Your message dated Fri, 24 Nov 2017 11:02:23 +0000
with message-id <e1eibkv-000gmz...@fasolo.debian.org>
and subject line Bug#882370: fixed in otrs2 3.3.18-1+deb8u2
has caused the Debian Bug report #882370,
regarding otrs2: CVE-2017-16664: OSA-2017-07: privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: otrs2
Version: 3.3.9-1
Severity: grave
Tags: patch security upstream fixed-upstream

Hi,

the following vulnerability was published for otrs2.

CVE-2017-16664[0]:
| Code injection exists in Kernel/System/Spelling.pm in Open Ticket
| Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before
| 3.3.20. In the agent interface, an authenticated remote attacker can
| execute shell commands as the webserver user via URL manipulation.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16664
[1] https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: otrs2
Source-Version: 3.3.18-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 22 Nov 2017 15:03:02 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 3.3.18-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 3)
 otrs2      - Open Ticket Request System
Closes: 882370
Changes:
 otrs2 (3.3.18-1+deb8u2) jessie-security; urgency=high
 .
   * Add patch 16-OSA-2017-06 which fixes OSA-2017-06, also known as
     CVE-2017-15864: An attacker who is logged into OTRS as an agent can request
     special URLs from OTRS which can lead to the disclosure of any
     configuration information, including database credentials.
   * Add patch 17-OSA-2017-07 which fixes OSA-2017-07, also known as
     CVE-2017-16664: An attacker who is logged into OTRS as an agent can request
     special URLs from OTRS which can lead to the execution of shell commands
     with the permissions of the web server user.
     Closes: #882370

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
