Hi Patrick,

On Thu, Nov 03, 2016 at 09:06:55PM +0100, Patrick Matthäi wrote:
> On 03.11.2016 at 19:48, Salvatore Bonaccorso wrote:
> > Source: otrs2
> > Version: 3.3.9-1
> > Severity: important
> > Tags: security upstream fixed-upstream
> >
> > Hi,
> >
> > the following vulnerability was published for otrs2.
> >
> > CVE-2016-9139[0]:
> > |An attacker could trick an authenticated agent or customer into opening
> > |a malicious attachment which could lead to the execution of JavaScript
> > |in OTRS context
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-9139
> > [1] https://www.otrs.com/security-advisory-2016-02-security-update-otrs/
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Hi,
>
> Yeah, I already saw it, and stable is affected also. Upstream says the
> severity is low and I also would say IMHO that this is no candidate for
> a jessie security update. What do you think?

Yes, agreed. I think it would be enough to fix this issue via the upcoming
point release and it does not warrant a DSA on its own.

Regards,
Salvatore