Your message dated Wed, 20 Dec 2017 09:20:26 +0000
with message-id <e1eray6-0002lt...@fasolo.debian.org>
and subject line Bug#884801: fixed in otrs2 6.0.3-1
has caused the Debian Bug report #884801,
regarding otrs2: CVE-2017-17476: OSA-2017-10: Session hijacking
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
884801: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: otrs2
Version: 3.3.9-3
Severity: grave
Tags: patch security upstream
Hi

From
https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/

> An attacker can send a specially prepared email to an OTRS system. If
> this system has cookie support disabled, and a logged in agent clicks a
> link in this email, the session information could be leaked to external
> systems, allowing the attacker to take over the agent’s session.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: otrs2
Source-Version: 6.0.3-1
We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 884...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated otrs2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 20 Dec 2017 09:25:55 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 6.0.3-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Description:
 otrs - Open Ticket Request System (OTRS 6)
 otrs2 - Open Ticket Request System
Closes: 884801
Changes:
 otrs2 (6.0.3-1) unstable; urgency=high
 .
   * New upstream release.
     - This fixes OSA-2017-10, also known as CVE-2017-17476: A session hijacking
       vulnerability.
       Closes: #884801
   * Merge 3.3.18-1+deb8u3, 3.3.18-1+deb8u4, 5.0.16-1+deb9u4 and 5.0.16-1+deb9u5
     changelog.
   * Bump Standards-Version to 4.1.2 (no changes required).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---