otrs-5.0.42-bp150.2.10.1

- Update to 6.0.27
  https://community.otrs.com/otrs-community-edition-6-patch-level-27/
- fix for
  * boo#1168029 (CVE-2020-1773, OSA-2020-10)
    Session / Password / Password token leak
    An attacker with the ability to generate session IDs or password
    reset tokens, either by being able to authenticate or by exploiting
    OSA-2020-09, may be able to predict other users session IDs,
    password reset tokens and automatically generated passwords.
  * boo#1168029 (CVE-2020-1772, OSA-2020-09)
    Information Disclosure
    It’s possible to craft Lost Password requests with wildcards in
    the Token value, which allows attacker to retrieve valid Token(s),
    generated by users which already requested new passwords.
  * boo#1168030 (CVE-2020-1771, OSA-2020-08)
    Possible XSS in Customer user address book
    Attacker is able craft an article with a link to the customer
    address book with malicious content (JavaScript). When agent opens
    the link, JavaScript code is executed due to the missing parameter
    encoding.
  * boo#1168031 (CVE-2020-1770, OSA-2020-07)
    Information disclosure in support bundle files
    Support bundle generated files could contain sensitive information
    that might be unwanted to be disclosed.
  * boo#1168032 (CVE-2020-1769, OSA-2020-06)
    Autocomplete in the form login screens
    In the login screens (in agent and customer interface), Username
    and Password fields use autocomplete, which might be considered
    as security issue.
- Update to 6.0.26
  https://community.otrs.com/otrs-community-edition-6-patch-level-26/
  * (CVE-2019-11358, OSA-2020-05)
    Possible to send drafted messages as wrong agent
    OTRS use jquery version 3.2.1, which is vulnerable to the prototype
    pollution attack. For more information, please read following
    article https://snyk.io/test/npm/jquery/3.2.1

- Update to 6.0.25
  https://community.otrs.com/otrs-community-edition-6-patch-level-25/
- fix for boo#1160663
  * (CVE-2020-1767, OSA-2020-03)
    Possible to send drafted messages as wrong agent
    Agent A is able to save a draft (i.e. for customer reply). Then
    Agent B can open the draft, change the text completely and send
    it in the name of Agent A. For the customer it will not be
    visible that the message was sent by another agent.
  * (CVE-2020-1766, OSA-2020-02)
    Improper handling of uploaded inline images
    Due to improper handling of uploaded images it is possible in very
    unlikely and rare conditions to force the agents browser to execute
    malicious javascript from a special crafted SVG file rendered as
    inline jpg file.
  * (CVE-2020-1765, OSA-2020-01)
    Spoofing of From field in several screens
    An improper control of parameters allows the spoofing of the from
    fields of the following screens:
    AgentTicketCompose, AgentTicketForward, AgentTicketBounce and
    AgentTicketEmailOutbound
  * run bin/otrs.Console.pl Maint::Config::Rebuild after the upgrade
- update itsm-update.sh
  * add Reject for *6.0.?.opm files

- Update 6.0.24
  https://community.otrs.com/otrs-community-edition-6-patch-level-24/
- fix for boo#1157001
  * (CVE-2019-18180, OSA-2019-15)
    Denial of service
    OTRS can be put into an endless loop by providing filenames with
    overly long extensions. This applies to the PostMaster
    (sending in email) and also upload
    (attaching files to mails, for example).
  * (CVE-2019-18179, OSA-2019-14)
    Information Disclosure
    An attacker who is logged into OTRS as an agent is able to list
    tickets assigned to other agents, which are in the queue where
    attacker doesn’t have permissions.

- Update to 6.0.23
  https://community.otrs.com/otrs-community-edition-6-patch-level-23/
- fix for boo#1156431
  * (CVE-2019-16375, OSA-2019-13)
    Stored XXS
    An attacker who is logged into OTRS as an agent or customer user
    with appropriate permissions can create a carefully crafted
    string containing malicious JavaScript code as an article body.
    This malicious code is executed when an agent compose an answer
    to the original article.

