otrs2: CVE-2017-16664: OSA-2017-07: privilege escalation

Related Vulnerabilities: CVE-2017-16664   CVE-2017-15864  

Debian Bug report logs - #882370
otrs2: CVE-2017-16664: OSA-2017-07: privilege escalation


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 21 Nov 2017 20:57:10 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version otrs2/3.3.9-1

Fixed in versions otrs2/5.0.24-1, otrs2/5.0.16-1+deb9u3, otrs2/3.3.18-1+deb8u2

Done: Patrick Matthäi <pmatthaei@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#882370; Package src:otrs2. (Tue, 21 Nov 2017 20:57:12 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Tue, 21 Nov 2017 20:57:12 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: otrs2: CVE-2017-16664: OSA-2017-07: privilege escalation
Date: Tue, 21 Nov 2017 21:56:46 +0100
Source: otrs2
Version: 3.3.9-1
Severity: grave
Tags: patch security upstream fixed-upstream

Hi,

the following vulnerability was published for otrs2.

CVE-2017-16664[0]:
| Code injection exists in Kernel/System/Spelling.pm in Open Ticket
| Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before
| 3.3.20. In the agent interface, an authenticated remote attacker can
| execute shell commands as the webserver user via URL manipulation.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16664
[1] https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Wed, 22 Nov 2017 15:51:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 22 Nov 2017 15:51:05 GMT) (full text, mbox, link).


Message #10 received at 882370-close@bugs.debian.org (full text, mbox, reply):

From: Patrick Matthäi <pmatthaei@debian.org>
To: 882370-close@bugs.debian.org
Subject: Bug#882370: fixed in otrs2 5.0.24-1
Date: Wed, 22 Nov 2017 15:49:20 +0000
Source: otrs2
Source-Version: 5.0.24-1

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 22 Nov 2017 16:33:29 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 5.0.24-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 5)
 otrs2      - Open Ticket Request System
Closes: 882370
Changes:
 otrs2 (5.0.24-1) unstable; urgency=high
 .
   * New upstream release.
     - This fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is
       logged into OTRS as an agent can request special URLs from OTRS which can
       lead to the execution of shell commands with the permissions of the web
       server user.
       Closes: #882370
   * Merge 3.3.18-1+deb8u1, 3.3.18-1+deb8u2, 5.0.16-1+deb9u2, 5.0.16-1+deb9u3
     and 5.0.23-1~bpo9+1 changelog.
   * Use secure URI in debian/watch and for the homepage field.
   * Bump Standards-Version to 4.1.1 (no changes required).




Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Fri, 24 Nov 2017 11:03:09 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 24 Nov 2017 11:03:09 GMT) (full text, mbox, link).


Message #15 received at 882370-close@bugs.debian.org (full text, mbox, reply):

From: Patrick Matthäi <pmatthaei@debian.org>
To: 882370-close@bugs.debian.org
Subject: Bug#882370: fixed in otrs2 5.0.16-1+deb9u3
Date: Fri, 24 Nov 2017 11:02:07 +0000
Source: otrs2
Source-Version: 5.0.16-1+deb9u3

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 22 Nov 2017 15:16:23 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 5.0.16-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 5)
 otrs2      - Open Ticket Request System
Closes: 882370
Changes:
 otrs2 (5.0.16-1+deb9u3) stretch-security; urgency=high
 .
   * Add patch 17-CVE-2017-16664:
     This fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is
     logged into OTRS as an agent can request special URLs from OTRS which can
     lead to the execution of shell commands with the permissions of the web
     server user.
     Closes: #882370




Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Fri, 24 Nov 2017 11:03:11 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 24 Nov 2017 11:03:12 GMT) (full text, mbox, link).


Message #20 received at 882370-close@bugs.debian.org (full text, mbox, reply):

From: Patrick Matthäi <pmatthaei@debian.org>
To: 882370-close@bugs.debian.org
Subject: Bug#882370: fixed in otrs2 3.3.18-1+deb8u2
Date: Fri, 24 Nov 2017 11:02:23 +0000
Source: otrs2
Source-Version: 3.3.18-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 22 Nov 2017 15:03:02 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 3.3.18-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 3)
 otrs2      - Open Ticket Request System
Closes: 882370
Changes:
 otrs2 (3.3.18-1+deb8u2) jessie-security; urgency=high
 .
   * Add patch 16-OSA-2017-06 which fixes OSA-2017-06, also known as
     CVE-2017-15864: An attacker who is logged into OTRS as an agent can request
     special URLs from OTRS which can lead to the disclosure of any
     configuration information, including database credentials.
   * Add patch 17-OSA-2017-07 which fixes OSA-2017-07, also known as
     CVE-2017-16664: An attacker who is logged into OTRS as an agent can request
     special URLs from OTRS which can lead to the execution of shell commands
     with the permissions of the web server user.
     Closes: #882370




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Dec 2017 07:29:42 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:24:28 2019; Machine Name: beach
