otrs2: CVE-2017-17476: OSA-2017-10: Session hijacking

Related Vulnerabilities: CVE-2017-17476  

Debian Bug report logs - #884801

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 19 Dec 2017 20:24:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version otrs2/3.3.9-3

Fixed in versions otrs2/6.0.3-1, otrs2/3.3.18-1+deb8u4, otrs2/5.0.16-1+deb9u5

Done: Patrick Matthäi <pmatthaei@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#884801; Package src:otrs2. (Tue, 19 Dec 2017 20:24:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Tue, 19 Dec 2017 20:24:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: otrs2: OSA-2017-10: Session hijacking
Date: Tue, 19 Dec 2017 21:20:57 +0100
Source: otrs2
Version: 3.3.9-3
Severity: grave
Tags: patch security upstream

Hi

From https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/

> An attacker can send a specially prepared email to an OTRS system. If
> this system has cookie support disabled, and a logged in agent clicks a
> link in this email, the session information could be leaked to external
> systems, allowing the attacker to take over the agent’s session.

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#884801; Package src:otrs2. (Tue, 19 Dec 2017 20:39:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Matthäi <pmatthaei@debian.org>. (Tue, 19 Dec 2017 20:39:04 GMT)

Message #10 received at 884801@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 884801@bugs.debian.org
Subject: Re: Bug#884801: otrs2: OSA-2017-10: Session hijacking
Date: Tue, 19 Dec 2017 21:35:51 +0100
Control: retitle -1 otrs2: CVE-2017-17476: OSA-2017-10: Session hijacking 

Hi

On Tue, Dec 19, 2017 at 09:20:57PM +0100, Salvatore Bonaccorso wrote:
> Source: otrs2
> Version: 3.3.9-3
> Severity: grave
> Tags: patch security upstream
> 
> Hi
> 
> From https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
> 
> > An attacker can send a specially prepared email to an OTRS system. If
> > this system has cookie support disabled, and a logged in agent clicks a
> > link in this email, the session information could be leaked to external
> > systems, allowing the attacker to take over the agent’s session.

Ok, MITRE confirmed there is already a CVE for this one:
CVE-2017-17476.

Regards,
Salvatore


Changed Bug title to 'otrs2: CVE-2017-17476: OSA-2017-10: Session hijacking' from 'otrs2: OSA-2017-10: Session hijacking'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 884801-submit@bugs.debian.org. (Tue, 19 Dec 2017 20:39:04 GMT)

Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Wed, 20 Dec 2017 09:24:06 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 20 Dec 2017 09:24:06 GMT)

Message #17 received at 884801-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 884801-close@bugs.debian.org
Subject: Bug#884801: fixed in otrs2 6.0.3-1
Date: Wed, 20 Dec 2017 09:20:26 +0000
Source: otrs2
Source-Version: 6.0.3-1

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 884801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 20 Dec 2017 09:25:55 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 6.0.3-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 6)
 otrs2      - Open Ticket Request System
Closes: 884801
Changes:
 otrs2 (6.0.3-1) unstable; urgency=high
 .
   * New upstream release.
     - This fixes OSA-2017-10, also known as CVE-2017-17476: A session hijacking
       vulnerability.
       Closes: #884801
   * Merge 3.3.18-1+deb8u3, 3.3.18-1+deb8u4, 5.0.16-1+deb9u4 and 5.0.16-1+deb9u5
     changelog.
   * Bump Standards-Version to 4.1.2 (no changes required).
Checksums-Sha1:
 a1677d560237c175d4c30ef0c8ea5e17a3f83a5c 1789 otrs2_6.0.3-1.dsc
 75f10e8e42bc6e3e077a05d53fd8c07e879d0475 24314514 otrs2_6.0.3.orig.tar.bz2
 ca313c316b79392907e377660f43d77cf07a7cd2 28244 otrs2_6.0.3-1.debian.tar.xz
 0dc2801df2e3e82d32ba1adaca420465a1d5b70f 9504500 otrs2_6.0.3-1_all.deb
 e301e6fa41ddebdf2d0d62b94b4716a4d8c46edc 6077 otrs2_6.0.3-1_amd64.buildinfo
 e5a4842f79ead6b413df00bf764ad78fe9af2189 233812 otrs_6.0.3-1_all.deb
Checksums-Sha256:
 09648e0670f56e369ba99be8a7c3a9763eff618651a6b2eaa0ecbeb389ee860c 1789 otrs2_6.0.3-1.dsc
 de4ee3e0aa1e4501551fc7af4a45cdd2686e5be1a61a9ecf601aa1b61e821cfb 24314514 otrs2_6.0.3.orig.tar.bz2
 70b53e902126ff7c859e318105f8c116a47143be20ccaace62e801ba6011635e 28244 otrs2_6.0.3-1.debian.tar.xz
 ee40f0a94722d1da713e01cc8e01e5e865500f37dbc5e78f434abb894c68380a 9504500 otrs2_6.0.3-1_all.deb
 000cc127322695229918472ae63ceace251057e70463ad0ca1e2ca083d43fd2f 6077 otrs2_6.0.3-1_amd64.buildinfo
 6131539d671557cae0a525200c6e9b9354669142e86f767597910f562472142a 233812 otrs_6.0.3-1_all.deb
Files:
 3d906962101dc97e69089888de9deb41 1789 non-free/web optional otrs2_6.0.3-1.dsc
 32961cd15798e713ed65fc371789772c 24314514 non-free/web optional otrs2_6.0.3.orig.tar.bz2
 ad8e34382a18a50832972b28b073cec5 28244 non-free/web optional otrs2_6.0.3-1.debian.tar.xz
 ba0e073a4e53dcf03fe7edec6099a5c7 9504500 non-free/web optional otrs2_6.0.3-1_all.deb
 25298da8398360a259d01fe843bde397 6077 non-free/web optional otrs2_6.0.3-1_amd64.buildinfo
 9c44a6198485f81c8804102986fd6edc 233812 non-free/web optional otrs_6.0.3-1_all.deb

Marked as fixed in versions otrs2/3.3.18-1+deb8u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Dec 2017 11:57:02 GMT)

Marked as fixed in versions otrs2/5.0.16-1+deb9u5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Dec 2017 11:57:03 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Jan 2018 07:25:19 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:46:17 2019; Machine Name: buxtehude