-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 20 Aug 2023 13:02:36 +0200
Source: otrs2
Architecture: source
Version: 6.0.16-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 945251 959448 980891 989992 991593
Changes:
 otrs2 (6.0.16-2+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * Fix CVE-2019-11358 (OSA-2020-05): Prototype Pollution vulnerability in
     embedded jQuery 3.2.1 could allow sending drafted messages as wrong agent.
   * Fix CVE-2019-12248 (OSA-2019-08): An attacker could send a malicious email
     to an OTRS system. If a logged in agent user quotes it, the email could
     cause the browser to load external image resources.
   * Fix CVE-2019-12497 (OSA-2019-09): In the customer or external frontend,
     personal information of agents, like Name and mail address in external
     notes, could be disclosed.
   * Fix CVE-2019-12746 (OSA-2019-10): A user logged into OTRS as an agent
     might unknowingly disclose their session ID by sharing the link of an
     embedded ticket article with third parties. This identifier can then
     potentially be abused in order to impersonate the agent user.
   * Fix CVE-2019-13458 (OSA-2019-12): An attacker who is logged into OTRS as
     an agent user with appropriate permissions can leverage OTRS tags in
     templates in order to disclose hashed user passwords.
   * Fix CVE-2019-16375 (OSA-2019-13): An attacker who is logged into OTRS as
     an agent or customer user with appropriate permissions can create a
     carefully crafted string containing malicious JavaScript code as an
     article body. This malicious code is executed when an agent composes an
     answer to the original article.
   * Fix CVE-2019-18179 (OSA-2019-14): An attacker who is logged into OTRS as
     an agent is able to list tickets assigned to other agents, which are in
     the queue where the attacker doesn't have permissions. (Closes: #945251)
   * Fix CVE-2019-18180 (OSA-2019-15): OTRS can be put into an endless loop by
     providing filenames with overly long extensions. This applies to the
     PostMaster (sending in email) and also upload (attaching files to mails,
     for example). (Closes: #945251)
   * Fix CVE-2020-1765 (OSA-2020-01): An improper control of parameters allows
     the spoofing of the from fields of the following screens:
     AgentTicketCompose, AgentTicketForward, AgentTicketBounce and
     AgentTicketEmailOutbound.
   * Fix CVE-2020-1766 (OSA-2020-02): Due to improper handling of uploaded
     images it is possible in very unlikely and rare conditions to force the
     agent's browser to execute malicious javascript from a specially crafted
     SVG file rendered as inline jpg file.
   * Fix CVE-2020-1767 (OSA-2020-03): Agent A is able to save a draft (i.e.,
     for customer reply). Then Agent B can open the draft, change the text
     completely and send it in the name of Agent A. For the customer it will
     not be visible that the message was sent by another agent.
   * Fix CVE-2020-1769 (OSA-2020-06): In the login screens (in agent and
     customer interface), Username and Password fields use autocomplete,
     which might be considered as security issue.
   * Fix CVE-2020-1770 (OSA-2020-07): Support bundle generated files could
     contain sensitive information that might be unwanted to be disclosed.
   * Fix CVE-2020-1771 (OSA-2020-08): An attacker is able to craft an article
     with a link to the customer address book with malicious content
     (JavaScript). When the agent opens the link, JavaScript code is executed
     due to the missing parameter encoding.
   * Fix CVE-2020-1772 (OSA-2020-09): It is possible to craft Lost Password
     requests with wildcards in the Token value, which allows an attacker to
     retrieve valid Token(s), generated by users which already requested new
     passwords.
   * Fix CVE-2020-1773 (OSA-2020-10): An attacker with the ability to generate
     session IDs or password reset tokens, either by being able to
     authenticate or by exploiting CVE-2020-1772, may be able to predict other
     users' session IDs, password reset tokens and automatically generated
     passwords. The fix adds 'libmath-random-secure-perl' to otrs2's Depends.
   * Fix CVE-2020-1774 (OSA-2020-11): When a user downloads PGP or S/MIME
     keys/certificates, the exported file has the same name for private and
     public keys. It is therefore possible to mix them and to send the private
     key to the third party instead of the public key. (Closes: #959448)
   * Fix CVE-2020-1776 (OSA-2020-13): When an agent user is renamed or set to
     invalid, the session belonging to the user is kept active. The session
     can not be used to access ticket data in the case the agent is invalid.
   * Fix CVE-2020-11022 (OSA-2020-14): Potential XSS vulnerability in embedded
     jQuery 3.2.1's htmlPrefilter and related methods. The fix requires
     patching embedded copies of fullcalendar (3.4.0), fullcalendar-scheduler
     (1.6.2) and spectrum (1.8.0).
   * Fix CVE-2020-11023 (OSA-2020-14): Potential XSS vulnerability in embedded
     jQuery 3.2.1 when appending HTML containing option elements.
   * Fix CVE-2021-21252: Regular Expression Denial of Service (ReDoS)
     vulnerability in embedded jQuery-validate 1.16.0. (Closes: #980891)
   * Fix CVE-2021-21439 (OSA-2021-09/ZSA-2021-03): A DoS attack can be
     performed when an email contains a specially designed URL in the body.
     It can lead to high CPU usage and cause low quality of service, or in
     extreme cases bring the system to a halt. (Closes: #989992)
   * Fix CVE-2021-21440 (OSA-2021-10/ZSA-2021-08): Generated Support Bundles
     contain private S/MIME and PGP keys if the containing folder is not
     hidden. Also secrets and PINs for the keys are not masked properly.
