Author: Patrick Matthäi
Revision Date: 2015-10-01 14:57:24 UTC

New upstream release.

Author: Patrick Matthäi
Revision Date: 2015-10-01 14:57:24 UTC

New upstream release.

Author: Patrick Matthäi
Revision Date: 2015-04-13 19:20:40 UTC

* New upstream release.
  - Refresh hunky patch 08-usable-apache-config.
* Merge 3.3.9-3~bpo70+1 changelog.
* Also add virtual-mysql-server to suggests.
  Closes: #781975

Author: Patrick Matthäi
Revision Date: 2015-01-07 10:11:37 UTC

Add patch 37-CVE-2014-9324 which fixes CVE-2014-9324, also known as
OSA-2014-06:
An attacker with valid OTRS credentials could access and manipulate ticket
data of other users via the GenericInterface, if a ticket webservice is
configured and not additionally secured.

Author: Patrick Matthäi
Revision Date: 2014-12-18 19:02:56 UTC

Add patch 16-CVE-2014-9324.diff which fixes CVE-2014-9324, also known as
OSA-2014-06:
An attacker with valid OTRS credentials could access and manipulate ticket
data of other users via the GenericInterface, if a ticket webservice is
configured and not additionally secured.

Author: Patrick Matthäi
Revision Date: 2014-02-20 13:33:07 UTC

* Add patch 23-security-osa-2014-01 which fixes CVE-2014-1694, also known as
  OSA-2014-01:
  An attacker that managed to take over the session of a logged in customer
  could create tickets and/or send follow-ups to existing tickets due to
  missing challenge token checks.
* Add patch 24-security-osa-2014-02 which fixes CVE-2014-1471, also known as
  OSA-2014-02:
  An attacker with a valid customer or agent login could inject SQL in
  the ticket search URL.

Author: Patrick Matthäi
Revision Date: 2010-02-08 00:03:27 UTC

* Added patch fix-sql-injection.diff, which adds missing security quoting in
  SQL statements. Authenticated users may become administrative privileges.
  This fixes CVE-2010-0438.
* Change maintainer also in security upload (for further users questions).