lp:debian/squeeze/otrs2

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:debian/squeeze/otrs2

Branch information

Owner:
Ubuntu branches
Status:
Mature

Recent revisions

42. By Patrick Matthäi <email address hidden>

* Add patch 23-security-osa-2014-01 which fixes CVE-2014-1694, also known as
  OSA-2014-01:
  An attacker that managed to take over the session of a logged in customer
  could create tickets and/or send follow-ups to existing tickets due to
  missing challenge token checks.
* Add patch 24-security-osa-2014-02 which fixes CVE-2014-1471, also known as
  OSA-2014-02:
  An attacker with a valid customer or agent login could inject SQL in
  the ticket search URL.

41. By Patrick Matthäi <email address hidden>

[ Salvatore Bonaccorso ]
* Add 19-security-osa-2012-03.diff patch.
  CVE-2012-4751: Fix XSS vulnerability. An attacker could send a specially
  prepared HTML email to OTRS which would cause JavaScript code to be
  executed in the user's browser while displaying the email.
* Add 20-security-osa-2013-01.diff.
  CVE-2013-2625: Fix privilege escalation in object linking handling. An
  attacker with a valid agent login could manipulate URLs in the object
  linking mechanism to see titles of tickets and other objects that are
  not obliged to be seen. Furthermore, links to objects without permission
  can be placed and removed.

[ Patrick Matthäi ]
* Add 21-security-osa-2013-04.diff.
  CVE-2013-4088: An attacker with a valid agent login could manipulate URLs
  in the ticket watch mechanism to see contents of tickets they are not
  permitted to see.
* Add 22-security-osa-2013-05.diff.
  CVE-2013-4717: An attacker with a valid agent login could manipulate URLs
  leading to SQL injection.

40. By Patrick Matthäi <email address hidden>

* Add upstream patch 17-security-osa-2012-01 from OSA-2012-01, which fixes a
  XSS vulnerability described in CVE-2012-2582 when using the Internet
  Explorer on viewing e-mails.
* Add upstream patch 18-security-tag-nesting to improve HTML security to
  detect tag nesting.

39. By Patrick Matthäi <email address hidden>

[ Thomas Mueller ]
* Add security patch:
  - 16-security-osa-2011-01.diff
    * Title: Several XSS attacks possible
    * CVE: CVE-2011-1518
    * Upstream information: http://otrs.org/advisory/OSA-2011-01-en/

[ Patrick Matthäi ]
* Fix bug with upgrades from Lenny to Squeeze, because of a missing sanity
  check in preinst.
  Closes: #625605

38. By Patrick Matthäi <email address hidden>

* Change debian/watch, to only show 2.x.x releases.
* Do not rely on umask. Set the needed mode explicitly in debian/postinst.

37. By Patrick Matthäi <email address hidden>

* Fix an error (unknown command in postinst) with initial installations, if
  postgres is used as backend. Thanks to Munroe Sollog for providing
  additional information.
* ZZZAuto.pm is not available with new installations, where OTRS later fails.
  Again much thanks to Munroe Sollog for helping to debug and test it!
  Closes: #601734

36. By Patrick Matthäi <email address hidden>

* New upstream release.
  - Fixes a XSS attack in AgentTicketZoom from HTML e-mails described in
    OSA-2010-03.

35. By Patrick Matthäi <email address hidden>

* New upstream bugfix releases.
  - Refreshed patches 13-dont-chown-links.diff and 05-opt.diff.
  - Fixes multiple XSS and denial of service vulnerabilities mentioned in
    OSA-2010-02.

34. By Patrick Matthäi <email address hidden>

* Strip out yui from the source in the dfsg version.
  Closes: #591196
* Depend on libjs-yui and link to this package, instead of using the embedded
  yui version. This change makes the flash ticket statistics unusable!
  Closes: #592146

33. By Patrick Matthäi <email address hidden>

* Bump Standards-Version to 3.9.1 (no changes needed).
* Remove quilt from build depends.
* Move libdbd-mysql-perl | libdbd-pg-perl, libgd-text-perl and
  libgd-graph-perl packages from recommends to depends.
  Closes: #591003
* Replace hardcoded perl dependency with ${perl:Depends}.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:debian/otrs2
This branch contains Public information 
Everyone can see this information.
