On 28.09.2017 at 12:55, Patrick Matthäi wrote:
> Uff, that is pretty much :/
>
>
> -------- Forwarded message --------
> Subject: Re: [Ticket#2017092834000757] Bug#876462: otrs2: CVE-2017-14635: Code Injection / Privilege Escalation OTRS
> Date: Thu, 28 Sep 2017 10:15:49 +0000
> From: Dusan Vuckovic via OTRS Security Team <security@otrs.org>
> Organization: OTRS AG
> To: pmatthaei@debian.org
>
>
> Hello Patrick,
>
> all related commits for the OTRS 5 fix regarding this vulnerability are
> listed below:
>
> * https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85
> * https://github.com/OTRS/otrs/commit/00bcc89dc2443b5d8b34a0908e224373926aa618
> * https://github.com/OTRS/otrs/commit/b69c2533c951fa72bfe238f255ce76352f054897
> * https://github.com/OTRS/otrs/commit/b92ec17196ac3e1fdcab40fbb16dbb602d5d52b5
>
> However, to avoid unwanted side effects, we recommend a complete update.
> [...]

Yesterday I also sent an e-mail to security@otrs.org and got a reply from Jens Bothe. He confirmed to me that https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85 is the fix for CVE-2017-14635. I assume the other commits are not strictly needed to fix the issue but are general improvements and bug fixes. However, he also suggested upgrading to the latest patch level. In the case of Wheezy that would be 3.3.18. Since OTRS is a web application, I'm going to find out which approach makes more sense. For Sid/Buster we can just package the latest upstream release.

Regards,
Markus