otrs2: CVE-2016-9139

Related Vulnerabilities: CVE-2016-9139  

Debian Bug report logs - #843091
otrs2: CVE-2016-9139


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 3 Nov 2016 18:51:05 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version otrs2/3.3.9-1

Fixed in version otrs2/5.0.14-1

Done: Patrick Matthäi <pmatthaei@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#843091; Package src:otrs2. (Thu, 03 Nov 2016 18:51:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Thu, 03 Nov 2016 18:51:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: otrs2: CVE-2016-9139
Date: Thu, 03 Nov 2016 19:48:58 +0100
Source: otrs2
Version: 3.3.9-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for otrs2.

CVE-2016-9139[0]:
|An attacker could trick an authenticated agent or customer into opening
|a malicious attachment which could lead to the execution of JavaScript
|in OTRS context

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9139
[1] https://www.otrs.com/security-advisory-2016-02-security-update-otrs/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#843091; Package src:otrs2. (Thu, 03 Nov 2016 20:09:09 GMT)


Acknowledgement sent to Patrick Matthäi <pmatthaei@debian.org>:
Extra info received and forwarded to list. (Thu, 03 Nov 2016 20:09:09 GMT)


Message #10 received at 843091@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 843091@bugs.debian.org
Subject: Re: Bug#843091: otrs2: CVE-2016-9139
Date: Thu, 3 Nov 2016 21:06:55 +0100
On 03.11.2016 at 19:48, Salvatore Bonaccorso wrote:
> Source: otrs2
> Version: 3.3.9-1
> Severity: important
> Tags: security upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for otrs2.
>
> CVE-2016-9139[0]:
> |An attacker could trick an authenticated agent or customer into opening
> |a malicious attachment which could lead to the execution of JavaScript
> |in OTRS context
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9139
> [1] https://www.otrs.com/security-advisory-2016-02-security-update-otrs/
>
> Please adjust the affected versions in the BTS as needed.
>

Hi,

yeah already saw it and stable is affected also. Upstream says the
severity is low and I also would say IMHO that this is no candidate for
a jessie security update. What do you think?



Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Wed, 09 Nov 2016 10:39:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 09 Nov 2016 10:39:17 GMT)


Message #15 received at 843091-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 843091-close@bugs.debian.org
Subject: Bug#843091: fixed in otrs2 5.0.14-1
Date: Wed, 09 Nov 2016 10:36:44 +0000
Source: otrs2
Source-Version: 5.0.14-1

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 843091@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 09 Nov 2016 10:06:51 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 5.0.14-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 5)
 otrs2      - Open Ticket Request System
Closes: 843091
Changes:
 otrs2 (5.0.14-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes CVE-2016-9139, also known as OSA-2016-02: An attacker could trick
       an authenticated agent or customer into opening a malicious attachment
       which could lead to the execution of JavaScript in OTRS context.
       Closes: #843091
   * Adjust lintian overrides.





Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#843091; Package src:otrs2. (Wed, 09 Nov 2016 11:39:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Matthäi <pmatthaei@debian.org>. (Wed, 09 Nov 2016 11:39:02 GMT)


Message #20 received at 843091@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Patrick Matthäi <pmatthaei@debian.org>, 843091@bugs.debian.org
Subject: Re: Bug#843091: otrs2: CVE-2016-9139
Date: Wed, 9 Nov 2016 12:33:53 +0100
Hi Patrick,

On Thu, Nov 03, 2016 at 09:06:55PM +0100, Patrick Matthäi wrote:
> On 03.11.2016 at 19:48, Salvatore Bonaccorso wrote:
> > Source: otrs2
> > Version: 3.3.9-1
> > Severity: important
> > Tags: security upstream fixed-upstream
> >
> > Hi,
> >
> > the following vulnerability was published for otrs2.
> >
> > CVE-2016-9139[0]:
> > |An attacker could trick an authenticated agent or customer into opening
> > |a malicious attachment which could lead to the execution of JavaScript
> > |in OTRS context
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-9139
> > [1] https://www.otrs.com/security-advisory-2016-02-security-update-otrs/
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> 
> Hi,
> 
> yeah already saw it and stable is affected also. Upstream says the
> severity is low and I also would say IMHO that this is no candidate for
> a jessie security update. What do you think?

Yes, agreed. I think it would be enough to fix this issue via the
upcoming point release, and it does not warrant a DSA on its own.

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 09:45:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:40:05 2019; Machine Name: buxtehude