- Update to 6.0.20
  https://community.otrs.com/release-notes-otrs-6-patch-level-20/
- fix for boo#1141432
  * (CVE-2019-13458, OSA-2019-12)
    Information Disclosure
    An attacker who is logged into OTRS as an agent user with
    appropriate permissions can leverage OTRS tags in templates in
    order to disclose hashed user passwords.
- fix for boo#1141431
  * (CVE-2019-13457, OSA-2019-11)
    Information Disclosure
    A customer user can use the search results to disclose information
    from their “company” tickets (with the same CustomerID), even when
    CustomerDisableCompanyTicketAccess setting is turned on.
- fix for boo#1141430
  * (CVE-2019-12746, OSA-2019-10)
    Session ID Disclosure
    A user logged into OTRS as an agent might unknowingly disclose
    their session ID by sharing the link of an embedded ticket article
    with third parties. This identifier can be then potentially abused
    in order to impersonate the agent user.

- Update to 6.0.19
  https://community.otrs.com/release-notes-otrs-6-patch-level-19/
- fix for boo#1137614
  * (CVE-2019-12497, OSA-2019-09)
    Information Disclosure
    In the customer or external frontend, personal information of agents
    can be disclosed like Name and mail address in external notes.
- fix for boo#1137615
  * (CVE-2019-12248, OSA-2019-08)
    Loading External Image Resources
    An attacker could send a malicious email to an OTRS system. If a
    logged in agent user quotes it, the email could cause the browser
    to load external image resources.
- Update to 6.0.18
  https://community.otrs.com/release-notes-otrs-6-patch-level-18/
- fix for boo#1139406
  * (CVE-2019-10066, OSA-2019-06)
    Stored XSS
    An attacker who is logged into OTRS as an agent with appropriate
    permissions may create a carefully crafted calendar appointment
    in order to cause execution of JavaScript in the context of OTRS.
- fix for boo#1139406
  * (CVE-2019-10067, OSA-2019-05)
    Reflected and Stored XSS
    An attacker who is logged into OTRS as an agent user with appropriate
    permissions may manipulate the URL to cause execution of JavaScript
    in the context of OTRS.
- fix for boo#1139406
  * (CVE-2019-9892, OSA-2019-04)
    XXE Processing
    An attacker who is logged into OTRS as an agent user with appropriate
    permissions may try to import carefully crafted Report Statistics XML
    that will result in reading of arbitrary files of OTRS filesystem.
- Update to 6.0.17
  https://community.otrs.com/release-notes-otrs-6-patch-level-17/
- fix for boo#1129755
  * (CVE-2019-9751, OSA-2019-02)
    XSS
    An attacker who is logged into OTRS as an admin user may manipulate
    the URL to cause execution of JavaScript in the context of OTRS.
- rebase otrs-perm_test.patch

- fix changes file (chronological order)
- update missing CVE for OSA-2018-10, OSA-2019-01

- Update to 5.0.34
  * https://community.otrs.com/release-notes-otrs-5s-patch-level-34/
- fix for boo#1122560
  * (CVE-2019-9752, OSA-2019-01)
    Stored XSS
    An attacker who is logged into OTRS as an agent or a customer user
    may upload a carefully crafted resource in order to cause execution
    of JavaScript in the context of OTRS.
- Update to 5.0.33
  * https://community.otrs.com/release-notes-otrs-5s-patch-level-33/

- Update to 5.0.26
  * https://www.otrs.com/release-notes-otrs-5s-patch-level-26
  * https://www.otrs.com/release-notes-otrsitsm-module-5s-patch-level-26/
- remove obsolete
  * otrs-scheduler.service
  * otrs-scheduler.init

- Update to 5.0.32
  * https://community.otrs.com/release-notes-otrs-5s-patch-level-32/
- fix for boo#1116004
  * (CVE-2018-20800, OSA-2018-10)
    Data loss during migration
    Users updating to OTRS 6.0.13 (also patchlevel updates) or 5.0.31
    (only major updates) will experience data loss in their agent
    preferences table.
- fix for boo#1115416
  * (CVE-2018-19141, OSA-2018-09)
    Privilege Escalation
    An attacker who is logged into OTRS as an admin user may manipulate
    the URL to cause execution of JavaScript in the context of OTRS.
  * (CVE-2018-19143, OSA-2018-07)
    Remote File Deletion
    An attacker who is logged into OTRS as a user may manipulate the
    submission form to cause deletion of arbitrary files that the
    OTRS web server user has write access to.

