openSUSE-SU-2020:0551-1
History: Apr 25, 2020 - 12:00 a.m.

Recommended update for otrs (moderate)

Published: 2020-04-25 00:00:00
Source: lists.opensuse.org

CVSS3: 8.1 High
  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS2: 5.5 Medium
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
  • Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

An update that fixes 18 vulnerabilities is now available.

Description:

OTRS was updated to 5.0.42, fixing lots of bugs and security issues:

 https://community.otrs.com/otrs-community-edition-5s-patch-level-42/
  • CVE-2020-1773 boo#1168029 OSA-2020-10:
    • Session / Password / Password token leak: An attacker with the ability
      to generate session IDs or password reset tokens, either by being able
      to authenticate or by exploiting OSA-2020-09, may be able to predict
      other users' session IDs, password reset tokens and automatically
      generated passwords.
  • CVE-2020-1772 boo#1168029 OSA-2020-09:
    • Information Disclosure: It’s possible to craft Lost Password requests
      with wildcards in the Token value, which allows an attacker to retrieve
      valid Token(s) generated by users who already requested new
      passwords.
  • CVE-2020-1771 boo#1168030 OSA-2020-08:
    • Possible XSS in Customer user address book: An attacker is able to
      craft an article with a link to the customer address book with
      malicious content (JavaScript). When an agent opens the link, the
      JavaScript code is executed due to the missing parameter encoding.
  • CVE-2020-1770 boo#1168031 OSA-2020-07:
    • Information disclosure in support bundle files: Support bundle
      generated files could contain sensitive information that should not
      be disclosed.
  • CVE-2020-1769 boo#1168032 OSA-2020-06:
    • Autocomplete in the form login screens: In the login screens (in agent
      and customer interface), the Username and Password fields use
      autocomplete, which might be considered a security issue.
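The bug class described for CVE-2020-1772 above, as an added example that is not OTRS's own code: a reset-token lookup that hands the submitted token to a SQL LIKE clause (so wildcard characters in the request select other users' real tokens), beside the exact-match, constant-time version that closes the hole. The sqlite stand-in, its schema and the function names are assumptions.

```python
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a password-reset token table.
    Hypothetical schema; it is not OTRS's own data model."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reset_token (login TEXT PRIMARY KEY, token TEXT)")
    conn.executemany(
        "INSERT INTO reset_token VALUES (?, ?)",
        [("alice", secrets.token_hex(16)), ("bob", secrets.token_hex(16))],
    )
    return conn


def token_for(conn, login):
    """The token the server actually issued for a login (None if no reset is pending)."""
    row = conn.execute(
        "SELECT token FROM reset_token WHERE login = ?", (login,)
    ).fetchone()
    return row[0] if row else None


def lookup_by_like(conn, submitted_token):
    """Vulnerable pattern: the submitted token is used as a LIKE pattern.
    '%' and '_' in the request act as wildcards, so a request carrying no
    valid token can still select (and thereby reveal) someone's real token."""
    row = conn.execute(
        "SELECT login, token FROM reset_token WHERE token LIKE ?",
        (submitted_token,),
    ).fetchone()
    return row  # (login, token) or None


def lookup_exact(conn, login, submitted_token):
    """Hardened pattern: select by the login the reset was requested for,
    then compare the stored token with the submitted one in constant time.
    Wildcard characters are ordinary bytes here and never match anything."""
    stored = token_for(conn, login)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), submitted_token.encode())
```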

Update to 5.0.41
https://community.otrs.com/otrs-community-edition-5s-patch-level-41/
  • bug#14912 - Installer refers to non-existing documentation
  • added code to upgrade OTRS from 4 to 5

    READ UPGRADING.SUSE

    • steps 1 to 4 are done by the rpm package
    • steps 5 to END need to be done manually because of the DB backup

Update to 5.0.40

 https://community.otrs.com/otrs-community-edition-5s-patch-level-40/
  • CVE-2020-1766 boo#1160663 OSA-2020-02: Improper handling of uploaded
    inline images. Due to improper handling of uploaded images it is
    possible, in very unlikely and rare conditions, to force the agent's
    browser to execute malicious JavaScript from a specially crafted SVG
    file rendered as an inline jpg file.
  • CVE-2020-1765, OSA-2020-01: Spoofing of From field in several screens.
    An improper control of parameters allows the spoofing of the From
    fields of the following screens: AgentTicketCompose,
    AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound.
  • run bin/otrs.Console.pl Maint::Config::Rebuild after the upgrade

Update to 5.0.39
https://community.otrs.com/otrs-community-edition-5s-patch-level-39/

  • CVE-2019-18180 boo#1157001 OSA-2019-15: Denial of service OTRS can be
    put into an endless loop by providing filenames with
    overly long extensions. This applies to the PostMaster (sending in
    email) and also upload (attaching files to mails, for example).

  • CVE-2019-18179 OSA-2019-14: Information Disclosure An attacker who is
    logged into OTRS as an agent is able to list tickets assigned to other
    agents in a queue where the attacker doesn’t have permissions.

Update to 5.0.38
https://community.otrs.com/release-notes-otrs-5s-patch-level-38/

  • CVE-2019-16375, boo#1156431 OSA-2019-13: Stored XSS An attacker who is
    logged into OTRS as an agent or customer user with appropriate
    permissions can create a carefully crafted string containing malicious
    JavaScript code as an article body. This malicious code is executed when
    an agent composes an answer to the original article.

Update to 5.0.37
https://community.otrs.com/release-notes-otrs-5s-patch-level-37/

  • CVE-2019-13458, boo#1141432, OSA-2019-12:

    Information Disclosure An attacker who is logged into OTRS as an agent
    user with appropriate permissions can leverage OTRS tags in templates in
    order to disclose hashed user passwords.

  • CVE-2019-13457, boo#1141431, OSA-2019-11:

    Information Disclosure A customer user can use the search results to
    disclose information from their “company” tickets (with the same
    CustomerID), even when the CustomerDisableCompanyTicketAccess setting is
    turned on.

  • CVE-2019-12746, boo#1141430, OSA-2019-10:

    Session ID Disclosure A user logged into OTRS as an agent might
    unknowingly disclose their session ID by sharing the link of an embedded
    ticket article with third parties. This identifier can then potentially
    be abused in order to impersonate the agent user.

Update to 5.0.36

 https://community.otrs.com/release-notes-otrs-5s-patch-level-36/
  • CVE-2019-12497, boo#1137614, OSA-2019-09: Information Disclosure In the
    customer or external frontend, personal information of agents, such as
    name and mail address, can be disclosed in external notes.

  • CVE-2019-12248, boo#1137615, OSA-2019-08: Loading External Image
    Resources An attacker could send a malicious email to an OTRS system. If
    a logged in agent user quotes it, the email could cause the browser to
    load external image resources.

Update to 5.0.35

 https://community.otrs.com/release-notes-otrs-5s-patch-level-35/
  • CVE-2019-10067, boo#1139406, OSA-2019-05:

    Reflected and Stored XSS An attacker who is logged into OTRS as an agent
    user with appropriate permissions may manipulate the URL to cause
    execution of JavaScript in the context of OTRS.

  • CVE-2019-9892, boo#1139406, OSA-2019-04:

    XXE Processing An attacker who is logged into OTRS as an agent user with
    appropriate permissions may try to import carefully crafted Report
    Statistics XML that will result in reading of arbitrary files from the
    OTRS filesystem.

  • update missing CVE for OSA-2018-10, OSA-2019-01

Update to 5.0.34

Update to 5.0.33

Update to 5.0.26

  • remove obsolete
    • otrs-scheduler.service
    • otrs-scheduler.init

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.1:

    zypper in -t patch openSUSE-2020-551=1

  • openSUSE Backports SLE-15-SP1:

    zypper in -t patch openSUSE-2020-551=1

  • openSUSE Backports SLE-15:

    zypper in -t patch openSUSE-2020-551=1
