-CVE-2017-9324:
        This fixes OSA-2017-03, also known as CVE-2017-9324: An attacker with
        agent permission is capable, by opening a specific URL in a browser, of
        gaining administrative privileges / full access. Afterward, all system
        settings can be read and changed.
        Closes: #864319
    
     -- Marc Deslauriers <email address hidden>  Mon, 13 Nov 2017 12:52:04 -0500
  • otrs2 (5.0.16-1) unstable; urgency=low
    
      * New upstream release.
        - Refresh patch 09-disable-DashboardProductNotify.
        - Refresh patch 14-font-paths.
    
     -- Patrick Matthäi <email address hidden>  Tue, 24 Jan 2017 12:31:59 +0100
  • otrs2 (5.0.15-1) unstable; urgency=medium
    
      * New upstream release.
        - Refresh patch 01-cron.
        - Refresh patch 03-backup.
        - Refresh patch 07-otrs-business-check.
        - Refresh patch 09-disable-DashboardProductNotify.
        - Refresh patch 11-do-not-test-file-writes.
        - Refresh patch 14-font-paths.
      * Merge 5.0.14-1~bpo8+1 changelog.
    
     -- Patrick Matthäi <email address hidden>  Mon, 19 Dec 2016 16:31:47 +0100
  • otrs2 (5.0.14-1) unstable; urgency=high
    
      * New upstream release.
        - Fixes CVE-2016-9139, also known as OSA-2016-02: An attacker could trick
          an authenticated agent or customer into opening a malicious attachment
          which could lead to the execution of JavaScript in OTRS context.
          Closes: #843091
      * Adjust lintian overrides.
    
     -- Patrick Matthäi <email address hidden>  Wed, 09 Nov 2016 10:06:51 +0100
  • otrs2 (5.0.13-2) unstable; urgency=medium
    
      * Move package from main to non-free, because of the "browserified" issue as
        long as there is no way to replace all embedded javascript code copies
        safely (without introducing new issues as in the past) from the package.
        Closes: #695664, #836181
      * Merge 5.0.13-1~bpo8+1 changelog.
      * Recommend default-mysql-client and default-mysql-server package.
    
     -- Patrick Matthäi <email address hidden>  Mon, 17 Oct 2016 10:25:02 +0200
  • otrs2 (5.0.12-1) unstable; urgency=medium
    
      * New upstream release.
        - Refresh patch 09-disable-DashboardProductNotify.
        - Refresh patch 14-font-paths.
    
     -- Patrick Matthäi <email address hidden>  Fri, 12 Aug 2016 11:18:26 +0200