Hello community,
here is the log from the commit of package otrs for openSUSE:Factory checked in at 2019-07-02 15:18:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/otrs (Old)
and /work/SRC/openSUSE:Factory/.otrs.new.4615 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "otrs"
Tue Jul 2 15:18:17 2019 rev:64 rq:712523 version:6.0.19
Changes:
--------
--- /work/SRC/openSUSE:Factory/otrs/otrs.changes 2019-03-26 15:40:51.668290233 +0100
+++ /work/SRC/openSUSE:Factory/.otrs.new.4615/otrs.changes 2019-07-02 15:18:23.886740556 +0200
@@ -1,0 +2,63 @@
+Sat Jun 29 10:55:31 UTC 2019 - chris@computersalat.de
+
+- Update to 6.0.19
+ https://community.otrs.com/release-notes-otrs-6-patch-level-19/
+- fix for boo#1137614
+ * (CVE-2019-12497, OSA-2019-09)
+ Information Disclosure
+ In the customer or external frontend, personal information of agents
+ can be disclosed like Name and mail address in external notes.
+- fix for boo#1137615
+ * (CVE-2019-12248, OSA-2019-08)
+ Loading External Image Resources
+ An attacker could send a malicious email to an OTRS system. If a
+ logged in agent user quotes it, the email could cause the browser
+ to load external image resources.
+- Update to 6.0.18
+ https://community.otrs.com/release-notes-otrs-6-patch-level-18/
+- fix for boo#1139406
+ * (CVE-2019-10066, OSA-2019-06)
+ Stored XSS
+ An attacker who is logged into OTRS as an agent with appropriate
+ permissions may create a carefully crafted calendar appointment
+ in order to cause execution of JavaScript in the context of OTRS.
+- fix for boo#1139406
+ * (CVE-2019-10067, OSA-2019-05)
+ Reflected and Stored XSS
+ An attacker who is logged into OTRS as an agent user with appropriate
+ permissions may manipulate the URL to cause execution of JavaScript
+ in the context of OTRS.
+- fix for boo#1139406
+ * (CVE-2019-9892, OSA-2019-04)
+ XXE Processing
+ An attacker who is logged into OTRS as an agent user with appropriate
+ permissions may try to import carefully crafted Report Statistics XML
+ that will result in reading of arbitrary files of OTRS filesystem.
+- Update to 6.0.17
+ https://community.otrs.com/release-notes-otrs-6-patch-level-17/
+- fix for boo#1129755
+ * (CVE-2019-9751, OSA-2019-02)
+ XSS
+ An attacker who is logged into OTRS as an admin user may manipulate
+ the URL to cause execution of JavaScript in the context of OTRS.
+- rebase otrs-perm_test.patch
+
+-------------------------------------------------------------------
+Sat Jun 22 22:33:42 UTC 2019 - chris@computersalat.de
+
+- fix changes file (chronological order)
+- update missing CVE for OSA-2018-10, OSA-2019-01
+
+-------------------------------------------------------------------
+Fri Feb 22 07:29:57 UTC 2019 - Franck Bui
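Review bot: The Jun 22 entry's line "update missing CVE for OSA-2018-10, OSA-2019-01" names the advisories but not the CVE identifiers, so a search of this changelog by CVE number will not find it. Spell the ids out on that line in the same "(CVE-..., OSA-...)" form the Jun 29 entry uses. In the Jun 29 entry, the fixes for CVE-2019-10066, CVE-2019-10067 and CVE-2019-9892 each repeat "fix for boo#1139406". If one bug really tracks all three, a single "fix for boo#1139406" bullet with the three advisories as sub-items would read more clearly. If they have separate bugs, the references need correcting. The same entry also folds the 6.0.18 and 6.0.17 updates in under one date, and the OSA numbers listed run 02, 04, 05, 06, 08, 09. It is worth confirming against the linked release notes whether OSA-2019-03 and OSA-2019-07 apply to this package and were left out.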