Security update for otrs SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1888-1 Final 1 1 2020-11-09T19:24:17Z current 2020-11-09T19:24:17Z 2020-11-09T19:24:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for otrs This update for otrs fixes the following issues: - otrs was updated to 6.0.30 (OSA-2020-14 boo#1178434) - CVE-2020-11022, CVE-2020-11023: Vulnerability in third-party library - jquery OTRS uses jquery version 3.4.1, which is vulnerable to cross-site scripting (XSS). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1888 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q4QSMZXUNVYKSR2VDCHWASQTIS4WW2JC/ E-Mail link for openSUSE-SU-2020:1888-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1178434 SUSE Bug 1178434 https://www.suse.com/security/cve/CVE-2020-11022/ SUSE CVE CVE-2020-11022 page https://www.suse.com/security/cve/CVE-2020-11023/ SUSE CVE CVE-2020-11023 page SUSE Package Hub 15 SP1 SUSE Package Hub 15 SP2 openSUSE Leap 15.1 openSUSE Leap 15.2 otrs-6.0.30-bp152.2.11.1 otrs-doc-6.0.30-bp152.2.11.1 otrs-itsm-6.0.30-bp152.2.11.1 otrs-6.0.30-bp152.2.11.1 as a component of SUSE Package Hub 15 SP1 otrs-doc-6.0.30-bp152.2.11.1 as a component of SUSE Package Hub 15 SP1 otrs-itsm-6.0.30-bp152.2.11.1 as a component of SUSE Package Hub 15 SP1 otrs-6.0.30-bp152.2.11.1 as a component of SUSE Package Hub 15 SP2 otrs-doc-6.0.30-bp152.2.11.1 as a component of SUSE Package Hub 15 SP2 otrs-itsm-6.0.30-bp152.2.11.1 as a component of SUSE Package Hub 15 SP2 otrs-6.0.30-bp152.2.11.1 as a component of openSUSE Leap 15.1 otrs-doc-6.0.30-bp152.2.11.1 as a component of openSUSE Leap 15.1 otrs-itsm-6.0.30-bp152.2.11.1 as a component of openSUSE Leap 15.1 otrs-6.0.30-bp152.2.11.1 as a component of openSUSE Leap 15.2 otrs-doc-6.0.30-bp152.2.11.1 as a component of openSUSE Leap 15.2 otrs-itsm-6.0.30-bp152.2.11.1 as a component of openSUSE Leap 15.2 In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CVE-2020-11022 SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1 openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1 openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1 openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1 openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1 openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1 openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q4QSMZXUNVYKSR2VDCHWASQTIS4WW2JC/ https://www.suse.com/security/cve/CVE-2020-11022.html CVE-2020-11022 https://bugzilla.suse.com/1173090 SUSE Bug 1173090 https://bugzilla.suse.com/1178434 SUSE Bug 1178434 https://bugzilla.suse.com/1190663 SUSE Bug 1190663 In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CVE-2020-11023 SUSE Package Hub 15 SP1:otrs-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP1:otrs-doc-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP1:otrs-itsm-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP2:otrs-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP2:otrs-doc-6.0.30-bp152.2.11.1 SUSE Package Hub 15 SP2:otrs-itsm-6.0.30-bp152.2.11.1 openSUSE Leap 15.1:otrs-6.0.30-bp152.2.11.1 openSUSE Leap 15.1:otrs-doc-6.0.30-bp152.2.11.1 openSUSE Leap 15.1:otrs-itsm-6.0.30-bp152.2.11.1 openSUSE Leap 15.2:otrs-6.0.30-bp152.2.11.1 openSUSE Leap 15.2:otrs-doc-6.0.30-bp152.2.11.1 openSUSE Leap 15.2:otrs-itsm-6.0.30-bp152.2.11.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q4QSMZXUNVYKSR2VDCHWASQTIS4WW2JC/ https://www.suse.com/security/cve/CVE-2020-11023.html CVE-2020-11023 https://bugzilla.suse.com/1173090 SUSE Bug 1173090 https://bugzilla.suse.com/1178434 SUSE Bug 1178434 https://bugzilla.suse.com/1190660 SUSE Bug 1190660