Your message dated Wed, 22 Nov 2017 15:49:20 +0000
with message-id <e1ehxh6-0007wd...@fasolo.debian.org>
and subject line Bug#882370: fixed in otrs2 5.0.24-1
has caused the Debian Bug report #882370,
regarding otrs2: CVE-2017-16664: OSA-2017-07: privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882370: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882370
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: otrs2
Version: 3.3.9-1
Severity: grave
Tags: patch security upstream fixed-upstream

Hi,

the following vulnerability was published for otrs2.

CVE-2017-16664[0]:
| Code injection exists in Kernel/System/Spelling.pm in Open Ticket
| Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before
| 3.3.20. In the agent interface, an authenticated remote attacker can
| execute shell commands as the webserver user via URL manipulation.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16664
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16664
[1] https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
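The bug class behind CVE-2017-16664, as described above (a URL parameter reaching an external spell-checker as part of a shell command line), is easier to recognise with the weak and the hardened form side by side. The following Perl is an added illustration, not Kernel/System/Spelling.pm from OTRS and not the upstream fix: the function names are invented, the attacker input is constructed with a harmless payload, and `printf` stands in for the spell-checker binary so the script runs on any POSIX system without aspell or ispell installed.

```perl
#!/usr/bin/perl
# Added illustration of the CVE-2017-16664 bug class (shell command injection
# through a URL parameter that reaches an external spell-checker). This is a
# hypothetical reconstruction, not Kernel/System/Spelling.pm from OTRS; the
# function and parameter names are invented for the demo.
use strict;
use warnings;

# printf stands in for the spell-checker binary so the demo runs anywhere: it
# echoes its argument back, which is enough to see whether the shell parsed
# our input. Constructed attacker input with a harmless payload.
my $attacker_dict = 'en_US; echo INJECTED';

# VULNERABLE: one-string pipe open. Perl sees shell metacharacters and hands
# the whole line to /bin/sh -c, so ';' ends the first command and starts ours.
sub spell_vulnerable {
    my ($dict) = @_;
    open(my $fh, "printf '%s\\n' $dict |") or die "open: $!";
    my @out = <$fh>;
    close $fh;
    return join '', @out;
}

# HARDENED, part 1: allow-list the parameter. A dictionary name is a locale
# tag and nothing else; anything that is not ll or ll_CC is rejected outright.
sub validate_dictionary {
    my ($dict) = @_;
    return defined $dict && $dict =~ /\A[a-z]{2}(?:_[A-Z]{2})?\z/;
}

# HARDENED, part 2: list-form open. With a LIST after '-|' Perl forks and
# execs the program directly; no shell is involved, so metacharacters in
# $dict arrive as one literal argument instead of being parsed.
sub spell_hardened {
    my ($dict) = @_;
    validate_dictionary($dict) or die "rejected dictionary name: $dict\n";
    open(my $fh, '-|', 'printf', '%s\n', $dict) or die "exec: $!";
    my @out = <$fh>;
    close $fh;
    return join '', @out;
}

print "vulnerable output:\n", spell_vulnerable($attacker_dict);   # second line reads INJECTED
print "hardened (valid name): ", spell_hardened('en_US');          # en_US only
eval { spell_hardened($attacker_dict) };
print "hardened (attacker name): ", $@;                             # rejected before any exec
```

Both halves of the fix matter: the allow-list stops the injection at the input boundary, and the list-form open removes the shell from the path entirely, so even a later validation bug could not reintroduce command execution. The same applies to `system` and backticks in Perl: a single string with metacharacters goes through `/bin/sh`, a list does not.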
--- Begin Message ---
Source: otrs2
Source-Version: 5.0.24-1

We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated otrs2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 22 Nov 2017 16:33:29 +0100
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 5.0.24-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Description:
 otrs       - Open Ticket Request System (OTRS 5)
 otrs2      - Open Ticket Request System
Closes: 882370
Changes:
 otrs2 (5.0.24-1) unstable; urgency=high
 .
   * New upstream release.
     - This fixes OSA-2017-07, also known as CVE-2017-16664: An attacker who is
       logged into OTRS as an agent can request special URLs from OTRS which can
       lead to the execution of shell commands with the permissions of the web
       server user.
       Closes: #882370
   * Merge 3.3.18-1+deb8u1, 3.3.18-1+deb8u2, 5.0.16-1+deb9u2, 5.0.16-1+deb9u3
     and 5.0.23-1~bpo9+1 changelog.
   * Use secure URI in debian/watch and for the homepage field.
   * Bump Standards-Version to 4.1.1 (no changes required).
Checksums-Sha1:
 8fe974b41b240e6efd5e799cbb86638c37f4a530 1812 otrs2_5.0.24-1.dsc
 8444fe941050238cc6aaf8e53d0de832731a6719 20661272 otrs2_5.0.24.orig.tar.bz2
 5558202e60d527cb23d93df7fbcf43064139fc8d 45752 otrs2_5.0.24-1.debian.tar.xz
 1e341365ab8a481f959b383af395a132ed91fcb9 7425784 otrs2_5.0.24-1_all.deb
 50cac87a2bfe1aca9d466d8c02edbd4ff9c52c6c 7481 otrs2_5.0.24-1_amd64.buildinfo
 4c789dfeb7015e7a7dc9f42affdcb61a1ae6ec3e 223008 otrs_5.0.24-1_all.deb
Checksums-Sha256:
 185829602e12e8b6766bf69a7f9eedae8c1e7435b7f10be958503f6d98cf9f2d 1812 otrs2_5.0.24-1.dsc
 b7171baaf5252a763f858ea3ae3b44ad1024eb722834852dcddb0117d8cbf261 20661272 otrs2_5.0.24.orig.tar.bz2
 bf827bacc83219e24b2fcd773700bd412baeed7b76abaa2c5a73b1c175623284 45752 otrs2_5.0.24-1.debian.tar.xz
 214b2e01f9f51de10421eaa96884d3d3bf5dcfe20c20648fdc6aab3cf1ae1fc5 7425784 otrs2_5.0.24-1_all.deb
 c82f3136d4145f40a9065c0802f8b5d68e2edbdb39f43df2666709354c6d5291 7481 otrs2_5.0.24-1_amd64.buildinfo
 fbc88d284f990c54f096c5785f454cdb6d6e1bcdab767c6014972b5cb73e1e65 223008 otrs_5.0.24-1_all.deb
Files:
 63d5ebdff2a34ea14db9a672ae882486 1812 non-free/web optional otrs2_5.0.24-1.dsc
 e04711ff0b13d1b11475554b9ee6ee4d 20661272 non-free/web optional otrs2_5.0.24.orig.tar.bz2
 fb454ed1c3812951c15a56738b9d1028 45752 non-free/web optional otrs2_5.0.24-1.debian.tar.xz
 0e1404f2716335a2cf47a4483df550e5 7425784 non-free/web optional otrs2_5.0.24-1_all.deb
 1b6ee4b562479ba915093d82c5457855 7481 non-free/web optional otrs2_5.0.24-1_amd64.buildinfo
 12b442cc9b8fb2d09c3b6dd4f2b94b26 223008 non-free/web optional otrs_5.0.24-1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
