On Mon, Mar 01, 2021 at 11:46:17AM +0100, Patrick Matthäi wrote: > Hi > > Am 12.02.21 um 08:26 schrieb Salvatore Bonaccorso: > > Source: otrs2 > > Version: 6.0.30-2 > > Severity: important > > Tags: security upstream > > X-Debbugs-Cc: car...@debian.org, Debian Security Team > > <t...@security.debian.org> > > > > Hi, > > > > The following vulnerability was published for otrs2. > > > > CVE-2021-21435[0]: > > | Article Bcc fields and agent personal information are shown when > > | customer prints the ticket (PDF) via external interface. This issue > > | affects: OTRS AG OTRS 7.0.x version 7.0.23 and prior versions; 8.0.x > > | version 8.0.10 and prior versions. > > > > According to [1] it affects as well the 6.0.x versions but there is no > > mention of a fix in the 6.0.x series yet. > > > > > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > For further information see: > > > > [0] https://security-tracker.debian.org/tracker/CVE-2021-21435 > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21435 > > [1] https://otrs.com/release-notes/otrs-security-advisory-2021-02/ > > > > Please adjust the affected versions in the BTS as needed. > > > > Regards, > > Salvatore > As described before before this issue does not affect the OTRS 6 community > edition, since it relies on an external interface, which is only part of the > business edition and otrs 7/8.
Okay thanks. What is confusing though is that they describe it on theyr advisory page as explicitly affecting OTRS 6.x: > This issue affects ((OTRS)) Community Edition 6.0.x. But then we trust you that this is not the case. Regards, Salvatore