On 28.09.2017 at 16:23, Markus Koschany wrote:
> On 28.09.2017 at 12:55, Patrick Matthäi wrote:
>> Uff, that is quite a lot :/
>>
>>
>>
>> -------- Forwarded Message --------
>> Subject: Re: [Ticket#2017092834000757] Bug#876462: otrs2:
>> CVE-2017-14635: Code Injection / Privilege Escalation OTRS
>> Date: Thu, 28 Sep 2017 10:15:49 +0000
>> From: Dusan Vuckovic via OTRS Security Team <security@otrs.org>
>> Organisation: OTRS AG
>> To: pmatthaei@debian.org
>>
>>
>>
>> Hello Patrick,
>>
>> all related commits for OTRS 5 fix regarding this vulnerability are
>> listed below:
>>
>> * https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85
>> * https://github.com/OTRS/otrs/commit/00bcc89dc2443b5d8b34a0908e224373926aa618
>> * https://github.com/OTRS/otrs/commit/b69c2533c951fa72bfe238f255ce76352f054897
>> * https://github.com/OTRS/otrs/commit/b92ec17196ac3e1fdcab40fbb16dbb602d5d52b5
>>
>> However, to avoid unwanted side effects, we recommend a complete update.
>>
> [...]
>
> Yesterday I also sent an e-mail to security@otrs.org and got a reply
> from Jens Bothe. He confirmed to me that
>
> https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85
>
> is the fix for CVE-2017-14635. I assume the other commits are not
> strictly needed to fix the issue but are general improvements and bug
> fixes. However he also suggested to upgrade to the latest patch level.
> In case of Wheezy that would be 3.3.18. Since OTRS is a web application
> I'm going to find out which approach makes more sense. For Sid/Buster we
> can just package the latest upstream release.
>
> Regards,
>
> Markus
>
OK, so we have:
sid: fixed
testing: vuln => fixed after migration
stable: I have prepared 5.0.16-1+deb9u2; if it is OK I would upload it
(see stretch.diff.gz)
old-stable: there are many patches based on these changes, so I would
also prefer an update to the latest 3.3.x for jessie, like in wheezy. I
have prepared a 3.3.18-x for Jessie, see jessie-3.3-update.diff.gz. It
builds and "should" work, but I cannot test it now.
old-old-stable: you can use my work based on jessie, but there are some
problems I see:
- you have to drop the libjs-jquery-ui dependency, the removal of it in
debian/rules, links in otrs2.links, patches 12 and 13, maybe more..
- fonts-font-awesome is not in oos, so same as for libjs-jquery (rules,
links and so on)
I hope this is enough to get it working.
--
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi
GNU/Linux Debian Developer
Blog: http://www.linux-dev.org/
E-Mail: pmatthaei@debian.org
patrick@linux-dev.org
*/
Attachment:
jessie-3.3-update.diff.gz
Description: GNU Zip compressed data
Attachment:
stretch.diff.gz
Description: GNU Zip compressed data
Attachment:
signature.asc
Description: OpenPGP digital signature
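The "maybe more.." in the old-old-stable notes above is the part that bites when rebasing a backport onto a release that lacks a dependency: a reference to the dropped package can hide in debian/control, debian/rules, the .links file or a quilt patch. The script below is an added example, not code from the thread or from the otrs2 package; it greps a Debian source tree's debian/ directory for every mention of a package being dropped (and of the upstream asset name it normally stands for, e.g. jquery-ui for libjs-jquery-ui) and fails if anything is left. The sample tree it builds, including the file contents and otrs paths, is constructed for the demo and is not the real otrs2 packaging.

```shell
#!/bin/sh
# Added example: find leftover references to packages that a backport drops.
# Not part of the otrs2 package; file contents below are constructed samples.
set -eu

# find_stale_refs TREE PKG...
# Prints "file:line:text" for every reference to PKG (or to its upstream
# asset name, e.g. jquery-ui / font-awesome) under TREE/debian.
# Returns 0 when the tree is clean, 1 when at least one reference remains.
find_stale_refs() {
    tree=$1; shift
    hits=0
    for pkg in "$@"; do
        # "libjs-jquery-ui" -> also match "jquery-ui"; "fonts-font-awesome" -> "font-awesome"
        asset=$(printf '%s' "$pkg" | sed -e 's/^libjs-//' -e 's/^fonts-//')
        if grep -rnE -- "$pkg|$asset" "$tree/debian"; then
            hits=1
        fi
    done
    return $hits
}

# make_sample_tree: builds a constructed debian/ directory that still carries
# the two dependencies named in the thread, and prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/debian/patches"
    printf 'Package: otrs2\nDepends: libjs-jquery, libjs-jquery-ui, fonts-font-awesome\n' \
        > "$dir/debian/control"
    # assumed path for the bundled copy that the package removes in favour of the system one
    printf 'override_dh_install:\n\trm -rf debian/otrs2/usr/share/otrs/var/httpd/htdocs/js/thirdparty/jquery-ui\n' \
        > "$dir/debian/rules"
    printf 'usr/share/javascript/jquery-ui usr/share/otrs/var/httpd/htdocs/js/thirdparty/jquery-ui\n' \
        > "$dir/debian/otrs2.links"
    printf '12-foo.patch\n13-bar.patch\n' > "$dir/debian/patches/series"
    printf '%s\n' "$dir"
}

# make_clean_tree: same layout with the references already removed.
make_clean_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/debian/patches"
    printf 'Package: otrs2\nDepends: libjs-jquery\n' > "$dir/debian/control"
    printf 'override_dh_install:\n\ttrue\n' > "$dir/debian/rules"
    : > "$dir/debian/otrs2.links"
    printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    find_stale_refs "$tree" libjs-jquery-ui fonts-font-awesome \
        || echo "stale references found above; fix them before building"
fi
```

Run it on a real checkout with `find_stale_refs /path/to/otrs2-3.3.18 libjs-jquery-ui fonts-font-awesome` after unpacking the source; a non-zero exit means the rebase is not done yet. It only looks under debian/, so a leftover symlink target outside the packaging (e.g. in a patched upstream file) still needs a build-and-install check.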