
Re: Fwd: Re: [Ticket#2017092834000757] Bug#876462: otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS

On 29.09.2017 at 19:51, Markus Koschany wrote:
> On 29.09.2017 at 12:11, Markus Koschany wrote:
>> On 29.09.2017 at 10:10, Patrick Matthäi wrote:
>> [...]
>>> old-old-stable: You can use my work based on jessie, but there are some
>>> problems I see:
>>> - you have to drop the libjs-jquery-ui dependency, the removal of it in
>>> debian/rules, links in otrs2.links, patch 12 and 13, maybe more..
>>> - fonts-font-awesome is not in oos, so same as for libjs-jquery (rules,
>>> links and so on)
>>> I hope this is enough to get it to work.
>> Thank you for working on CVE-2017-14635. I have come to the conclusion
>> that it is simpler and less intrusive to rebase the patches for 3.1.17
>> in Wheezy than to upgrade to the latest patch level because of the
>> reasons you have mentioned above. But the rest makes sense and I think
>> the security team will follow up on that.
> Hi,
> It turned out that the patches are incomplete and adding new statistics
> doesn't work anymore. I could fix one obvious error message from
> Apache's error.log but there is only very little information for
> debugging the issue. Next I tried 3.3.18 with your changes. After fixing
> the aforementioned issues the MySQL database update fails like that:
> applying upgrade script for 3.1.7+dfsg1-8+deb7u6 -> 3.2.0
> Trying to connect to database
> Connected
> Your storage engine is InnoDB
> These tables use a different storage engine
> [List of tables]
> Apparently version 3.1.7 used the MyISAM engine which now conflicts with
> the new default InnoDB database. I know how it could be fixed by hand
> but I don't think this is the recommended Debian way. Have you
> encountered such a problem before? It is probably related to the files
> in debian/schema, a missing patch or a maintainer script. Any ideas?
From README.Debian:
 Upgrading to MySQL >= 5.5:
 --------------------------

 Since MySQL 5.5 changed its default storage engine from MyISAM to InnoDB you
 might encounter problems on upgrading OTRS from the
 'otrs.Console.pl Maint::Database::Check' script.

 Here you will find additional notes about this problem:
     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707075

 Here you will find a possible solution:

This issue gave me headaches in the past. #690306 is also related to
that. There wasn't a clean Debian-only way without causing headaches for
sysadmins. On the other hand, if they upgrade to jessie later they will
trigger this again.

With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatthaei@debian.org
