[Git][security-tracker-team/security-tracker][master] Reserve DLA-3551-1 for otrs2
Guilhem Moulin (@guilhem)
guilhem at debian.org
Wed Aug 30 23:50:37 BST 2023
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ec73b88a by Guilhem Moulin at 2023-08-31T00:50:10+02:00
Reserve DLA-3551-1 for otrs2
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -47077,7 +47077,6 @@ CVE-2022-4427 (Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG
- znuny 6.4.5-1
- otrs2 <removed>
[bullseye] - otrs2 <no-dsa> (Non-free not supported)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/advisories/zsa-2022-07
CVE-2022-4426 (The Mautic Integration for WooCommerce WordPress plugin before 1.0.3 d ...)
NOT-FOR-US: WordPress plugin
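Review bot: dropping the `[buster] - otrs2 <no-dsa> (Non-free not supported)` line here is only correct because the DLA-3551-1 entry added in data/DLA/list lists CVE-2022-4427, so the buster status for this CVE is now derived from the advisory instead of the no-dsa tag; the same one-line removal is repeated in every otrs2 hunk that follows in this file, and each of them should be checked against that DLA's CVE set the same way so that no buster tag is removed without a covering advisory. Note that the `[bullseye] - otrs2 <no-dsa> (Non-free not supported)` line above the removed one is left in place, which is consistent with the DLA covering buster only.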
@@ -140807,7 +140806,6 @@ CVE-2021-41184 (jQuery-UI is the official jQuery user interface library. Prior t
[stretch] - jqueryui <no-dsa> (Minor issue)
- otrs2 6.3.1-1
[bullseye] - otrs2 <no-dsa> (Non-free not supported)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
NOTE: https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280
@@ -140820,7 +140818,6 @@ CVE-2021-41183 (jQuery-UI is the official jQuery user interface library. Prior t
[stretch] - jqueryui <no-dsa> (Minor issue)
- otrs2 6.3.1-1
[bullseye] - otrs2 <no-dsa> (Non-free not supported)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
NOTE: https://bugs.jqueryui.com/ticket/15284
@@ -140835,7 +140832,6 @@ CVE-2021-41182 (jQuery-UI is the official jQuery user interface library. Prior t
[stretch] - jqueryui <no-dsa> (Minor issue)
- otrs2 6.3.1-1
[bullseye] - otrs2 <no-dsa> (Non-free not supported)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
NOTE: https://github.com/jquery/jquery-ui/commit/32850869d308d5e7c9bf3e3b4d483ea886d373ce
@@ -153744,7 +153740,6 @@ CVE-2021-36100 (Specially crafted string in OTRS system configuration can allow
- znuny <not-affected> (Fixed before initial upload to archive as src:znuny)
- otrs2 6.3.2-1
[bullseye] - otrs2 <no-dsa> (Non-free not supported)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://www.znuny.org/en/releases/znuny-6-3-2
NOTE: https://www.znuny.org/en/advisories/zsa-2022-02
NOTE: https://github.com/znuny/Znuny/commit/309ec536540201a5b2741314e928c54a792bb845 (rel-6_0_41)
@@ -153775,7 +153770,6 @@ CVE-2021-36092 (It's possible to create an email which contains specially crafte
NOTE: actionable information, also see https://github.com/znuny/Znuny/issues/128 and #993846
CVE-2021-36091 (Agents are able to list appointments in the calendars without required ...)
- otrs2 6.0.32-6 (bug #991593)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-14/
NOTE: https://github.com/znuny/Znuny/commit/e268f9a7b75e8c7f63c36517ea5affe3ae0a9632 (rel-6_1_1)
@@ -191534,7 +191528,6 @@ CVE-2020-35851 (HGiga MailSherlock does not validate specific parameters properl
NOT-FOR-US: HGiga MailSherlock
CVE-2021-21443 (Agents are able to list customer user emails without required permissi ...)
- otrs2 6.0.32-6 (bug #991593)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
- znuny <not-affected> (Fixed before initial upload to Debian)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-13/
@@ -191543,21 +191536,18 @@ CVE-2021-21442 (In the project create screen it's possible to inject malicious J
NOT-FOR-US: OTRS TimeAccounting module
CVE-2021-21441 (There is a XSS vulnerability in the ticket overview screens. It's poss ...)
- otrs2 6.0.32-5 (bug #989992)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
- znuny <not-affected> (Fixed before initial upload to Debian)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-11/
NOTE: Fixed by: https://github.com/znuny/Znuny/commit/48b8d2bc85280d702bd0d21783f5d31e2fa5fa51 (rel-6_0_34)
CVE-2021-21440 (Generated Support Bundles contains private S/MIME and PGP keys if cont ...)
- otrs2 6.0.32-6 (bug #991593)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
- znuny <not-affected> (Fixed before initial upload to Debian)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-10/
NOTE: https://github.com/znuny/Znuny/commit/c5c90087d4187da5c456a80289fa088a19511934 (rel-6_1_1)
CVE-2021-21439 (DoS attack can be performed when an email contains specially designed ...)
- otrs2 6.0.32-5 (bug #989992)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
- znuny <not-affected> (Fixed before initial upload to Debian)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-09/
@@ -192660,7 +192650,6 @@ CVE-2021-21252 (The jQuery Validation Plugin provides drop-in validation for you
- civicrm 5.50.1+dfsg1-1 (bug #980892)
[bullseye] - civicrm <no-dsa> (Minor issue)
- otrs2 6.0.32-4 (bug #980891)
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
- phpmyadmin 4:5.0.4+dfsg2-2
[stretch] - phpmyadmin <no-dsa> (Minor issue; barely an issue in the phpmyadmin package)
@@ -248622,7 +248611,6 @@ CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5
- node-jquery 3.5.0+dfsg-2
[buster] - node-jquery <no-dsa> (Minor issue)
- otrs2 6.0.30-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
NOTE: https://www.drupal.org/sa-core-2020-002
@@ -248637,7 +248625,6 @@ CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0
- drupal7 <removed>
[jessie] - drupal7 <not-affected> (Vulnerable code not embedded)
- otrs2 6.0.30-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
NOTE: https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
@@ -273746,7 +273733,6 @@ CVE-2020-1777 (Agent names that participates in a chat conversation are revealed
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-15/
CVE-2020-1776 (When an agent user is renamed or set to invalid the session belonging ...)
- otrs2 6.0.29-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-13/
NOTE: Fixed in 7.0.18, 6.0.29
@@ -273757,14 +273743,12 @@ CVE-2020-1775 (BCC recipients in mails sent from OTRS are visible in article det
CVE-2020-1774 (When user downloads PGP or S/MIME keys/certificates, exported file has ...)
{DLA-2198-1}
- otrs2 6.0.28-1 (bug #959448)
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-11/
NOTE: Fixed in 7.0.17, 6.0.28
NOTE: OTRS6: https://github.com/OTRS/otrs/commit/ff725cbea77f03fa296bb13f93f5b07086920342
CVE-2020-1773 (An attacker with the ability to generate session IDs or password reset ...)
- otrs2 6.0.27-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
[jessie] - otrs2 <no-dsa> (Too intrusive to backport)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-10/
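Review bot: for CVE-2020-1773 the remaining `[jessie] - otrs2 <no-dsa> (Too intrusive to backport)` line documents that an earlier LTS team judged this fix too intrusive to backport; since DLA-3551-1 now claims CVE-2020-1773 as fixed in buster's 6.0.16-2+deb10u1, it would be worth recording (in the DLA text or a NOTE line) how the fix was carried to 6.0.16 so the two annotations do not read as contradictory. The removal of the buster tag for CVE-2020-1774 in the same hunk matches the DLA list and needs no further change.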
@@ -273774,7 +273758,6 @@ CVE-2020-1773 (An attacker with the ability to generate session IDs or password
CVE-2020-1772 (It's possible to craft Lost Password requests with wildcards in the To ...)
{DLA-2198-1}
- otrs2 6.0.27-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-09/
NOTE: Fixed in 7.0.16, 6.0.27, 5.0.42
@@ -273782,7 +273765,6 @@ CVE-2020-1772 (It's possible to craft Lost Password requests with wildcards in t
NOTE: OTRS5: https://github.com/OTRS/otrs/commit/2628464f659c39fafbc32147d569553eb07d41d7
CVE-2020-1771 (Attacker is able craft an article with a link to the customer address ...)
- otrs2 6.0.27-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
[jessie] - otrs2 <not-affected> (Vulnerable code introduced in later version)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-08/
@@ -273791,7 +273773,6 @@ CVE-2020-1771 (Attacker is able craft an article with a link to the customer add
CVE-2020-1770 (Support bundle generated files could contain sensitive information tha ...)
{DLA-2198-1}
- otrs2 6.0.27-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-07/
NOTE: Fixed in 7.0.16, 6.0.27, 5.0.42
@@ -273799,7 +273780,6 @@ CVE-2020-1770 (Support bundle generated files could contain sensitive informatio
NOTE: OTRS5: https://github.com/OTRS/otrs/commit/d37defe6592992e886cc5cc8fec444d34875fd4d
CVE-2020-1769 (In the login screens (in agent and customer interface), Username and P ...)
- otrs2 6.0.27-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
[jessie] - otrs2 <no-dsa> (https://lists.debian.org/debian-lts/2020/04/msg00040.html)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-06/
@@ -273812,14 +273792,12 @@ CVE-2020-1768 (The external frontend system uses numerous background calls to th
CVE-2020-1767 (Agent A is able to save a draft (i.e. for customer reply). Then Agent ...)
{DLA-2079-1}
- otrs2 6.0.25-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-03/
NOTE: https://github.com/OTRS/otrs/commit/5f488fd6c809064ee49def3a432030258d211570
CVE-2020-1766 (Due to improper handling of uploaded images it is possible in very unl ...)
{DLA-2079-1}
- otrs2 6.0.25-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-02/
NOTE: https://github.com/OTRS/otrs/commit/128078b0bb30f601ed97d4a13906644264ee6013 (OTRS6)
@@ -273827,7 +273805,6 @@ CVE-2020-1766 (Due to improper handling of uploaded images it is possible in ver
CVE-2020-1765 (An improper control of parameters allows the spoofing of the from fiel ...)
{DLA-2079-1}
- otrs2 6.0.25-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-01/
NOTE: https://github.com/OTRS/otrs/commit/d146d4997cbd6e1370669784c6a2ec8d64655252 (OTRS6)
@@ -280855,7 +280832,6 @@ CVE-2019-18181 (In CloudVision Portal all releases in the 2018.1 and 2018.2 Code
NOT-FOR-US: CloudVision Portal
CVE-2019-18180 (Improper Check for filenames with overly long extensions in PostMaster ...)
- otrs2 6.0.24-1 (bug #945251)
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
[jessie] - otrs2 <not-affected> (vulnerable code not present)
NOTE: https://community.otrs.com/security-advisory-2019-15-security-update-for-otrs-framework/
@@ -280864,7 +280840,6 @@ CVE-2019-18180 (Improper Check for filenames with overly long extensions in Post
CVE-2019-18179 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
{DLA-2053-1}
- otrs2 6.0.24-1 (bug #945251)
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/
NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/fa6bf8ceed157f10791f9e199058db79b924c351
@@ -285586,7 +285561,6 @@ CVE-2019-16376
RESERVED
CVE-2019-16375 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
- otrs2 6.0.23-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
[jessie] - otrs2 <no-dsa> (Minor issue)
NOTE: https://community.otrs.com/security-advisory-2019-13-security-update-for-otrs-framework/
@@ -296129,7 +296103,6 @@ CVE-2019-13459
CVE-2019-13458 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
{DLA-1877-1}
- otrs2 6.0.20-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/
NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/69430f260d52e5a7afc185048da0cfc2eef2659a
@@ -298187,7 +298160,6 @@ CVE-2019-12747 (TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserializ
CVE-2019-12746 (An issue was discovered in Open Ticket Request System (OTRS) Community ...)
{DLA-1877-1}
- otrs2 6.0.20-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/fab16a8e54aaf033f460e5f98c673248f29ea49c
@@ -298766,7 +298738,6 @@ CVE-2019-12498 (The WP Live Chat Support plugin before 8.0.33 for WordPress acce
CVE-2019-12497 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
{DLA-1816-1}
- otrs2 6.0.19-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-09-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/f8bcf08dfc5f06915c1352c07e5f626f9b5ecfc2
@@ -299512,7 +299483,6 @@ CVE-2019-12249
CVE-2019-12248 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
{DLA-1816-1}
- otrs2 6.0.19-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-08-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/4e06ef439c33e7d90af16451719415c780e0c29c
@@ -302374,7 +302344,6 @@ CVE-2019-11358 (jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
- node-jquery 2.2.4+dfsg-4 (bug #927466)
- mediawiki 1:1.31.2-1
- otrs2 6.0.26-1
- [buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://www.drupal.org/sa-core-2019-006
NOTE: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[31 Aug 2023] DLA-3551-1 otrs2 - security update
+ {CVE-2019-11358 CVE-2019-12248 CVE-2019-12497 CVE-2019-12746 CVE-2019-13458 CVE-2019-16375 CVE-2019-18179 CVE-2019-18180 CVE-2020-1765 CVE-2020-1766 CVE-2020-1767 CVE-2020-1769 CVE-2020-1770 CVE-2020-1771 CVE-2020-1772 CVE-2020-1773 CVE-2020-1774 CVE-2020-1776 CVE-2020-11022 CVE-2020-11023 CVE-2021-21252 CVE-2021-21439 CVE-2021-21440 CVE-2021-21441 CVE-2021-21443 CVE-2021-36091 CVE-2021-36100 CVE-2021-41182 CVE-2021-41183 CVE-2021-41184 CVE-2022-4427 CVE-2023-38060}
+ [buster] - otrs2 6.0.16-2+deb10u1
[30 Aug 2023] DLA-3550-1 opendmarc - security update
[buster] - opendmarc 1.3.2-6+deb10u4
[29 Aug 2023] DLA-3549-1 ring - security update
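Review bot: the CVE set on the new DLA-3551-1 line includes CVE-2023-38060, but no hunk in data/CVE/list in this commit touches that CVE, while every other CVE in the set has a corresponding buster-tag removal there; please confirm that CVE-2023-38060's entry carries no `[buster] - otrs2 <no-dsa>` or `<ignored>` tag, otherwise the tracker would show the CVE as both fixed by the DLA and unsupported in buster. The `[31 Aug 2023]` date agrees with the commit timestamp (2023-08-31T00:50:10+02:00) and the list is in ascending CVE order, so no change is needed there.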
=====================================
data/dla-needed.txt
=====================================
@@ -131,12 +131,6 @@ orthanc (gladk)
NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41
NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk)
--
-otrs2 (guilhem)
- NOTE: 20230811: Added by Front-Desk (Beuc)
- NOTE: 20230811: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/32
- NOTE: 20230811: Lots of CVEs have been marked no-dsa or ignored (Non-free not supported),
- NOTE: 20230811: but this is a sponsored package, so they need to be fixed. (Beuc/front-desk)
---
php7.3 (guilhem)
NOTE: 20230820: Added by Front-Desk (ta)
--
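Review bot: the removed front-desk NOTE (`Lots of CVEs have been marked no-dsa or ignored (Non-free not supported), but this is a sponsored package, so they need to be fixed.`) is the only place in the tracker that explains why the buster tags were reversed in data/CVE/list for otrs2 alone while the bullseye and stretch `Non-free not supported` tags remain; since this entry disappears together with the rationale, consider restating that reasoning in the DLA text or the package changelog so later readers of the CVE list can see why buster was treated differently.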
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec73b88ae36dbfa04ba1e1759eef46a9befa7789