- fix changelog
  * update 3.3.9 with 3.3.9 data
  * add missing update info for OTRS::ITSM
- update itsm-3.3.9 Source

- Update to 5.0.30
  * https://community.otrs.com/release-notes-otrs-5s-patch-level-30/
  * https://community.otrs.com/release-notes-otrs-5s-patch-level-29/
- fix for boo#1109822 (CVE-2018-16586, OSA-2018-05)
  * Loading External Image or CSS Resources
    An attacker could send a malicious email to an OTRS system. If a
    logged in user opens it, the email could cause the browser to
    load external image or CSS resources.
- fix for boo#1109823 (CVE-2018-16587, OSA-2018-04)
  * Remote File Deletion
    An attacker could send a malicious email to an OTRS system. If a user
    with admin permissions opens it, it causes deletions of arbitrary
    files that the OTRS web server user has write access to.
- fix for boo#1103800 (CVE-2018-14593, OSA-2018-03)
  * Privilege Escalation
    An attacker who is logged into OTRS as a user may escalate their
    privileges by accessing a specially crafted URL.
- improve itsm-update.sh
- fix permissions file
  * @OTRS_ROOT@/var/tmp -> @OTRS_ROOT@/var/tmp/

- Update to 5.0.28
  * Renamed 'OTRS Free' to '((OTRS)) Community Edition'.
  * https://github.com/OTRS/otrs/blob/rel-5_0_28/CHANGES.md
- improve itsm-update.sh
- fix otrs.service
  * remove otrs-scheduler.service from [Unit]After

- fix wrong fillup_only call

- fix for boo#1073747 (CVE-2017-17476, OSA-2017-10)
  * Session hijacking
    An attacker can send a specially prepared email to an OTRS system.
    If this system has cookie support disabled, and a logged in agent
    clicks a link in this email, the session information could be
    leaked to external systems, allowing the attacker to take over
    the agent?s session.
- Update to 4.0.28
  * https://github.com/OTRS/otrs/blob/rel-4_0_28/CHANGES.md
- improve itsm-update.sh

- fix for boo#1071797 (CVE-2017-16921, OSA-2017-09)
  * Remote code execution:
    An attacker who is logged into OTRS as an agent can manipulate
    form parameters and execute arbitrary shell commands with the
    permissions of the OTRS or web server user.
- fix for boo#1071799 (CVE-2017-16854, OSA-2017-08)
  * Information Disclosure:
    An attacker who is logged into OTRS as a customer can use the
    ticket search form to disclose internal article information
    of their customer tickets.
- Update to 4.0.27
  * https://github.com/OTRS/otrs/blob/rel-4_0_27/CHANGES.md

- Replace references to /var/adm/fillup-templates with new
  %_fillupdir macro (boo#1069468)

- fix for boo#1069391 (CVE-2017-16664, OSA-2017-07)
  * vulnerabilities discovered in the OTRS framework:
    An attacker who is logged into OTRS as an agent can request special
    URLs from OTRS which can lead to the execution of shell commands
    with the permissions of the web server user.
- Update to 4.0.26
  * Improved handling of spell checker.
  * https://github.com/OTRS/otrs/blob/rel-4_0_26/CHANGES.md
- improve itsm-update.sh
  * only package latest packages (<10)
- rebase patches
  * otrs-httpd_conf.patch
  * otrs-perm_test.patch
- fix permissions (SLE 11)

- improve itsm-update.sh to provide
  * current and previous itsm packages
  * exclude PreRelease packages (*x.y.9?.opm)
- replace itsm tarball so generated

- fix and make universal itsm-update.sh
- replace itsm tarball so generated

- fix for boo#1059691 (CVE-2017-14635)
  * Code Injection / Privilege Escalation OTRS
- Update to 4.0.25
  * Improved validation in statistic import and export.
    see OSA-2017-04 (Code Injection / Privilege Escalation OTRS)
  * for more info see https://www.otrs.com/release-notes-otrs-4-patch-level-25/

- Update to 4.0.24
  * for more info see https://www.otrs.com/release-notes-otrs-4-patch-level-24/
- update UPGRADING.SUSE, otrs.README.??, ZZZAuto.pm
- rework/rebase patches
  * otrs-httpd_conf.patch
  * otrs-perm_test.patch
- add systemd service files and helper
  * otrs.service, otrs.service.helper.sh
  * otrs-scheduler.service
- rework permissions
  * add otrs.permissions file for var/tmp, cause 'otrs' and 'wwwrun'
    are writing there

