SECURITY ADVISORY
- PUBLISHING DATE: February 26, 2025
- RELEASE TYPE: Security Patch Release
- CRITICALITY: MEDIUM | LOW
- AFFECTED VERSION: OTOBO 11.0
Description
- [Security | medium] The password history no longer uses an insecure hash algorithm, which prevents individuals with Admin rights or access to the database’s password table from reading passwords [#4181]
- [Security | low] Fixing a vulnerability that allowed authenticated OTOBO agents to launch potential DoS attacks [#4046]
- [Security | low] Using a cryptographically secure method to generate the ‘Shared Secret’ for two-factor authentication prevents it from being intercepted during transmission [#4181]
- [Security | low] Allowing the inclusion of a SysConfig option enables verification of the host key during email processing [#4181]
Enhancements
- [Change/Enhancement] Paragraph formatting returns to the original style without additional whitespace, which is again closer to MS conventions. Optimized inclusion of tables and images. Optimized display of cited emails. Paragraph handling can be configured via the SysConfig options Frontend::RichText::DefaultCSS or CustomerFrontend::RichText::DefaultCSS, or set directly in the following files: var/httpd/htdocs/skins/Agent/default/css/RichTextArticleContent.css and var/httpd/htdocs/skins/Customer/default/css/RichTextArticleContent.css
- [Enhancement] The dynamic fields of the OTOPar package DynamicFieldOTOBOAgents for OTOBO 10 can be changed to the agent dynamic fields of the OTOBO 11 standard via the console command Admin::DynamicField::IntegrateOTOBOAgentDynamicFields (this is done automatically during Upgrade from OTOBO 10.1) [#3908]
- [Enhancement] Enable sending custom headers with requests and responses in the Webservices [#3982]
- [Enhancement] Add console command Maint::GenericInterface::TriggerInvoker to trigger Webservice Invoker manually [#3914]
- [Enhancement] Translate Reference dynamic field values where applicable [#3958]
- [Enhancement] Allow sending and receiving arrays in the Generic Interface [#4099]
- [Enhancement] Add option for showing mandatory field (*) explanation in forms [#3954]
Next steps
Update to OTOBO 11.0.8
We recommend that you fix the vulnerabilities and benefit from the latest improvements. Please update your system.
Bug Fixes
- [Bugfix] DynamicField Script: The error “Bad value in PreviewTriggers” when emptying the “Preview Triggers” option has been resolved [#4121]
- [Bugfix] It is now ensured that links from merged tickets are transferred to the newly merged ticket and vice versa, ensuring seamless connectivity [#4114]
- [Bugfix] The issue with different behavior when using a multi-line DynamicField TextArea in ArticleCreate transition action and TicketCreate transition action has been resolved [#4110]
- [Bugfix] The popup window for editing the calendar date in “Term Edit” has been restored [#3955]
- [Bugfix] The time tracking calculation issue during article editing has been addressed [#3939]
- [Bugfix] The incorrect calculation of SolutionInMin statistics due to a wrong calculation of the solution duration has been resolved [#3897]
- [Bugfix] The permanent display of DynamicFieldWidget in AgentTicketZoom, even when no dynamic field is assigned to the ticket, has been addressed [#3829]
- [Bugfix] A UI issue with read-only Richtext dynamic fields has been resolved [#3824]
- [Bugfix] The function for empty field values in DynamicField Reference Agent has been restored [#3719]
We’d be happy to clarify your questions. Contact us.
If you are a support customer and require assistance with the security patch, please contact us through your access in the support portal.
Report a security issue:
security@otobo.org