On 2017-06-08 11:02, Debian Queue Viewer wrote:
Version in base suite: 3.3.9-3
Base version: otrs2_3.3.9-3
Target version: otrs2_3.3.9-3+deb8u1
[...]
+otrs2 (3.3.9-3+deb8u1) jessie-security; urgency=high
+
+ * Add patch 17-CVE-2017-9324:
+ This fixes OSA-2017-03, also known as CVE-2017-9324: An attacker
with
+ agent permission is capable by opening a specific URL in a browser
to
+ gain administrative privileges / full access. Afterward, all
system
+ settings can be read and changed.
+ Closes: #864319
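Review bot: the header line of this changelog entry sets the distribution to jessie-security, which has to match the queue the package is actually uploaded to; if the upload is meant for proposed-updates, the field should read jessie instead. In the entry text, "An attacker with agent permission is capable by opening a specific URL in a browser to gain administrative privileges" is hard to parse; "can gain administrative privileges / full access by opening a specific URL in a browser" says the same thing more directly.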

I'm afraid that I'm confused by this upload.

It claims to be for stable-security, but was uploaded directly to
ftp-master. If it's for security, then it should have been uploaded to
the security queues.

If, on the other hand, this was intended for proposed-updates then a)
the distribution should be "jessie", not "jessie-security" and b) it
should have been discussed in a p-u bug, not simply uploaded.

Regards,

Adam