- fix for boo#1043086
  * Incorrect Access Control in OTRS
- Update to 3.3.17 2017-06-06
  * Improved SecureMode detection in Installer.
    see OSA-2017-03 (CVE-2017-9324)
  * Bug#12753 - Function "SystemDataGroupGet" has problems with empty
    values in oracle.
  * Bug#9941 - Articles with multi-byte characters that claim to be
    UTF-8 will not display in the browser.
  * Bug#7961 - customer search should not return results for internal
    articles.
    see OSA-2017-02
  * Bug#12391 - Base64 encoded image does not display in article.
  * Bug#12461 - Chrome can not display attached PDF files since 5.0.14.

- fix for boo#1008017
  * execution of JavaScript in OTRS context by opening malicious attachment
- Update to 3.3.16
  * Improved sandboxing of displayed attachments.
    see OSA-2016-02 (CVE-2016-9139)
  * Added package verification information to otrs.PackageManager.pl,
    use bin/otrs.PackageManager.pl -a list -e (to show package verification
    information) or bin/otrs.PackageManager.pl -a list -e -c
    (to show package verification information deleting the cache before).
  * Bug#11959 ? 500 Can?t connect to www.otrs.com/product.xml:443.
  * Bug#11870 ? Missing quoting in Layout::AgentQueueListOption().
  * Bug#11802 ? Customer user can get access to all ticket data.
- fix ZZZAuto.pm
  * do not replace existing file (manually merge needed for ITSM)

- fix itsm package
  * version is 3.3.14
- rebase otrs-3.3.15-perm_test.patch to otrs-perm_test.patch
- merge otrs-httpd_conf-apache2_4.patch into otrs-httpd_conf.patch

- Update to 3.3.15
  * HTML emails not properly displayed (parts missing).
  * Fixed a nasty JSON::XS crash on some platforms.
  * Updated CPAN module Proc::Daemon to version 0.21.
  * TransitionAction TicketLockSet typo, thanks to Torsten Thau (c.a.p.e. IT).
  * auto reply with DynamicFields from webservice.
  * Added option to package manager list action, to show deployment info of installed packages.
  * Reply in process ticket on webrequest article  fills customer mail into "cc" instead of "to".
- Changes 3.3.14
  * Package installation/uninstallation leads to endless loop.
  * Lang parameter not correctly validated.
  * Search for multiple ticket numbers with GenericInterface.
- Changes 3.3.13
  * Updated translation files.
  * Refresh bug on process client interface using ie8
  * Adding email recipients via addressbook does not update customer information.
  * Wrong column encoding in Kernel::System::Notification::NotificationGet().
  * Generic Agent ticket actions can't be unselect.
  * GI: Use of uninitialized value in string ne at AdminGenericInterfaceWebservice.pm.
  * Reply in process ticket on webrequest article  fills customer mail into "cc" instead of "to".
  * Download button for dashboard stats visible even if no permissions for AgentStats exist..
  * Invalid utf-8 parameters not filtered sufficciently.
  * DynamicField Filter in AgentDashboard accepts only one value.
  * Can't select customer and/or public interface in AdminACL.
  * Incorrect utf8 in ZZZAuto.pm (via SysConfig) also for hash keys.
  * Added possibility to turn of SSL certificate validation.
  * SLA can not be set over Free Fields Dialog.
  * Not possible to change customer.
  * Error from GenericInterface using SOAP and TicketGet operation.
  * Fixed problem with missing TimeObject in GenericInterface/Event/Handler.pm.
  * Updated CPAN module Crypt::PasswdMD5 to version 1.40 to fix problems with perl 5.20.
- Changes 3.3.12
  * Ticket owner is not shown regardless what is configured, thanks to Renee Bäcker.
  * Adressbook search does not permit to add contacts via click.
  * Wrong sortation of Ticket Overview settings.
  * Missing translations in Dashboard and TicketOverview settings.
  * Internal Server Error, instead of warning.
  * Dashlet: Filter Attributes with more then one CustomerID doesn't work.
  * SQL error with "0 oracle" for article body in Ticket Search.
  * Incorrect utf8 in ZZZAuto.pm (via SysConfig).
  * ProcessManagement: TransitionAction delete does not check if is used.
  * GPG option 0xlong breaks decryption of emails.
  * ORA-03113 Error after scheduler start.
  * /etc/init.d/otrs running httpd is not detected on CentOS 7.
  * Unable to change password in customer interface.
  * Dynamic Field shown information in customer interface is not consistent with agent interface.
  * Error: No Process configured! - Agent interface.
  * Error while splitting ticket.
  * ActivityDialogEntityID not working in ACLs from Process screens reducing States.
- Rebased otrs-perm.patch as otrs-3.3.15-perm_test.patch
- Added itsm-update.sh, a script to update the itsm source we use
- Updated sources
  * otrs.README.de
  * otrs.README.en
  * UPGRADING.SuSE -> UPGRADING.SUSE
  * ZZZAuto.pm

