OTOBO Release note

OTOBO 10.0.12 – Security Patch

21 August 2021


  • Files from the directories stated in the SysConfig options SMIME::PrivatePath and SMIME::CertPath are no longer included in the Support bundle if they are within the OTOBO directory (CVE-2021-21440).
  • Authenticated agents can no longer list emails of ticket recipients or appointments from calendars they are not entitled to access (CVE-2021-36091, CVE-2021-21443).
  • Updates for outdated packages in the Docker base image (Perl, Elasticsearch, MariaDB and Redis)
  • After activating “DisableCustomerCompanyTickets”, tickets are no longer shown in the Elasticsearch quick search

Criticality: Low to middle.

Also new:

  • New in OTOBO 10.0.12 is the possibility to define complex settings for Elasticsearch: They can be adapted via Kernel/Config.pm (see Elasticsearch::IndexTemplate in Defaults.pm). Please use ElasticSearch::IndexSettings### instead of ArticleIndexCreationSettings for more complex settings.
  • GNU Screen was added to Docker images
  • Let's Encrypt Certbot was added to Docker images
  • Default maximum number of dynamic fields shown per page set to a higher value
  • Migration enhancements (check for invalid NULL values in the source database, shortening columns when migrating from PostgreSQL to MariaDB, issues with DirectBlob feature resolved, call ResetAutoIncrementField)
  • Various bug fixes (Agent email can be equal to username now, Customer Frontend state selector no longer jumps when ACL is active, CustomerUser changes can be used to trigger ACLs now, and more ...)
  • New translations

Please update as soon as possible.