Your message dated Sun, 12 Nov 2017 15:34:22 +0000
with message-id <e1eduh8-000fp4...@fasolo.debian.org>
and subject line Bug#876462: fixed in otrs2 5.0.16-1+deb9u2
has caused the Debian Bug report #876462,
regarding otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
876462: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876462
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: otrs2
Version: 3.3.9-3
Severity: grave
Tags: upstream security
Hi,
the following vulnerability was published for otrs2.
CVE-2017-14635[0]:
| In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before
| 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage
| statistics-write permissions to gain privileges via code injection.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14635
[1]
https://www.otrs.com/security-advisory-2017-04-security-update-otrs-versions/
Unfortunately the patches are not referenced, so must be researched in
the repository.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: otrs2
Source-Version: 5.0.16-1+deb9u2
We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated otrs2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 06 Nov 2017 15:22:44 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 5.0.16-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Description:
otrs - Open Ticket Request System (OTRS 5)
otrs2 - Open Ticket Request System
Closes: 876462
Changes:
otrs2 (5.0.16-1+deb9u2) stretch-security; urgency=high
.
* Add patch 16-CVE-2017-14635:
This fixes OSA-2017-04, also known as CVE-2017-14635: An attacker who is
logged into OTRS as an agent with write permissions for statistics can
inject arbitrary code into the system. This can lead to serious problems
like privilege escalation, data loss, and denial of service.
Closes: #876462
Checksums-Sha1:
5655db3601cf33f09ea61489f08278d6bf2534f6 1838 otrs2_5.0.16-1+deb9u2.dsc
5538c2b9138a0b6d5816ff034507dd5ce26abf8d 19417591 otrs2_5.0.16.orig.tar.bz2
07a432686256089532a2eae170cd41c9e95aeea8 49336 otrs2_5.0.16-1+deb9u2.debian.tar.xz
960222a0fe0bf4d45cfc007d346c4daa07c738dd 7053058 otrs2_5.0.16-1+deb9u2_all.deb
102937f5fbb265d12bb03462a7c033f064ad2b74 7244 otrs2_5.0.16-1+deb9u2_amd64.buildinfo
7f076896f13bf4bf58302d75bfb8aff9a6595623 213016 otrs_5.0.16-1+deb9u2_all.deb
Checksums-Sha256:
65e92d009a89eefc3f63d3548d854b49d7bb7c7e3635823bee136ae0b3308f5d 1838 otrs2_5.0.16-1+deb9u2.dsc
ddec039990c1bdfc27299ab175eff3e1665aa99ba48050f7f2dde480b28f4029 19417591 otrs2_5.0.16.orig.tar.bz2
41f0e5896b4e6c057cdc832284d300d783111d1a0bda07d273aab162cf5ec9f5 49336 otrs2_5.0.16-1+deb9u2.debian.tar.xz
e4d8e1e7859f360dce30a4fbf91e82ead507610c3ebace0e492f64bcf59b93e3 7053058 otrs2_5.0.16-1+deb9u2_all.deb
27dca46f41693309b5c7b612c93d77f34bc235bf1f9f84332b24acfbb29f8e11 7244 otrs2_5.0.16-1+deb9u2_amd64.buildinfo
dbd387ecf16b9314a361b3405e9b7864bbff7eb17d05e947270e6d6066bf7843 213016 otrs_5.0.16-1+deb9u2_all.deb
Files:
86ce04c7c2f5062cf263223bd1a373c9 1838 non-free/web optional otrs2_5.0.16-1+deb9u2.dsc
9fe21e6993bcac71247fdcaf5e1f4e55 19417591 non-free/web optional otrs2_5.0.16.orig.tar.bz2
66cd6c830e1844ae341f8182d64b8f5a 49336 non-free/web optional otrs2_5.0.16-1+deb9u2.debian.tar.xz
62d6b4e61ba29715a47e12ea7a912a4d 7053058 non-free/web optional otrs2_5.0.16-1+deb9u2_all.deb
56d00a735d6c411f884f5fbc462ac74d 7244 non-free/web optional otrs2_5.0.16-1+deb9u2_amd64.buildinfo
1494511f24abab4e879e33a38b278b99 213016 non-free/web optional otrs_5.0.16-1+deb9u2_all.deb
-----BEGIN PGP SIGNATURE-----
=IWgL
-----END PGP SIGNATURE-----
--- End Message ---