On Fri, Aug 06, 2021 at 08:08:45AM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Thu, Aug 05, 2021 at 11:49:41AM +0200, Moritz Mühlenhoff wrote:
> > On Thu, Aug 05, 2021 at 09:19:14AM +0000, Debian FTP Masters wrote:
> > > Source: otrs2
> > > Source-Version: 6.0.32-6
> > > Done: Patrick Matthäi <pmatth...@debian.org>
> > > 
> > > We believe that the bug you reported is fixed in the latest version of
> > > otrs2, which is due to be installed in the Debian FTP archive.
> > > 
> > > A summary of the changes between this version and the previous one is
> > > attached.
> > > 
> > > Thank you for reporting the bug, which will now be closed.  If you
> > > have further comments please address them to 991...@bugs.debian.org,
> > > and the maintainer will reopen the bug report if appropriate.
> > > 
> > > Debian distribution maintenance software
> > > pp.
> > > Patrick Matthäi <pmatth...@debian.org> (supplier of updated otrs2 package)
> > > 
> > > (This message was generated automatically at their request; if you
> > > believe that there is a problem with it please contact the archive
> > > administrators by mailing ftpmas...@ftp-master.debian.org)
> > > 
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > > 
> > > Format: 1.8
> > > Date: Thu, 05 Aug 2021 10:37:30 +0200
> > > Source: otrs2
> > > Architecture: source
> > > Version: 6.0.32-6
> > > Distribution: unstable
> > > Urgency: high
> > > Maintainer: Patrick Matthäi <pmatth...@debian.org>
> > > Changed-By: Patrick Matthäi <pmatth...@debian.org>
> > > Closes: 991593
> > > Changes:
> > >  otrs2 (6.0.32-6) unstable; urgency=high
> > >  .
> > >    * Add upstream patches to fix CVE-2021-36091, CVE-2021-21440 and
> > >      CVE-2021-21443.
> > >      Closes: #991593
> > 
> > Hi Patrick,
> > what about CVE-2021-36092, does that need to be split off to a separate
> > bug or is znuny as packaged in Debian not affected?
> 
> Probably sensible to split up the bug. Comments from upstream on it:
> https://github.com/znuny/Znuny/issues/105#issuecomment-894013730

Let's track it as <undetermined>, Znuny upstream did their due diligence
to the extent possible allowed by OTRS controlling the information, and
without concrete details (and given that they could not reproduce), there's
no need to track this as a vulnerability affecting Znuny.

Cheers,
        Moritz
