Your message dated Fri, 24 Nov 2017 11:02:07 +0000
with message-id <e1eibkf-000ggy...@fasolo.debian.org>
and subject line Bug#882370: fixed in otrs2 5.0.16-1+deb9u3
has caused the Debian Bug report #882370,
regarding otrs2: CVE-2017-16664: OSA-2017-07: privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
882370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: otrs2
Version: 3.3.9-1
Severity: grave
Tags: patch security upstream fixed-upstream
Hi,
the following vulnerability was published for otrs2.
CVE-2017-16664[0]:
| Code injection exists in Kernel/System/Spelling.pm in Open Ticket
| Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before
| 3.3.20. In the agent interface, an authenticated remote attacker can
| execute shell commands as the webserver user via URL manipulation.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-16664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16664
[1]
https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: otrs2
Source-Version: 5.0.16-1+deb9u3
We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated otrs2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 22 Nov 2017 15:16:23 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 5.0.16-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Description:
otrs - Open Ticket Request System (OTRS 5)
otrs2 - Open Ticket Request System
Closes: 882370
Changes:
otrs2 (5.0.16-1+deb9u3) stretch-security; urgency=high
.
* Add patch 17-CVE-2017-16664:
This fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is
logged into OTRS as an agent can request special URLs from OTRS which can
lead to the execution of shell commands with the permissions of the web
server user.
Closes: #882370
Checksums-Sha1:
302bea080cc1a77886e2b4ecd627f382d2bdfde8 1838 otrs2_5.0.16-1+deb9u3.dsc
898049f899bd8859fa2c17df1bc4ec2bc13c614c 49600 otrs2_5.0.16-1+deb9u3.debian.tar.xz
7c17549665d3808200bfc3107800b17f8255d89c 7052652 otrs2_5.0.16-1+deb9u3_all.deb
b4fc5e5e50c747594e3bc73fe7a106e4a1571168 7244 otrs2_5.0.16-1+deb9u3_amd64.buildinfo
97da148da8d1b6fe7db6004b827618ca6b17fe27 213116 otrs_5.0.16-1+deb9u3_all.deb
Checksums-Sha256:
9effda6496f6f98f42a43a0b4eeaf458d6e4f1b9e185e8e036d830e50a7131b3 1838 otrs2_5.0.16-1+deb9u3.dsc
12a56d047f3c6c41adf7dc4469bf8b18e415dfef39da0106fef32acd9fdcebb5 49600 otrs2_5.0.16-1+deb9u3.debian.tar.xz
ec18c5f49bd863233908048b7f87aed061bba727e57130875ab9789b1d709be4 7052652 otrs2_5.0.16-1+deb9u3_all.deb
02a5ec25cbbc41417510c05437222c84151d03c06abaed7ef75db7ab17ea268a 7244 otrs2_5.0.16-1+deb9u3_amd64.buildinfo
e3ae8c205d8c7e848f1d85bae41e82b79b04b6e44a467c5593fb5993badd2764 213116 otrs_5.0.16-1+deb9u3_all.deb
Files:
e4879549dcfb7d821484cee9e206a827 1838 non-free/web optional otrs2_5.0.16-1+deb9u3.dsc
412cee7efd05a7c7b78a9e9e4dcc1122 49600 non-free/web optional otrs2_5.0.16-1+deb9u3.debian.tar.xz
afcc90c2acb9e20840c4cc0ee64373f4 7052652 non-free/web optional otrs2_5.0.16-1+deb9u3_all.deb
7858e3e3ae32418b719d757077baf0ca 7244 non-free/web optional otrs2_5.0.16-1+deb9u3_amd64.buildinfo
0abb3bb7c1d2ce9ea18328413aa413a0 213116 non-free/web optional otrs_5.0.16-1+deb9u3_all.deb
-----BEGIN PGP SIGNATURE-----
=x7af
-----END PGP SIGNATURE-----
--- End Message ---
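One practical pitfall in this thread: the stretch-security package is 5.0.16-1+deb9u3, which is numerically below every upstream "fixed in" version in the CVE text (5.0.24, 4.0.26, 3.3.20) because Debian backported the fix instead of rebasing. A scanner that only compares the upstream version against the advisory thresholds will keep flagging a patched stretch host. The helper below is an added example written for this page, not Debian or OTRS tooling: it reimplements dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before anything) in pure Python so it runs where dpkg is absent, and decides "fixed" against the Debian security-update version when told the host is stretch, or against the per-branch upstream thresholds otherwise. The thresholds come from the bug report and changelog above; the `debian_stretch` flag and the function names are this example's own assumptions.

```python
"""Decide whether an installed OTRS version carries the CVE-2017-16664 fix.

Illustrative helper added to this bug log; not Debian or OTRS code.
Thresholds are the ones quoted in the bug report and changelog above.
"""

# Upstream releases that first contain the fix (CVE-2017-16664 text).
UPSTREAM_FIXED = {"5": "5.0.24", "4": "4.0.26", "3.3": "3.3.20"}
# Debian stretch-security package that backports the fix (changelog above).
DEBIAN_STRETCH_FIXED = "5.0.16-1+deb9u3"


def _order(ch):
    # dpkg character weighting: digits and end-of-string are 0, letters sort
    # by code point, '~' sorts before everything, other symbols after letters.
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into its three dpkg components."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0, ordered like `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed, debian_stretch=False):
    """True if `installed` is at or above the first version with the fix.

    On Debian stretch the upstream version stays 5.0.16 and the fix is a
    backport, so the upstream thresholds would wrongly call it vulnerable;
    compare against the security-update version instead (assumed flag).
    """
    if debian_stretch:
        return compare_versions(installed, DEBIAN_STRETCH_FIXED) >= 0
    upstream = _split(installed)[1]
    for branch, fixed in UPSTREAM_FIXED.items():
        if upstream == branch or upstream.startswith(branch + "."):
            return compare_versions(upstream, fixed) >= 0
    # Branches the advisory does not list (e.g. 6.x) are not decided here.
    raise ValueError("no CVE-2017-16664 threshold known for %r" % installed)


if __name__ == "__main__":
    for ver, stretch in [("3.3.9-1", False), ("5.0.16-1+deb9u3", False),
                         ("5.0.16-1+deb9u3", True), ("5.0.24", False)]:
        print(ver, "stretch" if stretch else "upstream", is_fixed(ver, stretch))
```

Run it on the versions from this log to see the disagreement: 5.0.16-1+deb9u3 is reported vulnerable by the upstream thresholds and fixed by the stretch-security one. For a real host, feed it `dpkg-query -W -f='${Version}' otrs2` and set the flag from the release the package came from.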