Bug#983876: unblock: otrs2/6.0.32-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hello release team,
I try to cite from my mails to the security team; it's about #982927:
Yesterday I had a videocall with the owner and lead developer of OTOBO. They
want to support me keeping the otrs2 source package in a good shape for
Bullseye, so that users of the package don't have to worry now.
Kicking the package out of Debian would not be optimal.
They also showed me https://github.com/znuny/Znuny (https://www.znuny.com/) - they
also forked OTRS CE 6 and are fixing bugs and security bugs, also all known open bugs
in CVE/Debian atm. So the plan would be now:
* Switch the source of the otrs2 package to the znuny one, so that we have releases
based on an open(source) maintained safe codebase => can I get the go from you for that?
* otrs packaging at all is obsolete for bullseye+1. I will package otobo, also with
otobo support, and we will work on an easy way so that users later can migrate
from otrs to otobo
We also spoke about the open security issues, there is indeed one in the CKEditor, but:
#980891:
The way otrs uses this library it should not be possible to attack the user, mostly only the attacker himself
#982586:
That's wrong information from the OTRS AG, because it does not affect otrs 6 CE.
It depends on that you use an external interface, which is available in OTRS 7 and 8
(not free) and maybe in the not-free otrs 6 package via addon, but not in the community edition, which is also packaged in Debian.
XXXXXX itself is not helpful at all anymore and just wrote me **************
I hope switching as fast as possible to the znuny fork for the otrs2 source package is also an option for you, I don't want to release bullseye without it
-----
I just uploaded the otrs2 6.0.32 package to experimental. Could I have your ACK for bullseye? :-)
-- System Information:
Debian Release: 10.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-14-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled