Hello community,

here is the log from the commit of package otrs for openSUSE:Factory checked in at 2020-04-09 23:14:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/otrs (Old)
 and      /work/SRC/openSUSE:Factory/.otrs.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "otrs" Thu Apr 9 23:14:58 2020 rev:68 rq:792266 version:6.0.27 Changes: -------- --- /work/SRC/openSUSE:Factory/otrs/otrs.changes 2019-12-29 15:50:01.275185094 +0100 +++ /work/SRC/openSUSE:Factory/.otrs.new.3248/otrs.changes 2020-04-09 23:15:01.746229735 +0200 
@@ -1,0 +2,74 @@ +Tue Apr 7 21:54:05 UTC 2020 - ch...@computersalat.de + +- Update to 6.0.27 + https://community.otrs.com/otrs-community-edition-6-patch-level-27/ +- fix for + * boo#1168029 (CVE-2020-1773, OSA-2020-10) + Session / Password / Password token leak + An attacker with the ability to generate session IDs or password + reset tokens, either by being able to authenticate or by exploiting + OSA-2020-09, may be able to predict other users session IDs, + password reset tokens and automatically generated passwords. + * boo#1168029 (CVE-2020-1772, OSA-2020-09) + Information Disclosure + It’s possible to craft Lost Password requests with wildcards in + the Token value, which allows attacker to retrieve valid Token(s), + generated by users which already requested new passwords. + * boo#1168030 (CVE-2020-1771, OSA-2020-08) + Possible XSS in Customer user address book + Attacker is able craft an article with a link to the customer + address book with malicious content (JavaScript). When agent opens + the link, JavaScript code is executed due to the missing parameter + encoding. + * boo#1168031 (CVE-2020-1770, OSA-2020-07) + Information disclosure in support bundle files + Support bundle generated files could contain sensitive information + that might be unwanted to be disclosed. + * boo#1168032 (CVE-2020-1769, OSA-2020-06) + Autocomplete in the form login screens + In the login screens (in agent and customer interface), Username + and Password fields use autocomplete, which might be considered + as security issue. +- Update to 6.0.26 + https://community.otrs.com/otrs-community-edition-6-patch-level-26/ + * (CVE-2019-11358, OSA-2020-05) + Possible to send drafted messages as wrong agent + OTRS use jquery version 3.2.1, which is vulnerable to the prototype + pollution attack. 
For more information, please read following + article https://snyk.io/test/npm/jquery/3.2.1 + +------------------------------------------------------------------- +Mon Feb 3 15:16:24 UTC 2020 - Dominique Leuenberger <dims...@opensuse.org> + +- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to + shortcut through the -mini flavors. + +------------------------------------------------------------------- +Fri Jan 10 19:17:19 UTC 2020 - ch...@computersalat.de + +- Update to 6.0.25 + https://community.otrs.com/otrs-community-edition-6-patch-level-25/ +- fix for boo#1160663 + * (CVE-2020-1767, OSA-2020-03) + Possible to send drafted messages as wrong agent + Agent A is able to save a draft (i.e. for customer reply). Then + Agent B can open the draft, change the text completely and send + it in the name of Agent A. For the customer it will not be + visible that the message was sent by another agent. + * (CVE-2020-1766, OSA-2020-02) + Improper handling of uploaded inline images + Due to improper handling of uploaded images it is possible in very + unlikely and rare conditions to force the agents browser to execute + malicious javascript from a special crafted SVG file rendered as + inline jpg file. 
+ * (CVE-2020-1765, OSA-2020-01) + Spoofing of From field in several screens + An improper control of parameters allows the spoofing of the from + fields of the following screens: + AgentTicketCompose, AgentTicketForward, AgentTicketBounce and + AgentTicketEmailOutbound + * run bin/otrs.Console.pl Maint::Config::Rebuild after the upgrade +- update itsm-update.sh + * add Reject for *6.0.?.opm files + +------------------------------------------------------------------- Old: ---- itsm-6.0.24.tar.bz2 otrs-6.0.24.tar.bz2 New: ---- itsm-6.0.27.tar.bz2 otrs-6.0.27.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ otrs.spec ++++++ --- /var/tmp/diff_new_pack.F8XaKj/_old 2020-04-09 23:15:04.306231215 +0200 +++ /var/tmp/diff_new_pack.F8XaKj/_new 2020-04-09 23:15:04.306231215 +0200 @@ -1,7 +1,7 @@ # # spec file for package otrs # -# Copyright (c) 2019 SUSE LLC +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,8 +23,8 @@ Name: otrs -%define otrs_ver 6.0.24 -%define itsm_ver 6.0.24 +%define otrs_ver 6.0.27 +%define itsm_ver 6.0.27 %define itsm_min 6 %define otrs_root /srv/%{name} %define otrsdoc_dir_files AUTHORS* CHANGES* COPYING* CREDITS README* UPGRADING.SUSE doc @@ -71,8 +71,8 @@ BuildRequires: pwdutils # %if 0%{?suse_version} >= 1210 -BuildRequires: systemd -%{?systemd_requires} +BuildRequires: pkgconfig(systemd) +%{?systemd_ordering} %define has_systemd 1 %endif # ++++++ itsm-6.0.24.tar.bz2 -> itsm-6.0.27.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/otrs/itsm-6.0.24.tar.bz2 /work/SRC/openSUSE:Factory/.otrs.new.3248/itsm-6.0.27.tar.bz2 differ: char 11, line 1 ++++++ itsm-update.sh ++++++ --- /var/tmp/diff_new_pack.F8XaKj/_old 2020-04-09 23:15:04.362231247 +0200 +++ /var/tmp/diff_new_pack.F8XaKj/_new 2020-04-09 23:15:04.362231247 +0200 
@@ -22,7 +22,7 @@ PMINOR=$((${MAJOR} - 1)) PMINOR_PKG=${PMINOR} PREJECT="*$((PMINOR - 1)).0.9?.opm,*$((MAJOR - 1)).0.?.opm,*$((MAJOR - 1)).0.1?.opm,*$((MAJOR - 1)).0.2?.opm" - REJECT="*${PMINOR}.0.9?.opm,*${MAJOR}.0.9?.opm" + REJECT="*${PMINOR}.0.9?.opm,*${MAJOR}.0.9?.opm,*${MAJOR}.0.?.opm" fi if [[ ! -d itsm-${VERSION} ]]; then ++++++ otrs-6.0.24.tar.bz2 -> otrs-6.0.27.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/otrs/otrs-6.0.24.tar.bz2 /work/SRC/openSUSE:Factory/.otrs.new.3248/otrs-6.0.27.tar.bz2 differ: char 11, line 1
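Review bot: in the otrs.changes hunk, the 6.0.26 entry "(CVE-2019-11358, OSA-2020-05)" carries the headline "Possible to send drafted messages as wrong agent", which is the headline of the CVE-2020-1767 (OSA-2020-03) entry further down, while its own body describes the jQuery 3.2.1 prototype pollution issue; the headline looks copy-pasted and should name the jQuery issue instead. In the same hunk, both CVE-2020-1773 (OSA-2020-10) and CVE-2020-1772 (OSA-2020-09) cite boo#1168029 while every other 6.0.27 fix has its own bug number (boo#1168030, boo#1168031, boo#1168032); please confirm that the two advisories really share one bug, otherwise one of the two references is wrong.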
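Review bot: in the otrs.spec hunk at "@@ -71,8 +71,8 @@", swapping "%{?systemd_requires}" for "%{?systemd_ordering}" is a runtime-dependency change (the ordering macro only orders the package against systemd, it does not add the hard Requires(pre/post/preun/postun) on systemd that systemd_requires adds), but the Feb 3 changes entry only mentions the "BuildRequire pkgconfig(systemd) instead of systemd" switch. Either add the macro change to that changes entry, or keep "%{?systemd_requires}" if the package's systemd scriptlets need systemd to be installed at %post/%preun time.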
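Review bot: in the itsm-update.sh hunk, the pattern "*${MAJOR}.0.?.opm" appended to REJECT uses the single-character "?" glob, so with MAJOR=6 it matches only 6.0.0 through 6.0.9; the two-digit patch levels (6.0.10 and up, which this update itself ships as 6.0.27) are left alone, whereas PREJECT on the line above spells out ".0.?", ".0.1?" and ".0.2?" for the previous major. If only 6.0.0 to 6.0.9 are meant to be rejected this is fine but deserves a comment next to the assignment, since the changes entry ("add Reject for *6.0.?.opm files") reads as if all stale 6.0.x bundles were covered; if all older 6.0.x bundles are meant, the pattern needs to be derived from ${VERSION} so that it does not also reject the current 6.0.27 files.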