otrs2: CVE-2021-36096 CVE-2021-36095 CVE-2021-36094 CVE-2021-36093


Debian Bug report logs - #993846


Package: otrs2; Maintainer for otrs2 is Patrick Matthäi <pmatthaei@debian.org>; Source for otrs2 is src:otrs2 (PTS, buildd, popcon).

Reported by: Neil Williams <codehelp@debian.org>

Date: Tue, 7 Sep 2021 07:51:01 UTC

Severity: important

Tags: security, upstream

Found in version otrs2/6.0.36-2



Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#993846; Package otrs2. (Tue, 07 Sep 2021 07:51:03 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Tue, 07 Sep 2021 07:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: otrs2: CVE-2021-36096 CVE-2021-36095 CVE-2021-36094 CVE-2021-36093
Date: Tue, 07 Sep 2021 08:49:04 +0100
Package: otrs2
Version: 6.0.36-2
Severity: important
Tags: security upstream


Hi,

The following vulnerabilities were published for otrs2. Couldn't
find any Znuny references yet.

CVE-2021-36096[0]
Generated Support Bundles contain private S/MIME and PGP keys if the
containing folder is not hidden. This issue affects: OTRS AG ((OTRS))
Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS
7.0.x version 7.0.28 and prior versions; 8.0.x version 8.0.15 and prior
versions.
https://otrs.com/release-notes/otrs-security-advisory-2021-10/

CVE-2021-36095[1]
A malicious attacker is able to find out valid user logins by using the
"lost password" feature. This issue affects: OTRS AG ((OTRS)) Community
Edition version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version
7.0.28 and prior versions.
https://otrs.com/release-notes/otrs-security-advisory-2021-18/

CVE-2021-36094[2]
It's possible to craft a request for the appointment edit screen, which
could lead to an XSS attack. This issue affects: OTRS AG ((OTRS))
Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS
7.0.x version 7.0.28 and prior versions.
https://otrs.com/release-notes/otrs-security-advisory-2021-17/

CVE-2021-36093[3]
It's possible to create an email which can get stuck while being
processed by PostMaster filters, causing a DoS. This issue affects: OTRS
AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions.
OTRS AG OTRS 7.0.x version 7.0.28 and prior versions; 8.0.x version
8.0.15 and prior versions.
https://otrs.com/release-notes/otrs-security-advisory-2021-16/

[0] https://security-tracker.debian.org/tracker/CVE-2021-36096
	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36096

[1] https://security-tracker.debian.org/tracker/CVE-2021-36095
	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36095

[2] https://security-tracker.debian.org/tracker/CVE-2021-36094
	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36094

[3] https://security-tracker.debian.org/tracker/CVE-2021-36093
	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36093


-- System Information:
Debian Release: 10.10
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-17-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
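The support-bundle issue (CVE-2021-36096) reported above is a secret-leakage problem on the operator's side, so a practical check before handing a bundle to anyone is to scan the archive for private key material. The following Python script is an added example, not code from the bug report or from OTRS; the bundle layout, file names and file contents it builds are constructed for illustration only.

```python
import io
import re
import tarfile

# Headers that mark private key material: PEM/PKCS#8 keys as used for S/MIME
# and ASCII-armored PGP secret keys.
PRIVATE_KEY_MARKERS = [
    re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"),
    re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
]
# Binary containers that hold secret keys without a textual marker (GnuPG secret keyrings, PKCS#12).
SECRET_FILENAMES = re.compile(r"(secring\.gpg|private-keys-v1\.d/[^/]+\.key|\.p12|\.pfx)$")


def find_private_keys(bundle_bytes: bytes) -> list[str]:
    """Return names of archive members that appear to contain private key material."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(bundle_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if SECRET_FILENAMES.search(member.name):
                hits.append(member.name)
                continue
            head = tar.extractfile(member).read(65536)  # armor headers sit at the top
            if any(marker.search(head) for marker in PRIVATE_KEY_MARKERS):
                hits.append(member.name)
    return sorted(hits)


def build_sample_bundle() -> bytes:
    """Constructed sample (not a real OTRS export): config and logs plus three leaked key files."""
    files = {
        "bundle/Kernel/Config.pm": b"# constructed config\n$Self->{SecureMode} = 1;\n",
        "bundle/var/log/otrs.log": b"constructed log line\n",
        "bundle/var/ssl/private/smime.key": b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n",
        "bundle/.gnupg/secring.gpg": b"\x95\x01constructed binary keyring",
        "bundle/.gnupg/pubring.gpg": b"\x99\x01constructed public keyring",
        "bundle/keys/backup.asc": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nlQ...constructed...\n-----END PGP PRIVATE KEY BLOCK-----\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_private_keys(build_sample_bundle()):
        print("private key material:", name)
```

Run it against a real bundle by passing the file's bytes to `find_private_keys`; any hit means the bundle must be regenerated or redacted before it leaves the host, and the exposed keys should be treated as compromised if it already has.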





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Sep 7 16:20:57 2021; Machine Name: buxtehude
