All versions in the Portage tree are affected. See http://otrs.org/advisory/OSA-2010-02-en/ Also, see http://bugs.gentoo.org/show_bug.cgi?id=308059 Please mask in profile OR bump.
*** Bug 337994 has been marked as a duplicate of this bug. ***
Note: unaffected versions: 2.3.6, 2.4.8, 3.0.0_beta3
Created attachment 247938: otrs-2.3.6 - fixed version
Created attachment 247939: otrs-2.4.8.ebuild - 2.4 series fixed ebuild
Created attachment 247943: files/reconfig-2
Created attachment 247944: files/reconfig-3
Created attachment 247946: files/reconfig-4
Created attachment 247948: files/apache2.patch
Created attachment 247950: files/apache2-2.patch
In the rion overlay, affected versions have been removed. Available: 2.4.8; 2.3.6
CVE-2010-2080 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2080): Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Hrm. Any hope of official Portage seeing version bumps for the various security issues with the versions available? :)
I think this has exceeded the time limit even for a ~4-rated vulnerability. Should we consider masking the package?
I'd like to even see it punted...
What is the state of this bug at the moment? A new (not affected) version has been committed to the tree.
(In reply to comment #15)
> What is the state of this bug at the moment?
> A new (not affected) version has been committed to the tree.
The fixed ebuilds lack keywords on some arches.
Fixed software added and vulnerable versions removed by Patrick Lauer via bug 379855. Closing noglsa for ~arch package.