1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2867-1] otrs2 security update

    From Salvatore Bonaccorso@1:229/2 to All on Sun Feb 23 21:50:01 2014
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2867-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso February 23, 2014 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : otrs2
    Vulnerability : several
    CVE ID : CVE-2014-1471 CVE-2014-1694

    Several vulnerabilities were discovered in otrs2, the Open Ticket
    Request System. The Common Vulnerabilities and Exposures project
    identifies the following problems:

    CVE-2014-1471

    Norihiro Tanaka reported missing challenge token checks. An attacker
    that managed to take over the session of a logged in customer could
    create tickets and/or send follow-ups to existing tickets due to
    these missing checks.

    CVE-2014-1694

    Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
    valid customer or agent login could inject SQL code through the
    ticket search URL.

    For the oldstable distribution (squeeze), these problems have been fixed in version 2.4.9+dfsg1-3+squeeze5.

    For the stable distribution (wheezy), these problems have been fixed in
    version 3.1.7+dfsg1-8+deb7u4.

    For the testing distribution (jessie) and the unstable distribution
    (sid), these problems have been fixed in version 3.3.4-1.

    We recommend that you upgrade your otrs2 packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJTClzdAAoJEAVMuPMTQ89EkjoP/RbBPM2R1xYqnVkV4Wf9njsJ IKTBGnER1miZ6PlDq6YCxKNkWTLBfflLf4AvpkX7kH6Frh19o6FJYxQ1/qvESfJh zuuOT2fi5b66C2XhYXzsAJ+0fCcnCJSrBcWB8vwhrCqICptwp4TzIQ5WAzBRB3pL cA/DRM/UgT+jZXb68cl27zOJL0D9E8MnOpSImrjh3+Sz3dgeG2UOmE8ZLcaGagDk 04dS5LDEOGRwIjC4+vKU113M4KWW5waP3PgChwBZwr3rjYFo69pZT619QYxoP70g mZtKem30AHBFflqDhhN4b5POtRGpq9WLH3iDNK7RO7DyeE2gs+QN5C5w6Anw8IgH 4ePu4gWwru4F3lCu6jRc06MKqxy35tJLZvcsQY/IOKhV3e1YxfmOuNqEk0VqWCEG rWwOrNaAcRGBE9FFLYsCSFCrkbkrkb/BP6Lz7QZrxRUhz23M1Qj6SKJr3zPX9FPc yCaKn+zhC7tW9gub7Ko0KPv4e5IQJBaBVnnx8ls2c71PQi1RZ9A6a2sdMi8Queir 3fzGK0+pxBcqX1OHHlU3/ScVAAZRBGvLcL8CY23l36wIJ0DSEfnkvQtIVlhk/axZ n40aczl/oAYzU4WmR7iESAA0eNYkUDiR3WyT66Df5Ipq0WXOk8P4826/fhkmM94J Qi2eEVijIJqIo/HjZ51Z
    =/RNB
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)