Hello community,

here is the log from the commit of package otrs for openSUSE:Factory checked in 
at 2020-04-09 23:14:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/otrs (Old)
 and      /work/SRC/openSUSE:Factory/.otrs.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "otrs"

Thu Apr  9 23:14:58 2020 rev:68 rq:792266 version:6.0.27

Changes:
--------
--- /work/SRC/openSUSE:Factory/otrs/otrs.changes        2019-12-29 
15:50:01.275185094 +0100
+++ /work/SRC/openSUSE:Factory/.otrs.new.3248/otrs.changes      2020-04-09 
23:15:01.746229735 +0200
@@ -1,0 +2,74 @@
+Tue Apr  7 21:54:05 UTC 2020 - ch...@computersalat.de
+
+- Update to 6.0.27
+  https://community.otrs.com/otrs-community-edition-6-patch-level-27/
+- fix for
+  * boo#1168029 (CVE-2020-1773, OSA-2020-10)
+    Session / Password / Password token leak
+    An attacker with the ability to generate session IDs or password
+    reset tokens, either by being able to authenticate or by exploiting
+    OSA-2020-09, may be able to predict other users session IDs,
+    password reset tokens and automatically generated passwords.
+  * boo#1168029 (CVE-2020-1772, OSA-2020-09)
+    Information Disclosure
+    It’s possible to craft Lost Password requests with wildcards in
+    the Token value, which allows attacker to retrieve valid Token(s),
+    generated by users which already requested new passwords.
+  * boo#1168030 (CVE-2020-1771, OSA-2020-08)
+    Possible XSS in Customer user address book
+    Attacker is able craft an article with a link to the customer
+    address book with malicious content (JavaScript). When agent opens
+    the link, JavaScript code is executed due to the missing parameter
+    encoding.
+  * boo#1168031 (CVE-2020-1770, OSA-2020-07)
+    Information disclosure in support bundle files
+    Support bundle generated files could contain sensitive information
+    that might be unwanted to be disclosed.
+  * boo#1168032 (CVE-2020-1769, OSA-2020-06)
+    Autocomplete in the form login screens
+    In the login screens (in agent and customer interface), Username
+    and Password fields use autocomplete, which might be considered
+    as security issue.
+- Update to 6.0.26
+  https://community.otrs.com/otrs-community-edition-6-patch-level-26/
+  * (CVE-2019-11358, OSA-2020-05)
+    Possible to send drafted messages as wrong agent
+    OTRS use jquery version 3.2.1, which is vulnerable to the prototype
+    pollution attack. For more information, please read following
+    article https://snyk.io/test/npm/jquery/3.2.1
+
+-------------------------------------------------------------------
+Mon Feb  3 15:16:24 UTC 2020 - Dominique Leuenberger <dims...@opensuse.org>
+
+- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to
+  shortcut through the -mini flavors.
+
+-------------------------------------------------------------------
+Fri Jan 10 19:17:19 UTC 2020 - ch...@computersalat.de
+
+- Update to 6.0.25
+  https://community.otrs.com/otrs-community-edition-6-patch-level-25/
+- fix for boo#1160663
+  * (CVE-2020-1767, OSA-2020-03)
+    Possible to send drafted messages as wrong agent
+    Agent A is able to save a draft (i.e. for customer reply). Then
+    Agent B can open the draft, change the text completely and send
+    it in the name of Agent A. For the customer it will not be
+    visible that the message was sent by another agent.
+  * (CVE-2020-1766, OSA-2020-02)
+    Improper handling of uploaded inline images
+    Due to improper handling of uploaded images it is possible in very
+    unlikely and rare conditions to force the agents browser to execute
+    malicious javascript from a special crafted SVG file rendered as
+    inline jpg file.
+  * (CVE-2020-1765, OSA-2020-01)
+    Spoofing of From field in several screens
+    An improper control of parameters allows the spoofing of the from
+    fields of the following screens:
+    AgentTicketCompose, AgentTicketForward, AgentTicketBounce and
+    AgentTicketEmailOutbound
+  * run bin/otrs.Console.pl Maint::Config::Rebuild after the upgrade
+- update itsm-update.sh
+  * add Reject for *6.0.?.opm files
+
+-------------------------------------------------------------------
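Review bot: In the 6.0.26 entry, the title under (CVE-2019-11358, OSA-2020-05) reads "Possible to send drafted messages as wrong agent", which repeats the title given for CVE-2020-1767 in the 6.0.25 entry and does not match the description that follows about jQuery 3.2.1 and prototype pollution. It looks like a copy-paste and should name the jQuery issue instead. That entry also carries no boo# reference while the other fixes do, and CVE-2020-1773 and CVE-2020-1772 both cite boo#1168029, so please confirm the shared number is intended.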

Old:
----
  itsm-6.0.24.tar.bz2
  otrs-6.0.24.tar.bz2

New:
----
  itsm-6.0.27.tar.bz2
  otrs-6.0.27.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ otrs.spec ++++++
--- /var/tmp/diff_new_pack.F8XaKj/_old  2020-04-09 23:15:04.306231215 +0200
+++ /var/tmp/diff_new_pack.F8XaKj/_new  2020-04-09 23:15:04.306231215 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package otrs
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,8 +23,8 @@
 
 Name:           otrs
 
-%define otrs_ver 6.0.24
-%define itsm_ver 6.0.24
+%define otrs_ver 6.0.27
+%define itsm_ver 6.0.27
 %define itsm_min 6
 %define otrs_root /srv/%{name}
 %define otrsdoc_dir_files AUTHORS* CHANGES* COPYING* CREDITS README* 
UPGRADING.SUSE doc
@@ -71,8 +71,8 @@
 BuildRequires:  pwdutils
 #
 %if 0%{?suse_version} >= 1210
-BuildRequires:  systemd
-%{?systemd_requires}
+BuildRequires:  pkgconfig(systemd)
+%{?systemd_ordering}
 %define has_systemd 1
 %endif
 #
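Review bot: The switch from `%{?systemd_requires}` to `%{?systemd_ordering}` is not documented in the changelog; the Feb 3 entry describes only the BuildRequires change to pkgconfig(systemd). Since this swaps the macro that governs how the package depends on systemd at install time, add a changelog line for it and confirm the package scriptlets still behave correctly when systemd is not installed.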

++++++ itsm-6.0.24.tar.bz2 -> itsm-6.0.27.tar.bz2 ++++++
/work/SRC/openSUSE:Factory/otrs/itsm-6.0.24.tar.bz2 
/work/SRC/openSUSE:Factory/.otrs.new.3248/itsm-6.0.27.tar.bz2 differ: char 11, 
line 1

++++++ itsm-update.sh ++++++
--- /var/tmp/diff_new_pack.F8XaKj/_old  2020-04-09 23:15:04.362231247 +0200
+++ /var/tmp/diff_new_pack.F8XaKj/_new  2020-04-09 23:15:04.362231247 +0200
@@ -22,7 +22,7 @@
     PMINOR=$((${MAJOR} - 1))
     PMINOR_PKG=${PMINOR}
     PREJECT="*$((PMINOR - 1)).0.9?.opm,*$((MAJOR - 1)).0.?.opm,*$((MAJOR - 
1)).0.1?.opm,*$((MAJOR - 1)).0.2?.opm"
-    REJECT="*${PMINOR}.0.9?.opm,*${MAJOR}.0.9?.opm"
+    REJECT="*${PMINOR}.0.9?.opm,*${MAJOR}.0.9?.opm,*${MAJOR}.0.?.opm"
 fi
 
 if [[ ! -d itsm-${VERSION} ]]; then
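Review bot: The added pattern `*${MAJOR}.0.?.opm` in REJECT is unanchored on the left and uses `?`, which matches any single character rather than a digit, so it also matches names whose version merely ends in the MAJOR digit (for example a 16.0.x file) or has a non-numeric patch character. A short comment stating that the intent is to drop single-digit patch levels of the current major would help, and `[0-9]` in place of `?` would make the match stricter. Only this branch of the `if` is visible in the hunk; if REJECT is set in another branch as well, check whether it needs the same pattern.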

++++++ otrs-6.0.24.tar.bz2 -> otrs-6.0.27.tar.bz2 ++++++
/work/SRC/openSUSE:Factory/otrs/otrs-6.0.24.tar.bz2 
/work/SRC/openSUSE:Factory/.otrs.new.3248/otrs-6.0.27.tar.bz2 differ: char 11, 
line 1