     (Closes: #991593)
   * Fix CVE-2021-21441 (OSA-2021-11/ZSA-2021-06): There is an XSS
     vulnerability in the ticket overview screens. It is possible to collect
     various information by having an e-mail shown in the overview screen. An
     attack can be performed by sending a specially crafted e-mail to the
     system and it does not require any user interaction. (Closes: #989992)
   * Fix CVE-2021-21443 (OSA-2021-13/ZSA-2021-09): Agents are able to list
     customer user emails without required permissions in the bulk action
     screen. (Closes: #991593)
   * Fix CVE-2021-36091 (OSA-2021-14/ZSA-2021-10): Agents are able to list
     appointments in the calendars without required permissions.
     (Closes: #991593)
   * Fix CVE-2021-36100 (ZSA-2022-02): A specially crafted string in the
     system configuration allows execution of arbitrary system commands.
   * Fix CVE-2021-41182 (ZSA-2022-01): XSS vulnerability in the `altField`
     option of the Datepicker widget in embedded jQuery-UI 1.12.1.
   * Fix CVE-2021-41183 (ZSA-2022-01): XSS vulnerability in `*Text` options
     of the Datepicker widget in embedded jQuery-UI 1.12.1.
   * Fix CVE-2021-41184 (ZSA-2022-01): XSS vulnerability in the `of` option
     of the `.position()` util in embedded jQuery-UI 1.12.1.
   * Fix CVE-2022-4427 (ZSA-2022-07): SQL injection vulnerability in
     Kernel::System::Ticket::TicketSearch, which can be exploited using the
     web service operation "TicketSearch".
   * Fix CVE-2023-38060: Improper Input Validation vulnerability in the
     ContentType parameter for attachments on TicketCreate or TicketUpdate
     operations.
   * Install empty var/log directory with dh_installdirs not dh_install.
   * Add DEP-8 tests with upstream's unit tests and (disabled in debci due to
     flakiness and Policy reasons) Selenium tests.
   * Update S/MIME unit test certificates with the ones from Znuny 6.0.44.
     The old ones were failing tests as they had expired.
Checksums-Sha1:
 cd7937f1849914965b7a23104a0bea3a18dc825f 2390 otrs2_6.0.16-2+deb10u1.dsc
 90d9749f6b8705712aa02094b49b556c2f6999b9 25013240 otrs2_6.0.16.orig.tar.bz2
 ceaf95a01a78a9daa1a81d490a7f860f3f5d65e0 374092 otrs2_6.0.16-2+deb10u1.debian.tar.xz
 d8127a2a97e16ad973c9c0065ea91c2c19c3fe39 5800 otrs2_6.0.16-2+deb10u1_amd64.buildinfo
Checksums-Sha256:
 09aaa22dc816c34b6b71f2127daadd52505d001c6c9f0c8367d4b5f58d11f5c8 2390 otrs2_6.0.16-2+deb10u1.dsc
 7ec2e235bc0312b1be61b1707ce7d68db8a791e4b9d276e9af8157892969ffcd 25013240 otrs2_6.0.16.orig.tar.bz2
 0ca863e96f23b409e7ddc57451a675387d56d82609ce8d74bcda217b6354e83d 374092 otrs2_6.0.16-2+deb10u1.debian.tar.xz
 fb21a489b8a436871e4183752b14749746d4ff48630d9f06b4f22e738d1aa6d3 5800 otrs2_6.0.16-2+deb10u1_amd64.buildinfo
Files:
 825da45587977bb0201b076a0061c3c0 2390 non-free/web optional otrs2_6.0.16-2+deb10u1.dsc
 5edd2d4c51cb11b87e77d6482dcac2fc 25013240 non-free/web optional otrs2_6.0.16.orig.tar.bz2
 ea8ff9098509ad6502766ef5f1d05931 374092 non-free/web optional otrs2_6.0.16-2+deb10u1.debian.tar.xz
 de476bc179574847b39e9c617cbef4bb 5800 non-free/web optional otrs2_6.0.16-2+deb10u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmTiALQACgkQ05pJnDwh
pVIv6A/+KKnBiVV5SZpqzwZfrQbcqrqRLLwJTSTlMyGddQOYVLG/h3nkUoJftdSH
a8e0pLHM3EnRXw9idSmnugJ/hp7XpOsNH9/4XnknC9PNql/RmkGEygCccxcEkbpG
4HlJS4+nYYaJ9DdNemqGvjcTR6PYcKhXQm5ULd0GYuW6IufawN0QC9G87QKvZHi+
oPSptGmibOlPl91L5gsh9sBup3Qu5nuhurGN3dQ7BJYMShmELCKRj6itqDKRTI+K
hw9Rbv2UEaeTEVQLPQrF/5WVtfKGCkqDDa12NnKrJ1gYdTlrRahNEFbxAud/x/F1
lcOtr8HOXXTc034awlvmjo3UfeBuMKJukr9hvnKBaL5zGocGiDWkN/+v66zVERWA
fk5F8Cu7KIgoPL08obLAhiLgo+20ywEMkFi4ZEthE9t02H5vfYpg5ZRoKthShECX
q4CyHup+rgWYuDpxNg4h7DuRyqKgDlCBUuJCsDtIqQFfJs3yfsASPr9sRFH+tT52
hkUQiPmAefOKu+aktRa9gz4HiMhYcbOEuywZuoNcG6QYESclyeFZxd4uEYF6+Smv
rO85pYdtOqhq7hYOo7N5Qw9z0So7Mmsv4EF1R9Nf0lL90lb1WbL7FFcmmdUouvw6
N9NL6r8GyDkQXhybJ+0j13zmwwbB0+l8N7CPacu15K+8+iwIgBE=
=l1Rt
-----END PGP SIGNATURE-----