Hello community, here is the log from the commit of package otrs for openSUSE:Factory checked in at 2019-07-02 15:18:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/otrs (Old) and /work/SRC/openSUSE:Factory/.otrs.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "otrs" Tue Jul 2 15:18:17 2019 rev:64 rq:712523 version:6.0.19 Changes: -------- --- /work/SRC/openSUSE:Factory/otrs/otrs.changes 2019-03-26 15:40:51.668290233 +0100 +++ /work/SRC/openSUSE:Factory/.otrs.new.4615/otrs.changes 2019-07-02 15:18:23.886740556 +0200 
@@ -1,0 +2,63 @@ +Sat Jun 29 10:55:31 UTC 2019 - chris@computersalat.de + +- Update to 6.0.19 + https://community.otrs.com/release-notes-otrs-6-patch-level-19/ +- fix for boo#1137614 + * (CVE-2019-12497, OSA-2019-09) + Information Disclosure + In the customer or external frontend, personal information of agents + can be disclosed like Name and mail address in external notes. +- fix for boo#1137615 + * (CVE-2019-12248, OSA-2019-08) + Loading External Image Resources + An attacker could send a malicious email to an OTRS system. If a + logged in agent user quotes it, the email could cause the browser + to load external image resources. +- Update to 6.0.18 + https://community.otrs.com/release-notes-otrs-6-patch-level-18/ +- fix for boo#1139406 + * (CVE-2019-10066, OSA-2019-06) + Stored XSS + An attacker who is logged into OTRS as an agent with appropriate + permissions may create a carefully crafted calendar appointment + in order to cause execution of JavaScript in the context of OTRS. +- fix for boo#1139406 + * (CVE-2019-10067, OSA-2019-05) + Reflected and Stored XSS + An attacker who is logged into OTRS as an agent user with appropriate + permissions may manipulate the URL to cause execution of JavaScript + in the context of OTRS. +- fix for boo#1139406 + * (CVE-2019-9892, OSA-2019-04) + XXE Processing + An attacker who is logged into OTRS as an agent user with appropriate + permissions may try to import carefully crafted Report Statistics XML + that will result in reading of arbitrary files of OTRS filesystem. +- Update to 6.0.17 + https://community.otrs.com/release-notes-otrs-6-patch-level-17/ +- fix for boo#1129755 + * (CVE-2019-9751, OSA-2019-02) + XSS + An attacker who is logged into OTRS as an admin user may manipulate + the URL to cause execution of JavaScript in the context of OTRS. 
+- rebase otrs-perm_test.patch + +------------------------------------------------------------------- +Sat Jun 22 22:33:42 UTC 2019 - chris@computersalat.de + +- fix changes file (chronological order) +- update missing CVE for OSA-2018-10, OSA-2019-01 + +------------------------------------------------------------------- +Fri Feb 22 07:29:57 UTC 2019 - Franck Bui <fbui@suse.com> + +- Drop use of $FIRST_ARG in .spec + + The use of $FIRST_ARG was probably required because of the + %service_* rpm macros were playing tricks with the shell positional + parameters. This is bad practice and error prones so let's assume + that no macros should do that anymore and hence it's safe to assume + that positional parameters remains unchanged after any rpm macro + call. + +------------------------------------------------------------------- @@ -24 +87 @@ - * (CVE-n/a, OSA-2019-01) + * (CVE-2019-9752, OSA-2019-01) @@ -62 +125 @@ - * (CVE-n/a, OSA-2018-10) + * (CVE-2018-20800, OSA-2018-10) Old: ---- itsm-6.0.16.tar.bz2 otrs-6.0.16.tar.bz2 New: ---- itsm-6.0.19.tar.bz2 otrs-6.0.19.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ otrs.spec ++++++ --- /var/tmp/diff_new_pack.hJmjPs/_old 2019-07-02 15:18:26.354744345 +0200 +++ /var/tmp/diff_new_pack.hJmjPs/_new 2019-07-02 15:18:26.358744352 +0200 @@ -23,8 +23,8 @@ Name: otrs -%define otrs_ver 6.0.16 -%define itsm_ver 6.0.16 +%define otrs_ver 6.0.19 +%define itsm_ver 6.0.19 %define itsm_min 6 %define otrs_root /srv/%{name} %define otrsdoc_dir_files AUTHORS* CHANGES* COPYING* CREDITS README* UPGRADING.SUSE doc @@ -343,7 +343,7 @@ /usr/sbin/a2enmod version >/dev/null %endif # Update ? -if [ ${FIRST_ARG:-0} -gt 1 ]; then +if [ $1 -gt 1 ]; then # OTRS_ROOT changed from /opt to /srv if [ -f /opt/%{name}/Kernel/Config.pm.rpmsave ]; then mv /opt/%{name}/Kernel/Config.pm.rpmsave %{otrs_root}/Kernel/ 
@@ -355,7 +355,7 @@ fi fi # if rpm is not in update mode -if ! [ ${FIRST_ARG:-0} -gt 1 ]; then +if ! [ $1 -gt 1 ]; then if [ -z "${YAST_IS_RUNNING}" ]; then if [ -n "$LC_ALL" ]; then lang="$LC_ALL" ++++++ itsm-6.0.16.tar.bz2 -> itsm-6.0.19.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/otrs/itsm-6.0.16.tar.bz2 /work/SRC/openSUSE:Factory/.otrs.new.4615/itsm-6.0.19.tar.bz2 differ: char 11, line 1 ++++++ otrs-6.0.16.tar.bz2 -> otrs-6.0.19.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/otrs/otrs-6.0.16.tar.bz2 /work/SRC/openSUSE:Factory/.otrs.new.4615/otrs-6.0.19.tar.bz2 differ: char 11, line 1 ++++++ otrs-perm_test.patch ++++++ --- /var/tmp/diff_new_pack.hJmjPs/_old 2019-07-02 15:18:26.518744597 +0200 +++ /var/tmp/diff_new_pack.hJmjPs/_new 2019-07-02 15:18:26.518744597 +0200 @@ -2,7 +2,7 @@ =================================================================== --- Kernel/System/Package.pm.orig +++ Kernel/System/Package.pm -@@ -4319,7 +4319,6 @@ sub _FileSystemCheck { +@@ -4321,7 +4321,6 @@ sub _FileSystemCheck { } my @Filepaths = (
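Review bot: In the otrs.changes hunk (@@ -1,0 +2,63 @@), the three fixes listed under "Update to 6.0.18" (CVE-2019-10066, CVE-2019-10067, CVE-2019-9892) all cite boo#1139406, while the 6.0.19 and 6.0.17 fixes each carry their own bug number. If boo#1139406 is a single tracking bug for all three, list it once with the three CVE/OSA pairs beneath it; otherwise reference the individual bugs so each CVE can be traced separately.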
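Review bot: In otrs.spec at the "# Update ?" test (@@ -343,7 +343,7 @@), `if [ $1 -gt 1 ]; then` drops the `:-0` default that `${FIRST_ARG:-0}` had and leaves `$1` unquoted, so an empty or unset argument makes `[` fail with an error instead of comparing as 0. Suggest `if [ "${1:-0}" -gt 1 ]; then`, which still uses the positional parameter directly, as the changelog entry intends, but keeps the old fallback.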
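Review bot: In otrs.spec at the "# if rpm is not in update mode" test (@@ -355,7 +355,7 @@), `if ! [ $1 -gt 1 ]; then` negates the exit status of `[`, so a test that errors out (empty or non-numeric `$1`) is indistinguishable from "not an update" and the branch it guards runs anyway. Suggest stating the condition positively with a quoted, defaulted argument, for example `if [ "${1:-0}" -le 1 ]; then`, so only a successful comparison selects that branch.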