| Summary: | otrs new security issues CVE-2014-1694 and CVE-2014-1471 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | ennael1, luis.daniel.lucio, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/588015/ | | |
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok | | |
| Source RPM: | otrs-3.2.9-3.mga4.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 10669 | | |
|
Description
David Walser
2014-01-29 17:04:21 CET

David Walser
2014-01-29 17:04:48 CET

Blocks: (none) => 10669

Both upstream advisories have received CVEs:
http://openwall.com/lists/oss-security/2014/01/29/15

Summary: otrs new security issues fixed upstream in 3.2.14 => otrs new security issues CVE-2014-1694 and CVE-2014-1471

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Sorry that Bug 10669 hasn't been addressed. The maintainer has been ignoring Bugzilla.

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

In OTRS before 3.2.14, an attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks (CVE-2014-1694).

In OTRS before 3.2.14, an attacker with a valid customer or agent login could inject SQL in the ticket search URL (CVE-2014-1471).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1694
http://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
http://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
http://www.otrs.com/release_notes_otrs_help_desk_3_2_14/
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.14-1.mga3
otrs-3.2.14-1.mga4

from SRPMS:
otrs-3.2.14-1.mga3.src.rpm
otrs-3.2.14-1.mga4.src.rpm

CC: (none) => luis.daniel.lucio

Debian has issued an advisory for this on February 23:
http://www.debian.org/security/2014/dsa-2867

URL: (none) => http://lwn.net/Vulnerabilities/588015/

Procedure: https://bugs.mageia.org/show_bug.cgi?id=10927#c7

Comment 8 may still be valid as bug 10669 is still open.

claire robinson
2014-02-25 09:28:09 CET

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Tested on mageia 4 64.

Package installed. Using http://localhost/otrs/index.pl in a browser works nicely. So ok here.

CC: (none) => ennael1

Tested and validated on Mageia 4 32.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

After package installation visit http://localhost/otrs/installer.pl and follow the steps to create the database. It's not necessary to create a database beforehand as the installer does it for you.

Testing complete mga3 64

Bug 10669 seems fixed

```
# rpm -q --requires otrs
apache-mod_perl
perl-DBD-mysql
...etc
```

Testing mga3 32 next

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok

Strange %preun error when uninstalling.

```
# urpme otrs
removing otrs-3.2.14-1.mga3.noarch
/ Cron.sh - start/stop OTRS cronjobs
Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
no crontab for otrs
failed
error: %preun(otrs-3.2.14-1.mga3.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for aspectj-installer-1.6.12-1.mga2.noarch:
removing package otrs-3.2.14-1.mga3.noarch
      1/1: removing otrs-3.2.14-1.mga3.noarch
##################################################################################warning: /var/www/otrs/Kernel/Config.pm saved as /var/www/otrs/Kernel/Config.pm.rpmsave
##
```

I noticed a very similar strange %preun error when uninstalling json on Mageia 4 yesterday, and the package it was complaining about (libcsync0 in my case, aspectj-installer in your case) wasn't even installed on my VM. I'm not sure what's going on with that.

Yep, same here, very strange..

```
# rpm -q aspectj-installer
package aspectj-installer is not installed
```

Testing complete mga3 32

The update adds the require on perl-DBD-mysql which was missing previously.

Same weird %preun error

```
# urpme otrs
removing otrs-3.2.14-1.mga3.noarch
/ Cron.sh - start/stop OTRS cronjobs
Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
no crontab for otrs
failed
error: %preun(otrs-3.2.14-1.mga3.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for aspectj-installer-1.6.12-1.mga2.noarch:
removing package otrs-3.2.14-1.mga3.noarch
      1/1: removing otrs-3.2.14-1.mga3.noarch
##################################################################################warning: /var/www/otrs/Kernel/Config.pm saved as /var/www/otrs/Kernel/Config.pm.rpmsave
##
# rpm -q aspectj-installer
package aspectj-installer is not installed
```

Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates.

Bug 10669 can also be closed fixed when this is pushed.

Thanks

Keywords: (none) => validated_update

(In reply to claire robinson from comment #12)
> Bug 10669 can also be closed fixed when this is pushed.

The cp and cd commands aren't causing problems anymore?

Blocks: (none) => 10669

Update pushed:
http://advisories.mageia.org/MGASA-2014-0094.html

Status: NEW => RESOLVED
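The advisory quoted in the bug names two defect classes: a state-changing customer action accepted without a session-bound challenge token (CVE-2014-1694), and a search parameter spliced into SQL (CVE-2014-1471). The following is an added example, not OTRS code and not part of this bug report, showing the defensive pattern for each in Python with an in-memory SQLite table. The `tickets` schema, the session ids, the `SERVER_SECRET` and the HMAC-derived token scheme are all assumptions made for the illustration; OTRS itself stores its challenge token differently.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional

# Constructed per-process secret for the example. In a real deployment the
# key comes from configuration, never from source code.
SERVER_SECRET = secrets.token_bytes(32)


def issue_challenge_token(session_id: str) -> str:
    """Derive a challenge token bound to one session (HMAC-SHA256 of the id).

    The token is embedded in the forms and links of state-changing actions
    (create ticket, send follow-up). A request forged from another origin
    carries the victim's session cookie but cannot know this value.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_challenge_token(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison; a missing token is simply a failure."""
    if not token:
        return False
    return hmac.compare_digest(issue_challenge_token(session_id), token)


def create_ticket(conn, session_id: str, customer: str,
                  token: Optional[str], title: str) -> Optional[int]:
    """Hypothetical state-changing action: refuses unless the token is valid.

    Returns the new ticket id, or None when nothing was written.
    """
    if not verify_challenge_token(session_id, token):
        return None
    cur = conn.execute(
        "INSERT INTO tickets (customer, title) VALUES (?, ?)", (customer, title)
    )
    return cur.lastrowid


def _escape_like(term: str) -> str:
    """Escape LIKE wildcards so the term is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_tickets(conn, customer: str, term: str):
    """Ticket search scoped to the logged-in customer.

    Both the customer and the user-supplied term are bound as parameters;
    the term never becomes part of the SQL text, so quotes or keywords in
    it are ordinary characters. LIKE wildcards are escaped as well.
    """
    pattern = "%" + _escape_like(term) + "%"
    return conn.execute(
        "SELECT id, title FROM tickets "
        "WHERE customer = ? AND title LIKE ? ESCAPE '\\'",
        (customer, pattern),
    ).fetchall()


def build_sample_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, customer TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO tickets (customer, title) VALUES (?, ?)",
        [("alice", "Printer offline"),
         ("alice", "VPN disconnects"),
         ("bob", "Password reset")],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    tok = issue_challenge_token("sess-1")
    print("without token:", create_ticket(db, "sess-1", "alice", None, "Mail bounce"))
    print("with token:   ", create_ticket(db, "sess-1", "alice", tok, "Mail bounce"))
    print("search VPN:   ", search_tickets(db, "alice", "VPN"))
    print("quoted term:  ", search_tickets(db, "alice", "' OR '1'='1"))
```

The token check fails closed: an absent or mismatched token rejects the write before any database access, which is the behaviour the customer interface lacked before 3.2.14. The search binds the customer id from the session rather than from the URL, so even a valid login cannot widen the query to other customers' tickets.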