- fix for boo#910988 (CVE-2014-9324)
- update to 3.3.11
  fix for OSA-2014-06 (CVE-2014-9324)
  * Updated translations, thanks to all translators.
  * Bug#10904 ? Upon entering CIC, search only returns hits during
    the first search.
  * Bug#10944 ? Multiple selection in Tree Selection also affects
    filtered elements.
  * Follow-up fix for Bug#6284 ? Problem with unicode characters
    when using FastCGI.
  * Bug#10830 ? Textarea Limitation in Generic Agent.
  * Bug#10920 ? ProcessManagement: Deleting Activities from canvas
    does not update process layout.
  * Bug#10801 ? Editor is extremely slow with large articles.
  * Enhanced Permission Checks in GenericInterface Ticket Connector.
  * Bug#10634 ? ProcessManagement: Can not use an arbitrary email
    address as a CustomerUser.
  * Bug#10839 ? ACL cannot set possible TicketType in
    AgentTicketPhone and AgentTicketEmail.
  * Bug#10776 ? Medium and Large view don?t indicate active
    filters.
  * Bug#10808 ? Set of pending time is not working at all in
    Frontend::Agent::Ticket::ViewNote.
  * Bug#10892 ? TicketActionsPerTicket open multiple popups at
    TicketOverview.
  * Bug#10857 ? JS added too often in AgentTicketOverviewSmall.
  * Bug#10639 ? Set of pending time/state not working properly
    (process management).
  * Bug#10893 ? Missing log name partitions in Service Center.
  * Bug#10879 ? GenericInterfae: TicketSearch operation does not
    take escalation parameters.
  * Bug#10812 ? SOAP Response is always in version SOAP 1.2.
  * Bug#10083 ? SMIME and Email address detection is case sensitive
    (for the right part)..
  * Bug#10826 ? German ? Translation Problem.
  * Bug#10678 ? Dates off by one on area diagram in dashboard widget.
  * Bug#7369 ? LinkQoute fails for some characters in hash or
    parameter.
  * Bug#8404 ? Wrong sorting of responses dropdown in TicketZoom.
  * Bug#8781 ? 508 Compliance: In Ticket Overviews the title
    attribute of large view link is incorrect.
  * Bug#10669 ? Maxlength validation of textarea dynamic fields does
    not work correctly in IE.
  * Bug#10471 ? Missing translations for tooltips of
    TicketOverviewSmall columns.
  * Bug#10850 ? Double-quoted special characters in title of dynamic
    field sidebar output in TicketZoom.
  * Bug#10805 ? Open tickets in 3 days show right function but wrong
    number.
  * Bug#10845 ? No date search if TimeInputFormat is Input.
  * Bug#10706 ? dashboard settings are lost by different user login.
  * Bug#10577 ? Service Center does not show MOD_PERL version on
    Ubuntu 14.04.
  * Bug#10679 ? Texts in notification tags loose their empty lines
    and spaces.

