Bug 13252

Summary: otrs new security issues CVE-2014-2553 and CVE-2014-2554
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/595635/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: otrs-3.2.15-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-04-22 19:18:11 CEST 
OpenSuSE has issued an advisory today (April 22):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html

Upstream released version 3.2.16 on April 1 to fix these issues:
https://www.otrs.com/release-notes-otrs-help-desk-3-2-16/

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

A logged in attacker could insert special content in dynamic fields, leading
to JavaScript code being executed in OTRS (CVE-2014-2553).

An attacker could embed OTRS in a hidden <iframe> tag of another page,
tricking the user into clicking links in OTRS (CVE-2014-2554).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2554
https://www.otrs.com/security-advisory-2014-04-xss-issue/
https://www.otrs.com/security-advisory-2014-05-clickjacking-issue/
https://www.otrs.com/release-notes-otrs-help-desk-3-2-16/
http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.16-1.mga3
otrs-3.2.16-1.mga4

from SRPMS:
otrs-3.2.16-1.mga3.src.rpm
otrs-3.2.16-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-04-22 19:18:18 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-04-24 15:14:34 CEST 
Procedure in bug 12473

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 claire robinson 2014-04-24 15:24:55 CEST 
Testing complete mga3 64

logged in, created an agent, logged out, logged back in as the agent. All OK.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok

Comment 3 claire robinson 2014-04-24 16:43:36 CEST 
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 4 claire robinson 2014-04-24 17:08:34 CEST 
Testing complete mga4 32 & 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 5 claire robinson 2014-04-24 18:14:14 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-04-24 21:16:13 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0194.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 James Kerr 2014-04-24 23:37:06 CEST 
The advisory page seems to be incomplete. The email message is OK. Compare:

http://advisories.mageia.org/MGASA-2014-0194.html

https://ml.mageia.org/l/arc/updates-announce/2014-04/msg00062.html
Comment 8 Thomas Backlund 2014-04-24 23:42:13 CEST 
Fixed, thanks for noticing

It was the <iframe> tag in description breaking the page