
Re: Fwd: Re: [Ticket#2017092834000757] Bug#876462: otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS




On 29.09.2017 at 19:51, Markus Koschany wrote:
> On 29.09.2017 at 12:11, Markus Koschany wrote:
>> On 29.09.2017 at 10:10, Patrick Matthäi wrote:
>> [...]
>>> old-old-stable: You can use my work based on jessie, but there are some
>>> problems I see:
>>> - you have to drop the libjs-jquery-ui dependency, the removal of it in
>>> debian/rules, links in otrs2.links, patch 12 and 13, maybe more..
>>> - fonts-font-awesome is not in oos, so same as for libjs-jquery (rules,
>>> links and so on)
>>>
>>> I hope this is enough to get it to work.
>> Thank you for working on CVE-2017-14635. I have come to the conclusion
>> that it is simpler and less intrusive to rebase the patches for 3.1.17
>> in Wheezy than to upgrade to the latest patch level because of the
>> reasons you have mentioned above. But the rest makes sense and I think
>> the security team will follow up on that.
> Hi,
>
> It turned out that the patches are incomplete and adding new statistics
> doesn't work anymore. I could fix one obvious error message from
> Apache's error.log but there is only very little information for
> debugging the issue. Next I tried 3.3.18 with your changes. After fixing
> the aforementioned issues the MySQL database update fails like that:
>
> applying upgrade script for 3.1.7+dfsg1-8+deb7u6 -> 3.2.0
> Trying to connect to database
> Connected
> Your storage engine is InnoDB
> These tables use a different storage engine
>
> [List of tables]
>
> Apparently version 3.1.7 used the MyISAM engine which now conflicts with
> the new default InnoDB database. I know how it could be fixed by hand
> but I don't think this is the recommended Debian way. Have you
> encountered such a problem before? It is probably related to the files
> in debian/schema, a missing patch or a maintainer script. Any ideas?
>
From README.Debian:
```
Upgrading to MySQL >= 5.5:
--------------------------

Since MySQL 5.5 changed its default storage engine from MyISAM to InnoDB you
might encounter problems on upgrading OTRS from the
'otrs.Console.pl Maint::Database::Check' script.

Here you will find additional notes about this problem:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707075

Here you will find a possible solution:
    http://blog.otrs.org/2013/02/20/about-otrs-mysql-myisam-and-innodb-storage-engines/
```

This issue gave me headaches in the past. #690306 is also related to
that. There wasn't a clean Debian-only way without causing headaches for
sysadmins. On the other hand, if they upgrade to jessie later they will
trigger this again.

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org
*/


Attachment: signature.asc
Description: OpenPGP digital signature
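The failure Markus quotes above (the upgrade script finding tables that use a different storage engine than the InnoDB default) is resolved by moving the remaining MyISAM tables to InnoDB by hand before the package upgrade. The script below is an added example written for this page; it is not code from the otrs2 package, from OTRS, or from either author of the thread. It assumes the OTRS schema is named `otrs` (override with `OTRS_DB`), that `mysql` and `mysqldump` authenticate through `~/.my.cnf`, and that Apache and the OTRS scheduler are stopped while the tables are rewritten; all three are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not part of the otrs2 package or OTRS: find the tables of
# the OTRS schema that still use MyISAM (or any other non-InnoDB engine)
# and rewrite them as InnoDB so that the Debian upgrade script's engine
# check passes.
#
# Assumptions (hypothetical defaults for this illustration): the schema is
# called "otrs", mysql/mysqldump read credentials from ~/.my.cnf, and
# nothing is writing to the database while the conversion runs.

DB="${OTRS_DB:-otrs}"

# Read "table<TAB>engine" lines on stdin and print one ALTER TABLE statement
# per table whose engine is not already InnoDB. Table names are backtick
# quoted; a backtick inside a name is doubled, as MySQL requires.
innodb_alter_stmts() {
    awk -F '\t' -v db="$1" '
        NF >= 2 && $2 != "InnoDB" {
            name = $1
            gsub(/`/, "``", name)
            printf "ALTER TABLE `%s`.`%s` ENGINE=InnoDB;\n", db, name
        }'
}

# Ask information_schema for the engine of every base table in the schema.
# -N drops the header row, -B gives tab-separated output for awk above.
# Views are excluded: they have no engine and cannot be altered this way.
list_table_engines() {
    mysql -N -B -e "SELECT table_name, engine
                    FROM information_schema.tables
                    WHERE table_schema = '$1'
                      AND table_type = 'BASE TABLE'"
}

# Full procedure: dump the database first (the dump is the rollback path),
# then feed the generated statements to mysql in one session. Read the
# statements before running this; every ALTER rewrites the whole table.
convert_otrs_to_innodb() {
    dump="otrs-before-innodb-$(date +%Y-%m-%d).sql"
    mysqldump "$DB" > "$dump" || return 1
    list_table_engines "$DB" | innodb_alter_stmts "$DB" | mysql "$DB"
}

# Print what would be run without touching the database.
preview_otrs_conversion() {
    list_table_engines "$DB" | innodb_alter_stmts "$DB"
}
```

Run `preview_otrs_conversion` first and read the output; `convert_otrs_to_innodb` then takes a dump and applies the statements. Rewriting a large ticket or article table takes time and needs free disk space roughly equal to the table being copied, so do it in a maintenance window. One caveat worth checking up front: if a MyISAM table carries a FULLTEXT index, the ALTER fails on MySQL 5.5, because InnoDB only gained FULLTEXT support in MySQL 5.6. Once `preview_otrs_conversion` prints nothing, re-run the package's database check named in README.Debian before applying the security update.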

