Your message dated Thu, 05 Aug 2021 09:19:14 +0000
with message-id <e1mbzx0-00018p...@fasolo.debian.org>
and subject line Bug#991593: fixed in otrs2 6.0.32-6
has caused the Debian Bug report #991593,
regarding otrs2: CVE-2021-36092 CVE-2021-36091 CVE-2021-21443 CVE-2021-21440
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
991593: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991593
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: otrs2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for otrs2. Couldn't
find any Znuny references yet.

CVE-2021-36092[0]:
| It's possible to create an email which contains specially crafted link
| and it can be used to perform XSS attack. This issue affects: OTRS AG
| ((OTRS)) Community Edition:6.0.x version 6.0.1 and later versions.
| OTRS AG OTRS: 7.0.x version 7.0.27 and prior versions; 8.0.x version
| 8.0.14 and prior versions.

https://otrs.com/release-notes/otrs-security-advisory-2021-15/

CVE-2021-36091[1]:
| Agents are able to list appointments in the calendars without required
| permissions. This issue affects: OTRS AG ((OTRS)) Community Edition:
| 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions
| prior to 7.0.27.

https://otrs.com/release-notes/otrs-security-advisory-2021-14/

CVE-2021-21443[2]:
| Agents are able to list customer user emails without required
| permissions in the bulk action screen. This issue affects: OTRS AG
| ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions.
| OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

https://otrs.com/release-notes/otrs-security-advisory-2021-13/

CVE-2021-21440[3]:
| Generated Support Bundles contains private S/MIME and PGP keys if
| containing folder is not hidden. This issue affects: OTRS AG ((OTRS))
| Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS
| 7.0.x version 7.0.27 and prior versions; 8.0.x version 8.0.14 and
| prior versions.

https://otrs.com/release-notes/otrs-security-advisory-2021-13/

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36092
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36092
[1] https://security-tracker.debian.org/tracker/CVE-2021-36091
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36091
[2] https://security-tracker.debian.org/tracker/CVE-2021-21443
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21443
[3] https://security-tracker.debian.org/tracker/CVE-2021-21440
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21440

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: otrs2
Source-Version: 6.0.32-6
Done: Patrick Matthäi <pmatth...@debian.org>

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 991...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 05 Aug 2021 10:37:30 +0200
Source: otrs2
Architecture: source
Version: 6.0.32-6
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Closes: 991593
Changes:
 otrs2 (6.0.32-6) unstable; urgency=high
 .
   * Add upstream patches to fix CVE-2021-36091, CVE-2021-21440 and
     CVE-2021-21443.
     Closes: #991593


--- End Message ---
