CVE-2021-36095: may not be fixed with 6.1.2
CVE-2021-36093: znuny not affected / not reproducible
On 07.09.2021 at 09:49, Neil Williams wrote:
> Package: otrs2
> Version: 6.0.36-2
> Severity: important
> Tags: security upstream
>
> Hi,
>
> The following vulnerabilities were published for otrs2. Couldn't
> find any Znuny references yet.
>
> CVE-2021-36096[0]
> Generated Support Bundles contain private S/MIME and PGP keys if the
> containing folder is not hidden. This issue affects: OTRS AG ((OTRS))
> Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS
> 7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior
> versions.
> https://otrs.com/release-notes/otrs-security-advisory-2021-10/
>
> CVE-2021-36095[1]
> A malicious attacker is able to find out valid user logins by using the
> "lost password" feature. This issue affects: OTRS AG ((OTRS)) Community
> Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version
> 7.0.28 and prior versions.
> https://otrs.com/release-notes/otrs-security-advisory-2021-18/
>
> CVE-2021-36094[2]
> It's possible to craft a request for the appointment edit screen which
> could lead to an XSS attack. This issue affects: OTRS AG ((OTRS))
> Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS
> 7.0.x version 7.0.28 and prior versions.
> https://otrs.com/release-notes/otrs-security-advisory-2021-17/
>
> CVE-2021-36093[3]
> It's possible to create an email which can get stuck while being
> processed by PostMaster filters, causing DoS. This issue affects: OTRS
> AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions.
> OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version
> 8.0.15 and prior versions.
> https://otrs.com/release-notes/otrs-security-advisory-2021-16/
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-36096
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36096
>
> [1] https://security-tracker.debian.org/tracker/CVE-2021-36095
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36095
>
> [2] https://security-tracker.debian.org/tracker/CVE-2021-36094
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36094
>
> [3] https://security-tracker.debian.org/tracker/CVE-2021-36093
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36093
>
>
> -- System Information:
> Debian Release: 10.10
>   APT prefers oldstable-updates
>   APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-17-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_GB:en (charmap=UTF-8)
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled

-- 
/*
With kind regards,

Patrick Matthäi
GNU/Linux Debian Developer

Blog: https://www.linux-dev.org/
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
*/
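The CVE-2021-36095 item above describes the generic "lost password" user-enumeration weakness: the feature answers differently for logins that exist and logins that do not. The following is an added illustration of that defect and its standard mitigation in Python; it is not OTRS or Znuny code and does not reproduce their implementation. The user store, the outbox and the handler names are constructed for the example.

```python
import secrets

# Constructed sample user store (login -> e-mail); not real OTRS data.
USERS = {
    "agent1": "agent1@example.invalid",
    "agent2": "agent2@example.invalid",
}

# Collects the reset mails a handler "sends"; a real system hands these to an MTA.
OUTBOX = []


def lost_password_leaky(login):
    """Vulnerable pattern (hypothetical handler): the reply text differs
    depending on whether the login exists, and token generation only runs
    for existing accounts, so both the message and the response time tell
    a caller which logins are valid."""
    if login not in USERS:
        return "No such user."
    token = secrets.token_urlsafe(32)
    OUTBOX.append((USERS[login], token))
    return "Password reset link sent."


def lost_password_uniform(login):
    """Hardened pattern (hypothetical handler): one fixed message for every
    input, and the costly work (token generation) is done unconditionally
    so the existing/non-existing branches cost about the same. Only the
    mail to the account owner depends on the lookup result."""
    token = secrets.token_urlsafe(32)
    if login in USERS:
        OUTBOX.append((USERS[login], token))
    # Same text whether or not the account exists.
    return "If that login exists, a password reset link has been sent."


def responses_distinguishable(handler, known_login, unknown_login):
    """Check used by a reviewer or test: True when the handler's reply lets
    a caller tell a valid login apart from an invalid one."""
    return handler(known_login) != handler(unknown_login)


if __name__ == "__main__":
    for h in (lost_password_leaky, lost_password_uniform):
        leak = responses_distinguishable(h, "agent1", "nobody")
        print(f"{h.__name__}: enumerable={leak}")
```

The uniform variant still delivers the reset link to a real account, so the feature loses nothing; what changes is that the HTTP response no longer depends on the lookup. Rate limiting the endpoint per source address and per target login is the usual companion control, since a uniform message alone does not stop a caller from observing side channels such as mail-delivery behaviour.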