Your message dated Sun, 24 Dec 2017 13:06:19 +0000
with message-id <e1et5yt-0006oq...@fasolo.debian.org>
and subject line Bug#883774: fixed in otrs2 5.0.16-1+deb9u4
has caused the Debian Bug report #883774,
regarding otrs2: CVE-2017-16921: Remote code execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
883774: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883774
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: otrs2
Version: 5.0.16-1
Severity: grave
Tags: patch security upstream
Control: found -1 3.3.9-3

Hi,

the following vulnerability was published for otrs2.

The issue is related to improper handling of PGP parameters, as such I
think the issue is present in the 3.3.x series as well (it is not
mentioned in the advisories since the 3.3.x series is not supported
upstream anymore).

CVE-2017-16921[0]:
OSA-2017-09: Remote code execution

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16921
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16921
[1] https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: otrs2
Source-Version: 5.0.16-1+deb9u4

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 07 Dec 2017 13:51:47 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 5.0.16-1+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 5)
 otrs2      - Open Ticket Request System
Closes: 883774
Changes:
 otrs2 (5.0.16-1+deb9u4) stretch-security; urgency=high
 .
   * Add patch 19-CVE-2017-16921:
     This fixes OSA-2017-09, also known as CVE-2017-16921: An attacker who is
     logged into OTRS as an agent can manipulate form parameters and execute
     arbitrary shell commands with the permissions of the OTRS or web server
     user.
     Closes: #883774
   * Add patch 18-CVE-2017-16854:
     This fixes OSA-2017-08, also known as CVE-2017-16854: An attacker who is
     logged into OTRS as a customer can use the ticket search form to disclose
     internal article information of their customer tickets.
Checksums-Sha1:
 b90b280cfba8c0d3fd997e90e7f21eb567c629f4 1838 otrs2_5.0.16-1+deb9u4.dsc
 7eeec0cc2589a7f60b1ab667a68f3de8dfdcb69f 52152 otrs2_5.0.16-1+deb9u4.debian.tar.xz
 f58783ec93abcd393a358faaac83018bf07c3250 7053752 otrs2_5.0.16-1+deb9u4_all.deb
 17489cbc3e469f5e0481b47c2f2cb44d2745d76d 7279 otrs2_5.0.16-1+deb9u4_amd64.buildinfo
 ec45137c9b38e67d5be87a7c95a46240e1d1bb45 213212 otrs_5.0.16-1+deb9u4_all.deb
Checksums-Sha256:
 87a516cb0f449aee5fd11e4b5d152c1631211ea9a713582d58df1aaad2318832 1838 otrs2_5.0.16-1+deb9u4.dsc
 39c63d62e493170b47feef78be0f38100c5717838fb7c375ad30b1cc583a431a 52152 otrs2_5.0.16-1+deb9u4.debian.tar.xz
 5962af54dabba02c7eedb70f4bb9031d9a5ed469b7aae9454dba1f845adccb85 7053752 otrs2_5.0.16-1+deb9u4_all.deb
 3c0e68d4afdcff7c50d77abc7eed1a8f9b8aaa73ac0e25fcbe6850ab88b9709c 7279 otrs2_5.0.16-1+deb9u4_amd64.buildinfo
 28a297166d8f728edd2fe9612dc81cf51b609ad8ca1259f41dc93beb950a08e1 213212 otrs_5.0.16-1+deb9u4_all.deb
Files:
 62fe6b57e57280b0b680a6a97490dd31 1838 non-free/web optional otrs2_5.0.16-1+deb9u4.dsc
 bbdc224d8646474decab84dc81afbe45 52152 non-free/web optional otrs2_5.0.16-1+deb9u4.debian.tar.xz
 75733df4f0b955d9e133cbc330818b7e 7053752 non-free/web optional otrs2_5.0.16-1+deb9u4_all.deb
 4bf2258579e06ffc2855a6e2a29fa5bf 7279 non-free/web optional otrs2_5.0.16-1+deb9u4_amd64.buildinfo
 eca8a54d47f6bf2166ae1a53a435b989 213212 non-free/web optional otrs_5.0.16-1+deb9u4_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
