Package        : otrs2
Version        : 3.1.7+dfsg1-8+deb7u6
CVE ID         : CVE-2016-9139
Debian Bug     : 843091

A cross-site scripting (XSS) vulnerability was discovered in OTRS, a
ticket request system for the web. An attacker could trick an
authenticated user into opening a malicious attachment, which could lead
to the execution of JavaScript in the OTRS context. This update addresses
the vulnerability by setting a strict default HTTP content security
policy that forbids loading of third-party files.

For Debian 7 "Wheezy", this problem has been fixed in version
3.1.7+dfsg1-8+deb7u6.

We recommend that you upgrade your otrs2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- Jonas Meurer
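
One way to check, after upgrading, that a Content-Security-Policy header value forbids third-party loading as the fix above intends. This is an added example, not part of the advisory or of OTRS: the function names are hypothetical and the header values are constructed samples, since the advisory does not quote the policy itself.

```python
# Added example: the header values below are constructed samples,
# not the policy that the fixed otrs2 package actually sends.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "object-src",
                    "frame-src", "font-src", "media-src", "connect-src")
# frame-src falls back to child-src before default-src.
FALLBACK = {"frame-src": ("child-src", "default-src")}
LOCAL_ONLY = {"'self'", "'none'"}
# These keywords govern inline code, not which origins may be loaded.
INLINE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def third_party_findings(header):
    """Return {directive: [sources]} for every fetch directive that
    permits more than 'self'/'none'; an empty dict means local-only."""
    policy = parse_csp(header)
    findings = {}
    for directive in FETCH_DIRECTIVES:
        chain = (directive,) + FALLBACK.get(directive, ("default-src",))
        sources = next((policy[d] for d in chain if d in policy), None)
        if sources is None:
            findings[directive] = ["<unrestricted>"]
            continue
        allowed = LOCAL_ONLY | INLINE_KEYWORDS
        extra = [s for s in sources if s.lower() not in allowed]
        if extra:
            findings[directive] = extra
    return findings


STRICT = "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'"
LAX = "default-src 'self'; script-src 'self' https://cdn.example.net; img-src *"

if __name__ == "__main__":
    for name, header in (("STRICT", STRICT), ("LAX", LAX)):
        print(name, third_party_findings(header) or "local-only")
```

Nonce, hash and scheme sources are reported as findings too, so each reported entry still needs a manual look.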
