Bug 12910

Summary: otrs new security issue CVE-2014-1695
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marc.lattemann, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/589096/
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
Source RPM: otrs-3.2.14-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-03-01 22:01:13 CET 
Upstream has issued an advisory on February 25:
https://www.otrs.com/security-advisory-2014-03-xss-issue/

The issue is fixed upstream in 3.2.15.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated otrs package fixes security vulnerability:

An attacker could send a specially prepared HTML email to OTRS. If he can then
trick an agent into following a special link to display this email, JavaScript
code would be executed (CVE-2014-1695).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1695
https://www.otrs.com/security-advisory-2014-03-xss-issue/
http://www.otrs.com/release-notes-otrs-help-desk-3-2-15/
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.15-1.mga3
otrs-3.2.15-1.mga4

from SRPMS:
otrs-3.2.15-1.mga3.src.rpm
otrs-3.2.15-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-01 22:01:23 CET

Version: Cauldron => 4
Whiteboard: (none) => MGA3TOO

Comment 1 Marc Lattemann 2014-03-02 19:43:44 CET 
did not found how to check this vulnerability...

tested general installation of otrs on MGA4 32bit:
- installed version from core and run installer
- log into otrs
- update installed version from update-testing
- log into update orts 
--> no errors detected
- delete existing database
- re-run installer to install updated version
- log into otrs
--> no errors detected

update tested successfully in MGA4 32bit

CC: (none) => marc.lattemann
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK

Comment 2 Marc Lattemann 2014-03-02 20:10:15 CET 
update tested successfully in MGA4 64bit based on comment #1

Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK

Comment 3 Marc Lattemann 2014-03-02 21:04:13 CET 
update tested successfully in MGA3 32bit
Comment 4 Marc Lattemann 2014-03-02 21:30:13 CET 
update tested successfully in MGA3 64bit.

If tests above are sufficient, than advisory can be uploaded and validated.

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA-64-OK

Marc Lattemann 2014-03-02 21:30:54 CET

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 5 Thomas Backlund 2014-03-02 21:38:07 CET 
advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => tmb, sysadmin-bugs

Comment 6 Thomas Backlund 2014-03-02 22:01:41 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0114.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-03-03 19:10:37 CET

URL: (none) => http://lwn.net/Vulnerabilities/589096/