On 28.09.2017 at 16:23, Markus Koschany wrote:
> On 28.09.2017 at 12:55, Patrick Matthäi wrote:
>> Uff, that is pretty much :/
>>
>> -------- Forwarded Message --------
>> Subject: Re: [Ticket#2017092834000757] Bug#876462: otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS
>> Date: Thu, 28 Sep 2017 10:15:49 +0000
>> From: Dusan Vuckovic via OTRS Security Team <security@otrs.org>
>> Organisation: OTRS AG
>> To: pmatthaei@debian.org
>>
>> Hello Patrick,
>>
>> all related commits for the OTRS 5 fix regarding this vulnerability are
>> listed below:
>>
>> * https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85
>> * https://github.com/OTRS/otrs/commit/00bcc89dc2443b5d8b34a0908e224373926aa618
>> * https://github.com/OTRS/otrs/commit/b69c2533c951fa72bfe238f255ce76352f054897
>> * https://github.com/OTRS/otrs/commit/b92ec17196ac3e1fdcab40fbb16dbb602d5d52b5
>>
>> However, to avoid unwanted side effects, we recommend a complete update.
>>
> [...]
>
> Yesterday I also sent an e-mail to security@otrs.org and got a reply
> from Jens Bothe. He confirmed to me that
>
> https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85
>
> is the fix for CVE-2017-14635. I assume the other commits are not
> strictly needed to fix the issue but are general improvements and bug
> fixes. However, he also suggested upgrading to the latest patch level.
> In case of Wheezy that would be 3.3.18. Since OTRS is a web application
> I'm going to find out which approach makes more sense. For Sid/Buster we
> can just package the latest upstream release.
>
> Regards,
>
> Markus
>

ok, so we have:

sid: fixed
testing: vuln => fixed after migration
stable: I have prepared 5.0.16-1+deb9u2, if it is ok I would upload it (see stretch.diff.gz)
old-stable: there are many patches based on these changes. So I also would prefer an update to the latest 3.3.x for jessie, like in wheezy.
I have prepared a 3.3.18-x for Jessie, see jessie-3.3-update.diff.gz. It builds and "should" work, but I cannot test it now.
old-old-stable: You can use my work based on jessie, but there are some problems I see:
- you have to drop the libjs-jquery-ui dependency, the removal of it in debian/rules, links in otrs2.links, patch 12 and 13, maybe more...
- fonts-font-awesome is not in oos, so same as for libjs-jquery (rules, links and so on)

I hope this is enough to get it working.

--
/*
Mit freundlichem Gruß / With kind regards,

Patrick Matthäi
GNU/Linux Debian Developer

Blog: http://www.linux-dev.org/
E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org
*/
Attachment:
jessie-3.3-update.diff.gz
Description: GNU Zip compressed data
Attachment:
stretch.diff.gz
Description: GNU Zip compressed data
Attachment:
signature.asc
Description: OpenPGP digital signature