[Git][security-tracker-team/security-tracker][master] 2 commits: Add upstream tag references to several znuny commits

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Aug 17 19:15:32 BST 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6fe5fda9 by Salvatore Bonaccorso at 2023-08-17T20:14:35+02:00
Add upstream tag references to several znuny commits

- - - - -
95609623 by Salvatore Bonaccorso at 2023-08-17T20:14:59+02:00
Update status for CVE-2021-21443 and CVE-2021-21440

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3280,7 +3280,7 @@ CVE-2023-38060 (Improper Input Validation vulnerability in the ContentType param
 	[bookworm] - znuny <no-dsa> (Minor issue)
 	- otrs2 <removed>
 	[bullseye] - otrs2 <no-dsa> (Minor issue)
-	NOTE: https://github.com/znuny/Znuny/commit/355800e68c1560c1d098ec0953ee9940d2d1f836
+	NOTE: https://github.com/znuny/Znuny/commit/355800e68c1560c1d098ec0953ee9940d2d1f836 (rel-6_5_3)
 CVE-2023-38058 (An improper privilege check in the OTRS ticket move action in the agen ...)
 	NOT-FOR-US: OTRS
 	NOTE: Issue is listed as specific to 8.x, so won't affect Znuny which forked from 6.x
@@ -151793,10 +151793,10 @@ CVE-2021-36100 (Specially crafted string in OTRS system configuration can allow
 	[buster] - otrs2 <no-dsa> (Non-free not supported)
 	NOTE: https://www.znuny.org/en/releases/znuny-6-3-2
 	NOTE: https://www.znuny.org/en/advisories/zsa-2022-02
-	NOTE: https://github.com/znuny/Znuny/commit/309ec536540201a5b2741314e928c54a792bb845 (znuny 6.0.41)
-	NOTE: https://github.com/znuny/Znuny/commit/f6fe8ca2e48a18680ace94df0d84eb1e2c26e685 (znuny 6.0.41)
-	NOTE: https://github.com/znuny/Znuny/commit/42458dad68f330e3f94294348de29e48cc9432c8 (znuny 6.0.41)
-	NOTE: https://github.com/znuny/Znuny/commit/02ac202c624bfccfd97e7f4ea95e0fd4adcf7a07 (znuny 6.0.41)
+	NOTE: https://github.com/znuny/Znuny/commit/309ec536540201a5b2741314e928c54a792bb845 (rel-6_0_41)
+	NOTE: https://github.com/znuny/Znuny/commit/f6fe8ca2e48a18680ace94df0d84eb1e2c26e685 (rel-6_0_41)
+	NOTE: https://github.com/znuny/Znuny/commit/42458dad68f330e3f94294348de29e48cc9432c8 (rel-6_0_41)
+	NOTE: https://github.com/znuny/Znuny/commit/02ac202c624bfccfd97e7f4ea95e0fd4adcf7a07 (rel-6_0_41)
 CVE-2021-36099
 	RESERVED
 CVE-2021-36098
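Review bot: All four CVE-2021-36100 commit references now carry the tag rel-6_0_41, but the unchanged NOTE lines just above them point at the znuny-6-3-2 release page and zsa-2022-02. Nothing in the entry says how the 6.0.41 commits relate to the 6.3.2 release. Add a short NOTE saying whether these are the backports of the 6.3.2 fix, or add the matching commit and tag for the 6.3 branch, so the fixed version can be checked against either series.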
@@ -151824,7 +151824,7 @@ CVE-2021-36091 (Agents are able to list appointments in the calendars without re
 	[buster] - otrs2 <no-dsa> (Non-free not supported)
 	[stretch] - otrs2 <no-dsa> (Non-free not supported)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-14/
-	NOTE: https://github.com/znuny/Znuny/commit/e268f9a7b75e8c7f63c36517ea5affe3ae0a9632
+	NOTE: https://github.com/znuny/Znuny/commit/e268f9a7b75e8c7f63c36517ea5affe3ae0a9632 (rel-6_1_1)
 	NOTE: Reference is for OTRS, no reference for znuny yet (in bullseye src:otrs2 is the znuny fork)
 CVE-2021-3632 (A flaw was found in Keycloak. This vulnerability allows anyone to regi ...)
 	NOT-FOR-US: Keycloak
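Review bot: In the CVE-2021-36091 entry, the unchanged line right after the updated reference still reads "NOTE: Reference is for OTRS, no reference for znuny yet (in bullseye src:otrs2 is the znuny fork)", which no longer holds now that the Znuny commit is annotated with rel-6_1_1. The same NOTE is removed for CVE-2021-21443 and CVE-2021-21440 later in this patch, so drop or reword it here too. Also check whether this entry needs a "- znuny <not-affected>" line like those two, if it does not already have one above the visible context.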
@@ -189524,9 +189524,9 @@ CVE-2021-21443 (Agents are able to list customer user emails without required pe
 	- otrs2 6.0.32-6 (bug #991593)
 	[buster] - otrs2 <no-dsa> (Non-free not supported)
 	[stretch] - otrs2 <no-dsa> (Non-free not supported)
+	- znuny <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-13/
-	NOTE: https://github.com/znuny/Znuny/commit/48ee5532911be5453cc8bed1e437a64c21bcc072
-	NOTE: Reference is for OTRS, no reference for znuny yet (in bullseye src:otrs2 is the znuny fork)
+	NOTE: https://github.com/znuny/Znuny/commit/48ee5532911be5453cc8bed1e437a64c21bcc072 (rel-6_1_1)
 CVE-2021-21442 (In the project create screen it's possible to inject malicious JS code ...)
 	NOT-FOR-US: OTRS TimeAccounting module
 CVE-2021-21441 (There is a XSS vulnerability in the ticket overview screens. It's poss ...)
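Review bot: Removing "Reference is for OTRS, no reference for znuny yet (in bullseye src:otrs2 is the znuny fork)" from CVE-2021-21443 also removes the only statement in the entry explaining why a Znuny commit is cited for a fix tracked under otrs2 6.0.32-6. The first half is rightly obsolete, but consider keeping the parenthetical as its own NOTE (for example "NOTE: In bullseye src:otrs2 is the znuny fork") so the link between the otrs2 lines and the rel-6_1_1 reference stays documented.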
@@ -189535,21 +189535,21 @@ CVE-2021-21441 (There is a XSS vulnerability in the ticket overview screens. It'
 	[stretch] - otrs2 <no-dsa> (Non-free not supported)
 	- znuny <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-11/
-	NOTE: Fixed by: https://github.com/znuny/Znuny/commit/48b8d2bc85280d702bd0d21783f5d31e2fa5fa51 (znuny 6.0.34)
+	NOTE: Fixed by: https://github.com/znuny/Znuny/commit/48b8d2bc85280d702bd0d21783f5d31e2fa5fa51 (rel-6_0_34)
 CVE-2021-21440 (Generated Support Bundles contains private S/MIME and PGP keys if cont ...)
 	- otrs2 6.0.32-6 (bug #991593)
 	[buster] - otrs2 <no-dsa> (Non-free not supported)
 	[stretch] - otrs2 <no-dsa> (Non-free not supported)
+	- znuny <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-10/
-	NOTE: https://github.com/znuny/Znuny/commit/c5c90087d4187da5c456a80289fa088a19511934
-	NOTE: Reference is for OTRS, no reference for znuny yet (in bullseye src:otrs2 is the znuny fork)
+	NOTE: https://github.com/znuny/Znuny/commit/c5c90087d4187da5c456a80289fa088a19511934 (rel-6_1_1)
 CVE-2021-21439 (DoS attack can be performed when an email contains specially designed  ...)
 	- otrs2 6.0.32-5 (bug #989992)
 	[buster] - otrs2 <no-dsa> (Non-free not supported)
 	[stretch] - otrs2 <no-dsa> (Non-free not supported)
 	- znuny <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-09/
-	NOTE: Fixed by: https://github.com/znuny/Znuny/commit/b67e43f73dbb3c029504a082c7807677ed091d23 (znuny 6.0.33)
+	NOTE: Fixed by: https://github.com/znuny/Znuny/commit/b67e43f73dbb3c029504a082c7807677ed091d23 (rel-6_0_33)
 CVE-2021-21438 (Agents are able to see linked FAQ articles without permissions (define ...)
 	NOT-FOR-US: OTRS FAQ addon (and OTRS 7 which is proprietary)
 CVE-2021-21437 (Agents are able to see linked Config Items without permissions, which  ...)
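Review bot: The rewritten CVE-2021-21440 reference is a bare "NOTE: <url> (rel-6_1_1)", while the CVE-2021-21441 and CVE-2021-21439 entries in this same hunk use "NOTE: Fixed by: <url> (tag)". The entry is now marked <not-affected> with "Fixed before initial upload to Debian" on the strength of that commit, so use the "Fixed by:" prefix here as well. That makes it explicit that the commit is the fix rather than a related reference, and keeps the three entries consistent.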



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/11547d967b5bc1196bb9aea903d00bfecf28a613...956096234d81caa2c603578351abcb9f518143ff
