Package: otrs2
Version: 6.0.36-2
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for otrs2. Couldn't find any
Znuny references yet.

CVE-2021-36096[0]
Generated Support Bundles contains private S/MIME and PGP keys if
containing folder is not hidden. This issue affects: OTRS AG ((OTRS))
Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS
7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior
versions.
https://otrs.com/release-notes/otrs-security-advisory-2021-10/

CVE-2021-36095[1]
Malicious attacker is able to find out valid user logins by using the
"lost password" feature. This issue affects: OTRS AG ((OTRS)) Community
Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version
7.0.28 and prior versions.
https://otrs.com/release-notes/otrs-security-advisory-2021-18/

CVE-2021-36094[2]
It's possible to craft a request for appointment edit screen, which could
lead to the XSS attack. This issue affects: OTRS AG ((OTRS)) Community
Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x
version 7.0.28 and prior versions.
https://otrs.com/release-notes/otrs-security-advisory-2021-17/

CVE-2021-36093[3]
It's possible to create an email which can be stuck while being processed
by PostMaster filters, causing DoS. This issue affects: OTRS AG ((OTRS))
Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS
7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior
versions.
https://otrs.com/release-notes/otrs-security-advisory-2021-16/

[0] https://security-tracker.debian.org/tracker/CVE-2021-36096
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36096
[1] https://security-tracker.debian.org/tracker/CVE-2021-36095
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36095
[2] https://security-tracker.debian.org/tracker/CVE-2021-36094
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36094
[3] https://security-tracker.debian.org/tracker/CVE-2021-36093
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36093

-- System Information:
Debian Release: 10.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-17-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
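A pre-flight check for the CVE-2021-36096 failure mode (a support bundle that carries private S/MIME or PGP key material), added here as an example and not part of this bug report or of OTRS/Znuny: before a bundle leaves the machine, walk the archive and refuse it if any member contains a PEM or ASCII-armored OpenPGP private-key block, or sits at a GnuPG secret-keyring path. The bundle is assumed to be a tar archive (gzip or plain); the member paths and key bodies in build_sample_bundle() are constructed dummies, not the real OTRS layout.

```python
from __future__ import annotations

import io
import re
import tarfile

# Textual markers of private key material: PEM (PKCS#1/PKCS#8/EC/OpenSSH)
# and ASCII-armored OpenPGP secret keys.
PRIVATE_KEY_MARKERS = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----"
    rb"|-----BEGIN PGP PRIVATE KEY BLOCK-----"
)

# Binary GnuPG secret keyrings carry no text marker, so flag them by path.
SECRET_KEYRING_PATHS = re.compile(r"(^|/)(secring\.gpg|private-keys-v1\.d/.+)$")

MAX_SCAN_BYTES = 4 * 1024 * 1024  # cap per member so large logs stay cheap


def scan_bundle(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member path, reason) for each member that looks like a private key."""
    findings: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if SECRET_KEYRING_PATHS.search(member.name):
                findings.append((member.name, "gnupg secret keyring path"))
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            data = fh.read(MAX_SCAN_BYTES)
            match = PRIVATE_KEY_MARKERS.search(data)
            if match:
                findings.append((member.name, match.group(0).decode("ascii")))
    return findings


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a support bundle (assumed layout, dummy key bodies)."""
    files = {
        "bundle/Kernel/Config.pm": b"package Kernel::Config;\n1;\n",
        # A public certificate is fine to ship and must not be flagged.
        "bundle/var/ssl/certs/mail.pem": (
            b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
        ),
        "bundle/var/ssl/private/mail.key": (
            b"-----BEGIN RSA PRIVATE KEY-----\nDUMMY\n-----END RSA PRIVATE KEY-----\n"
        ),
        "bundle/var/gnupg/exported.asc": (
            b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nDUMMY\n"
            b"-----END PGP PRIVATE KEY BLOCK-----\n"
        ),
        "bundle/var/gnupg/secring.gpg": b"\x95\x01\xd2\x04DUMMY",
        "bundle/var/log/otrs.log": b"[Notice] nothing to see\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_bundle(build_sample_bundle()):
        print(f"REFUSE TO SHIP: {path} ({reason})")
```

Run it against a real bundle with scan_bundle(open("bundle.tar.gz", "rb").read()) and treat a non-empty result as a hard stop; the path heuristic matters because GnuPG's binary keyrings never contain the armored marker.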