- One more fix after fix bashisms in previous commit

- fix bashisms in post script

- fix changelog
  * update 3.3.9 with 3.3.9 data
  * add missing update info for OTRS::ITSM
- update itsm-3.3.9 Source

- Update to 3.3.9:
  https://github.com/OTRS/otrs/blob/rel-3_3_9/CHANGES.md
  * Bug#10697 - Column name in CSV report of stats is lowercase.
  * Bug#10652 - Process tickets without any articles create empty
    lines in AgentTicketSearch CSV result file.
  * Bug#10607 - SQL Box can change the database.
  * Bug#10700 - Bugfix: TimeUnits not written if E-Mail is sent via
    BulkAction.
  * Bug#10699 - Cannot add new customer (company).
  * Bug#10497 - CustomerUser secondary database access opens multitude
    of database connections.
  * Bug#9756 - Owner will be set after QueueMove screen AND undo.
  * Bug#10606 - Dynamic fields in dashboard overview are empty.
  * Updated Danish translation, thanks to Lars Jørgensen.
  * Bug#10670 - It is possible to start the scheduler more than once.
  * Bug#10515 - Problem with column filter sorting
  * Bug#10598 - Field tags not parsed properly in auto response subject.
  * Bug#10658 - Issue with multiple customer company backends.
  * Bug#10622 - eMail address only with uppercases - wrong display.
  * Bug#10596 - Manual Generic Agent Run doesn't show archived tickets
    as affected.
  * Bug#10601 - ExternalTicketNumberRecognition produces errors in log
    file.
  * Bug#9851 - Unlocking a ticket in the small view results in
    AgentTicketZoom.
  * Bug#10612 - Wrong Time in DashboardField "Changed", thanks to S7.
  * Bug#10595 - Standard Replies are false sorted in Ticket Zoom
    select box.
  * Bug#10534 - Wildcard hacking the customer information center,
    thanks to S7.
  * Bug#10597 - Process list description column doesn't support line
    breaks, thanks to S7.
  * Bug#10586 - In Customer Portal no attachments are shown.
  * Bug#6601 - Changing search options changes order of fields, thanks
    to S7.
  * Bug#10246 - ProcessManagement: ConditionLinking OR in a Transition
    doesn't work.
  * Bug#10559 - "Previous Owner" don't use the FirstnameLastnameOrder
    configuration.
  * Bug#10532 - PostMasterMailbox.pl hangs parsing mails.
  * Bug#10578 - Service selection in GA Ticket Action allows multi
    select.
- update OTRS::ITSM to 3.3.9
  * Bug#10330 ? ITSM Impact field displayed with Key instead of Value.

- update to 3.3.8
  * Bug#10524 ? Internal Dynamic Fields in Activity Dialog.
  * Bug#10562 ? Inconsistent displaying of ?CustomerID? value.
  * Bug#10508 ? (Agent|Customer)TicketProcess javascript errors when
    uploading attachments/having server errors.
  * Bug#10521 ? OutputFilterText AutoLink CVE.
  * Bug#10430 ? backup.pl doesn?t work with PostgreSQL unix sockets.
  * Bug#5012 ? Merging a watched ticket into another should ?transfer?
    the Watch status to the final ticket, thanks to Michiel Beijen!
  * Bug#10544 ? Upgrade to OTRS 3.3.7 breaks connection to external
    customer user tables.
  * Bug#10535 ? ACLListGet() produces DB warning message.
  * Bug#10163 ? Subject shows only 30 characters.
  * Bug#10519 ? Opening and closing popups in ProcessManagement leads
    to performance issues.
  * Bug#10513 ? Some SupportData Plugin Identifiers ends with ::.
  * Bug#8494 ? Possibility to split quotes in rich text editor.
  * Bug#10491 ? CIC not always accessible via TicketZoom.
  * Bug#10427 ? Bulk action locks tickets ? cancel keeps them locked.
- update OTRS::ITSM to 3.3.8
  * Bug# 10558 ? Slow CI search for classes with a large MaxCount on
    a value and sub values.
  * Bug# 10570 ? Deleting ITSM Change search templates does not work.

- add otrs-httpd_conf-apache2_4.patch to fix httpd.conf for apache 2.4
  * Apache2 on OpenSuSE v.13.1 has the mod_access_compat.c module
    statically compiled into the Apache2 core. This means it can't
    be unloaded and the older pre-2.4 access directives must be
    used. Since it is not advised to mix pre and post 2.4 access
    methods the configuration file had to be modified to look for
    this static module and load pre-2.4 directives if found on
    Apache 2.4. It should be forward compatible if the mod_access
    compat.c module become dynamic in the future and is not loaded.