[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 2198-1] otrs2 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : otrs2
Version        : 3.3.18-1+deb8u15
CVE ID         : CVE-2020-1770 CVE-2020-1772 CVE-2020-1774


Several vulnerabilities have been discovered in otrs2 (Open source
Ticket Request System)

CVE-2020-1770

    Support bundle generated files could contain sensitive information
    that might be unwanted to be disclosed.

CVE-2020-1772

    It’s possible to craft Lost Password requests with wildcards in the
    Token value, which allows attacker to retrieve valid Token(s),
    generated by users which already requested new passwords.

CVE-2020-1774

    When user downloads PGP or S/MIME keys/certificates, exported file
    has same name for private and public keys. Therefore it’s possible
    to mix them and to send private key to the third-party instead of
    public key.

For Debian 8 "Jessie", these problems have been fixed in version
3.3.18-1+deb8u15.

We recommend that you upgrade your otrs2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl6rt2gACgkQhj1N8u2c
KO+YXhAAgnXXnXFYtuAw3PfGIbA0VUcIEu3gZAKM/ahCFaILZaN8xN3QFHM84yiH
HAjWH/b+PITvCG81TNcO6xn7DAHsVL3rk1+tmg0TY4rBfo9zfdQHP9CXCxf5GClM
4tUt7X2YishqF/kGgQ2fcEC1bLnghWSMVMQ985WTCyP1AwHlc+0SjHhoU8ABhAiE
ct4w8hxWlvqMsYF8rf1dIBCWoFQUB50PdB6asjCrOEznMn6wNSOsuM9EXszQpSGk
Mho07Syxctmts0FPfMYvBg9eI/5x+tCXMHfKs1pCrmRermlaCEiLLhMznjv0yQdg
zulqMKlqt1+FIwklntY8CptFXDNZpFiuIBFziIiWKHYS6KBXON00K9rbdDd2fluQ
CMFjWnRzxkj1zuzlXNRqXOd1VCy1P+JpsYJ8SO1uL36UiZbjregS3d750yZ8f8MZ
WkuK34hrG666BnBbSnafcvqd9mwkSd1OdekTOt0w2wZMCNSDX4nzFKGd2zFU0lFE
HCDkBCi8mBEHWnyufV0ndIYj93dpD4ssLmjEKQpESXhxZY+nnDLZatigtaSus91P
Ual4R1U9Cy/z0XB3aUiuXUIqijEq+DjDoBlsrL3yD7KkXEz+dH0GqPJmZa7+wcol
uS6j2JzZYB5eM7lJUzljNumN5gI1etnMIXKcx1QKHBCQbiBCXgE=
=QvxW
-----END PGP SIGNATURE-----


Reply to: