[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: Re: [Ticket#2017092834000757] Bug#876462: otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS

Am 30.09.2017 um 21:24 schrieb Patrick Matthäi:
> Oh yeah this ugly issue / change..
> @security team:
> IMHO we have got onl the two options to remove support for otrs2 in oos
> or to update it to the most recent 3.3.x version. I know many companies
> who are using the offical Debian packages from otrs, but yeah not the
> wheezy one anymore ;)So we should took the risk to update to 3.3.x
> upstream, the upgrade path from < 3.3x to >= 3.3.x is ugly for most
> MySQL users, because of the old default storage engine. But realy I do
> not realy care about users which would yell about that now about 4 years..

Adding the security team to CC again.

I have released the OTRS update for Wheezy. The Jessie update must use a
version number which is > 3.3.18-1~deb7u1 now. I also recommend to
upgrade to the latest supported upstream release of OTRS3.

There was another issue with the maintenance mode when I upgraded from
3.1.17 to 3.3.18. I had to remove the maintenance.html files in
/etc/otrs/ and /var/lib/otrs/httpd/htdocs to be able to log into OTRS
again. I didn't want to mess with these files but I documented this step
in README.Debian.

Just FYI: I came across the official OTRS documentation and saw that
they recommend against using the official Debian packages. [1] Maybe
this should be discussed with them.




Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: