[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: Re: [Ticket#2017092834000757] Bug#876462: otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS

Am 29.09.2017 um 12:11 schrieb Markus Koschany:
> Am 29.09.2017 um 10:10 schrieb Patrick Matthäi:
> [...]
>> old-old-stable: You can use my work based on jessie, but there are some
>> problems I see:
>> - you have to drop the libjs-jquery-ui dependency, the removal of it in
>> debian/rules, links in otrs2.links, patch 12 and 13, maybe more..
>> - fonts-font-awesome is not in oos, so same as for libjs-jquery (rules,
>> links and so on)
>> I hope this is enough to get it work.
> Thank you for working on CVE-2017-14635. I have come to the conclusion
> that it is simpler and less intrusive to rebase the patches for 3.1.17
> in Wheezy than to upgrade to the latest patch level because of the
> reasons you have mentioned above. But the rest makes sense and I think
> the security team will follow up on that.


It turned out that the patches are incomplete and adding new statistics
doesn't work anymore. I could fix one obvious error message from
Apache's error.log but there is only very little information for
debugging the issue. Next I tried 3.3.18 with your changes. After fixing
the aforementioned issues the MySQL database update fails like that:

applying upgrade script for 3.1.7+dfsg1-8+deb7u6 -> 3.2.0
Trying to connect to database
Your storage engine is InnoDB
These tables use a different storage engine

[List of tables]

Apparently version 3.1.7 used the MyISAM engine which now conflicts with
the new default InnoDB database. I know how it could be fixed by hand
but I don't think this is the recommended Debian way. Do you have
encountered such a problem before? It is probably related to the files
in debian/schema, a missing patch or a maintainer script. Any ideas?



Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: