OTOBO Release Notes

OTOBO 10.1.5 – a security patch

18 August 2022

Security-related:

As in OTOBO 10.1.3 we have fixed vulnerabilities enabling attackers with Admin rights in the system to gain extended permissions with this security patch.

• In systems with ConfigLevel settings, OTOBO admins or attackers with admin rights were able to bypass their restrictions.
• OTOBO admins and attackers with OTOBO admin rights were able to inject code via ACLs.

Thanks to Tim Püttmann (maxence) for reporting those issues.

Criticality: Medium (5.6)

Also new: Bug fixes and miscellanious updates

• Update of JavaScript libraries (systems with manual changes in the SysConfig: see below)
• Bug fix: Calendar appointments were not visible with deactivated SessionUseCookie
• Update S/MIME handling for newer OpenSSL versions (e.g. Ubuntu 22.04)
  Note: Some legacy algorithms for certs have been removed
• Bug fix: Fixed ProcessWidgetDynamicFields overwriting the settings of dynamic fields for AgentTicketZoom
• Updated S3 support
• Bug fix: Fixed subaction-specific access restrictions in the customer interface
• Bug fix: Corrected hiding of a single selected queue via Autoselect
• Enabled translation of footer links
• Bug fix: Fixed path if no own template is used in kerberos.
• Bug fix: Tickets got locked on FollowUp even if the owner was root@localhost
• Bug fix: Fixed a bug in LDAP groups to OTOBO roles synchronization

Please update your system.

Changes to SysConfig options

JavaScript

As in OTOBO 10.1.3, several Javasript libraries have been updated with this patch.
They are defined in the SysConfig options "Loader::Agent::CommonJS###000-Framework" and "Loader::Customer::CommonJS###000-Framework".

In case you changed these options manually in the SysConfig (which we do NOT recommend), it will not be possible to automatically update them.

In this case, please note down your changes, reset your settings, run the update and manually adapt the option again, if needed.