| Summary: | otrs new security issue CVE-2012-4600 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, guillomovitch, juan.baptiste, luis.daniel.lucio, oe, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/516948/ | ||
| Whiteboard: | MGA2-32-OK MGA2-64-OK | ||
| Source RPM: | otrs-3.1.2-2.mga2.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser 2012-09-19 19:52:00 CEST

David Walser 2012-09-19 19:52:11 CEST
Whiteboard: (none) => MGA2TOO

David Walser 2012-09-19 19:52:21 CEST
CC: (none) => guillomovitch

David Walser 2012-09-19 19:52:29 CEST
CC: (none) => dlucio

David Walser 2012-10-10 00:45:02 CEST
CC: (none) => oe

David Walser 2012-10-19 16:42:09 CEST
Fixed in Cauldron by Daniel Lucio.
Assignee: bugsquad => dlucio
Version: Cauldron => 2

So for this one the only things remaining is the advisory and push it to core/updates_testing ?
CC: (none) => juan.baptiste

(In reply to comment #2)
> So for this one the only things remaining is the advisory and push it to
> core/updates_testing ?
If you mean backporting from Cauldron to Mageia 2 SVN, then pushing to updates_testing, yes, that would do it.

Ok, I'll work on this one.
Status: NEW => ASSIGNED

Ok, update available in core/updates_testing.

Thanks Juan Luis!

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element (CVE-2012-2582).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags (CVE-2012-4600).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element (CVE-2012-4751).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4751
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
http://lists.opensuse.org/opensuse-updates/2012-09/msg00079.html
========================

Updated packages in core/updates_testing:
========================
otrs-3.1.11-1.mga2 from otrs-3.1.11-1.mga2.src.rpm

Assignee: juan.baptiste => qa-bugs

Testing complete on Mageia 2 i586.

No poc that I could find, so just testing that I can create an agent, customer, and ticket.

Note for other testers: when following the README instructions, do not create the SQL database or user prior to going to http://localhost/otrs/installer.pl
CC: (none) => davidwhodgins

Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm otrs-3.1.11-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates?

Advisory:

Updated otrs package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element (CVE-2012-2582).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags (CVE-2012-4600).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element (CVE-2012-4751).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4751
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
http://lists.opensuse.org/opensuse-updates/2012-09/msg00079.html
https://bugs.mageia.org/show_bug.cgi?id=7527
Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0322
Status: ASSIGNED => RESOLVED
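As an added defender-side example (not code from this bug report, from Mageia or from OTRS), the following Python check screens an inbound HTML mail body for the three concrete vectors the advisory describes and shows why the CVE-2012-4751 one slips past a naive filter: browsers discard leading whitespace before reading the URL scheme, so a check must normalize the value first. The scanner class, the function names and the sample bodies are all constructed for this illustration; the upgrade to otrs-3.1.11 remains the fix, and this is only a triage aid.

```python
import re
from html.parser import HTMLParser


def is_script_url(value):
    """True if an attribute value would be parsed as a javascript: URL.
    Browsers drop leading whitespace/control characters and embedded
    tab/newline before reading the scheme, so a plain startswith() check
    misses " javascript:..." (the CVE-2012-4751 vector)."""
    cleaned = re.sub(r"[\t\n\r]", "", value or "")
    cleaned = re.sub(r"^[\x00-\x20]+", "", cleaned)
    return cleaned.lower().startswith("javascript:")


class AdvisoryPatternScanner(HTMLParser):
    """Collects (pattern, tag) findings for the vectors named in the advisory."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name.lower(): (val or "") for name, val in attrs}
        # CVE-2012-2582 (1): CSS expression() in the STYLE attribute of any element
        if "expression(" in re.sub(r"\s+", "", a.get("style", "")).lower():
            self.findings.append(("css-expression", tag))
        # CVE-2012-2582 (2): META http-equiv content-type declaring UTF-7
        if (tag == "meta" and a.get("http-equiv", "").lower() == "content-type"
                and "utf-7" in a.get("content", "").lower()):
            self.findings.append(("utf7-meta", tag))
        # CVE-2012-4751: javascript: URL (possibly whitespace-prefixed) in SRC
        if is_script_url(a.get("src")):
            self.findings.append(("javascript-src", tag))


def scan_html_body(html):
    """Return the advisory patterns found in one HTML mail body, in order."""
    scanner = AdvisoryPatternScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample bodies, one per vector, carrying no payload beyond the shape.
SAMPLES = {
    "benign": "<p>Hello, the <b>ticket</b> update is attached.</p>",
    "css-expression": '<div style="width: expression (1)">x</div>',
    "utf7-meta": '<meta http-equiv="Content-Type" content="text/html; charset=UTF-7">',
    "javascript-src": '<iframe src="\t javascript:void(0)"></iframe>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_html_body(body))
```

The nested-tag vector of CVE-2012-4600 has no single attribute signature and is not covered here; a tolerant HTML parser followed by an allow-list serializer is the right tool for that case.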