Your message dated Mon, 25 Dec 2017 10:33:36 +0000
with message-id <[email protected]>
and subject line Bug#883774: fixed in otrs2 3.3.18-1+deb8u3
has caused the Debian Bug report #883774,
regarding otrs2: CVE-2017-16921: Remote code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
883774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883774
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: otrs2
Version: 5.0.16-1
Severity: grave
Tags: patch security upstream
Control: found -1 3.3.9-3
Hi,
the following vulnerability was published for otrs2.
The issue is related to improper handling of PGP parameters; as such, I
think the issue is present in the 3.3.x series as well (they are not
mentioned in the advisories since the 3.3.x series is not supported
anymore upstream).
CVE-2017-16921[0]:
OSA-2017-09: Remote code execution
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-16921
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16921
[1] https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: otrs2
Source-Version: 3.3.18-1+deb8u3
We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Matthäi <[email protected]> (supplier of updated otrs2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 13 Dec 2017 13:11:19 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 3.3.18-1+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Patrick Matthäi <[email protected]>
Changed-By: Patrick Matthäi <[email protected]>
Description:
otrs - Open Ticket Request System (OTRS 3)
otrs2 - Open Ticket Request System
Closes: 883774
Changes:
otrs2 (3.3.18-1+deb8u3) jessie-security; urgency=high
.
* Add patch 18-OSA-2017-08:
This fixes OSA-2017-08, also known as CVE-2017-16854: An attacker who is
logged into OTRS as a customer can use the ticket search form to disclose
internal article information of their customer tickets.
* Add patch 19-OSA-2017-09:
This fixes OSA-2017-09, also known as CVE-2017-16921: An attacker who is
logged into OTRS as an agent can manipulate form parameters and execute
arbitrary shell commands with the permissions of the OTRS or web server
user.
Closes: #883774
Checksums-Sha1:
adfb032f863a63dc2fddd8e5d5ee4c0de50c48e6 1820 otrs2_3.3.18-1+deb8u3.dsc
586934b555250a8387b8ca018aa17c266436640c 42492 otrs2_3.3.18-1+deb8u3.debian.tar.xz
ee2fb3ced7b2c6d6814c690be596a1c41b964198 5644830 otrs2_3.3.18-1+deb8u3_all.deb
5e1d318549841427a87c3d7815dcc2823fb2df27 188570 otrs_3.3.18-1+deb8u3_all.deb
Checksums-Sha256:
379e01840e1e2acfb27e6443e4099f8f7726daa51c267280c43d691f23a52e5a 1820 otrs2_3.3.18-1+deb8u3.dsc
9c7b081847769995b0559dbe8272fbfde79cb19a9104efccd42ba801b799da36 42492 otrs2_3.3.18-1+deb8u3.debian.tar.xz
6bdaf1f9a3cec91078467ab427174665051b343b685a87d8519b2088eccbaac3 5644830 otrs2_3.3.18-1+deb8u3_all.deb
274b1f11de7aa85ff9532d29116ba8a6cfe68c73a61c9919eb7c2cf1a7a249f8 188570 otrs_3.3.18-1+deb8u3_all.deb
Files:
12d2f41d20c75f9f926f2d32cbbbd1de 1820 web optional otrs2_3.3.18-1+deb8u3.dsc
84e756a3bd4460d36e2fd1127b67f158 42492 web optional otrs2_3.3.18-1+deb8u3.debian.tar.xz
7fd68cc52ca3596e6ee96f170abfcd48 5644830 web optional otrs2_3.3.18-1+deb8u3_all.deb
b5b08d40514e59f2f747f514dd6de725 188570 web optional otrs_3.3.18-1+deb8u3_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
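The .changes file in the close message lists SHA-1, SHA-256 and MD5 digests together with the size of every uploaded file, which is what lets a mirror operator or an administrator confirm that the fixed otrs2 packages they fetched are the ones the maintainer signed. As an added example, not code from the bug report, from Debian's tooling or from the otrs2 package, the Python below parses one checksum field from .changes text and verifies the files in a directory against it, reporting missing, resized and altered files separately. The .changes fragment, the package names and the file contents are constructed inside the script so it runs offline; the real upload's hashes are not used because the corresponding files are not part of this page.

```python
"""Verify files against the checksum fields of a Debian .changes file.

Added example; the .changes fragment and sample files below are constructed
for illustration and are not the otrs2 upload from the bug report.
"""
import hashlib
import os
import tempfile

# Checksum field name -> hashlib algorithm, as used in .changes files.
FIELD_ALGORITHMS = {
    "Checksums-Sha256": "sha256",
    "Checksums-Sha1": "sha1",
    "Files": "md5",
}


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one multi-line checksum field.

    .changes files are RFC 822 style: continuation lines begin with whitespace
    and the field ends at the next non-indented line.  The 'Files' field has
    extra section/priority columns, so only the first two and last columns are used.
    """
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if not in_field:
            continue
        if not line.startswith((" ", "\t")):
            break  # next field reached
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, size, name = parts[0].lower(), int(parts[1]), parts[-1]
        entries[name] = (digest, size)
    return entries


def verify_directory(changes_text, directory, field="Checksums-Sha256"):
    """Return {filename: status} with status in ok/missing/size-mismatch/digest-mismatch."""
    algorithm = FIELD_ALGORITHMS[field]
    results = {}
    for name, (digest, size) in parse_checksums(changes_text, field).items():
        # basename() keeps a hostile .changes file from pointing outside the directory.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.new(algorithm)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "digest-mismatch"
    return results


def demo():
    """Construct two sample files, record their checksums, alter one in place
    (same length, different bytes) and list a third file that does not exist."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good_1.0-1_all.deb")
        bad = os.path.join(d, "tampered_1.0-1_all.deb")
        with open(good, "wb") as f:
            f.write(b"constructed package contents A\n")
        with open(bad, "wb") as f:
            f.write(b"constructed package contents B\n")

        def sha256_of(path):
            with open(path, "rb") as f:
                return hashlib.sha256(f.read()).hexdigest()

        changes = (
            "Format: 1.8\n"
            "Source: example\n"
            "Checksums-Sha256:\n"
            f" {sha256_of(good)} {os.path.getsize(good)} good_1.0-1_all.deb\n"
            f" {sha256_of(bad)} {os.path.getsize(bad)} tampered_1.0-1_all.deb\n"
            f" {'0' * 64} 1820 absent_1.0-1.dsc\n"
            "Files:\n"
            " d41d8cd98f00b204e9800998ecf8427e 0 web optional ignored.txt\n"
        )
        # Same length as before, so only the digest check can catch the change.
        with open(bad, "wb") as f:
            f.write(b"constructed package contents X\n")
        return verify_directory(changes, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:16} {name}")
```

The size check runs first because it is free and already rejects truncated downloads; the digest check catches the case a size check cannot, a same-length alteration. Nothing here replaces verifying the PGP signature on the .changes file itself, which is what binds the checksums to the maintainer; the script only answers whether the files on disk match what that signed list says.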