
Bug#983876: unblock: otrs2/6.0.32-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hello release team,

I try to cite from my mails to the security team; it's about #982927:


Yesterday I had a videocall with the owner and lead developer of OTOBO. They
want to support me keeping the otrs2 source package in a good shape for
Bullseye, so that users of the package don't have to worry now.
Kicking the package out of Debian would not be optimal.
They also showed me https://github.com/znuny/Znuny (https://www.znuny.com/) - they
also forked OTRS CE 6 and are fixing bugs and security bugs, also all known open bugs
in CVE/Debian atm. So the plan would be now:
* Switch the source of the otrs2 package to the znuny one, so that we have releases
  based on an open(source) maintained safe codebase => can I get the go from you for that?
* otrs packaging at all is obsolete for bullseye+1. I will package otobo, also with
  otobo support, and we will work on an easy way so that users later can migrate
  from otrs to otobo
We also spoke about the open security issues, there is indeed one in the CKEditor, but:
#980891:
The way otrs uses this library, it should not be possible to attack the user, mostly only the attacker himself
#982586:
That's wrong information from the OTRS AG, because it does not affect otrs 6 CE.
It depends on you using an external interface, which is available in OTRS 7 and 8
(not free) and maybe in the not-free otrs 6 package via addon, but not in the community edition, which is also packaged in Debian.

XXXXXX itself is not helpful at all anymore and just wrote me **************
I hope switching as fast as possible to the znuny fork for the otrs2 source package is also an option for you; I don't want to release bullseye without it.


-----

I just uploaded the otrs2 6.0.32 package to experimental.  Could I have your ACK for bullseye? :-)

-- System Information:
Debian Release: 10.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-14-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

