[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: Re: [Ticket#2017092834000757] Bug#876462: otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS

Am 28.09.2017 um 12:55 schrieb Patrick Matthäi:
> Uff, that is pretty much :/
> -------- Weitergeleitete Nachricht --------
> Betreff: 	Re: [Ticket#2017092834000757] Bug#876462: otrs2:
> CVE-2017-14635: Code Injection / Privilege Escalation OTRS
> Datum: 	Thu, 28 Sep 2017 10:15:49 +0000
> Von: 	Dusan Vuckovic via OTRS Security Team <security@otrs.org>
> Organisation: 	OTRS AG
> An: 	pmatthaei@debian.org
> Hello Patrick,
> all related commits for OTRS 5 fix regarding this vulnerability are
> listed below:
>   * https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85
>   * https://github.com/OTRS/otrs/commit/00bcc89dc2443b5d8b34a0908e224373926aa618
>   * https://github.com/OTRS/otrs/commit/b69c2533c951fa72bfe238f255ce76352f054897
>   * https://github.com/OTRS/otrs/commit/b92ec17196ac3e1fdcab40fbb16dbb602d5d52b5
> However, to avoid unwanted side effects, we recommend a complete update.


Yesterday I also sent an e-mail to security@otrs.org and got a reply
from Jens Bothe. He confirmed to me that


is the fix for CVE-2017-14635. I assume the other commits are not
strictly needed to fix the issue but are general improvements and bug
fixes. However he also suggested to upgrade to the latest patch level.
In case of Wheezy that would be 3.3.18. Since OTRS is a web application
I'm going to find out which approach makes more sense. For Sid/Buster we
can just package the latest upstream release.



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: