Debian has issued an advisory today (May 29): http://lwn.net/Alerts/552189/ Mageia 2 and 3 are also affected.
Whiteboard: (none) => MGA3TOO, MGA2TOO
debian.org link for advisory is now active: http://www.debian.org/security/2013/dsa-2696
Debian has issued a new advisory on June 19: http://www.debian.org/security/2013/dsa-2712 This adds a new CVE, CVE-2013-4088 (from http://lwn.net/Vulnerabilities/555692/).
Summary: otrs new security issue CVE-2013-3551 => otrs new security issues CVE-2013-3551 and CVE-2013-4088
Pushing for Cauldron, 3 and 2
Waiting for QA
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to Daniel Lucio from comment #4)
> Waiting for QA

Any reason you have closed this bug?
Next time please keep the bug open and just assign to QA :)
Status: RESOLVED => REOPENED
CC: (none) => mageia
Resolution: FIXED => (none)
Assignee: luis.daniel.lucio => qa-bugs
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
More info about these vulnerabilities (upstream advisories):
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/
Advisory:
========================

Updated otrs package fixes security vulnerabilities:

An attacker with a valid agent login could manipulate URLs in the ticket watch mechanism to see contents of tickets they are not permitted to see (CVE-2013-3551, CVE-2013-4088).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4088
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-03/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2013-04/
http://www.debian.org/security/2013/dsa-2696
http://www.debian.org/security/2013/dsa-2712
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.8-1.mga2
otrs-3.2.8-1.mga3

from SRPMS:
otrs-3.2.8-1.mga2.src.rpm
otrs-3.2.8-1.mga3.src.rpm
Testers, see https://bugs.mageia.org/show_bug.cgi?id=7527#c7
CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Not a regression, but there is an error in ... postinstall scriptlet (using /bin/sh):

/var/www/otrs/bin/otrs.SetPermissions.pl --otrs-user=otrs --web-user=apache --otrs-group=otrs --web-group=apache /var/www/otrs
cd /var/www/otrs/var/cron
for foo in *.dist; do cp $foo `basename $foo .dist`; done
/var/www/otrs/bin/Cron.sh start otrs

From rpm -q -l otrs:

/var/www/otrs/.fetchmailrc
/var/www/otrs/.fetchmailrc.dist
/var/www/otrs/.mailfilter
/var/www/otrs/.mailfilter.dist
/var/www/otrs/.procmailrc
/var/www/otrs/.procmailrc.dist
/var/www/otrs/Kernel/Config.pm
/var/www/otrs/Kernel/Config.pm.dist
/var/www/otrs/Kernel/Config/GenericAgent.pm
/var/www/otrs/Kernel/Config/GenericAgent.pm.dist

As all of the files that end in .dist have a copy in the same dir without the .dist (and none of the .dist files are in /var/www/otrs/var/cron), it looks like the cd and for/cp commands should just be removed from the postinstall scriptlet.

As it is, the installation has one easy-to-miss message in the output:

cp: target ‘unlock’ is not a directory

Note that unlock is the last file in the cron directory, so it looks like it is the target of an attempt to copy multiple files, hence the error message.

I'll be testing shortly.
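The shell pitfall behind that cp message, reproduced in a throwaway directory as an added example (not the otrs package's own scriptlet): when no *.dist file exists, a POSIX shell leaves the pattern unexpanded, basename turns the literal "*.dist" into "*", and cp then receives every file in the directory with the last one (unlock) as its "target". The file names below are constructed; the hardened loop simply checks that the glob matched something before copying.

```shell
#!/bin/sh
# Build a temporary stand-in for /var/www/otrs/var/cron: a few cron fragments
# (constructed names) and deliberately no *.dist files. Prints the directory path.
setup_cron_dir() {
    dir=$(mktemp -d) || return 1
    for f in aaa_base generic_agent unlock; do
        : > "$dir/$f"
    done
    printf '%s\n' "$dir"
}

# The scriptlet's loop, run verbatim. With nothing matching *.dist, $foo is the
# literal "*.dist", `basename "*.dist" .dist` is "*", and "cp *.dist *" expands
# "*" to every file present, so cp is asked to copy into "unlock" as if it were
# a directory. Returns cp's non-zero exit status so the failure is observable.
buggy_copy() {
    ( cd "$1" && status=0
      for foo in *.dist; do
          cp $foo `basename $foo .dist` 2>/dev/null || status=$?
      done
      exit "$status" )
}

# Hardened form: skip the iteration when the pattern did not match a real file,
# and quote every expansion so names are never re-split or re-globbed.
# Returns 0 when there was nothing to copy, 1 if any copy failed.
safe_copy() {
    ( cd "$1" && for foo in *.dist; do
          [ -e "$foo" ] || continue
          cp "$foo" "$(basename "$foo" .dist)" || exit 1
      done )
}

# Number of entries in the directory; used to show nothing was clobbered or lost.
count_files() {
    ls -1 "$1" | wc -l | tr -d ' '
}
```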
Probably not a regression, but it should have a requires on perl-DBD-mysql, otherwise there's an error in /var/log/httpd/error_log with:

install_driver(mysql) failed: Can't locate DBD/mysql.pm

Once that's installed, it starts ok.
Note for future testers: after installing otrs and (if not already installed) mariadb, use http://127.0.0.1/otrs/installer.pl to create the database, then follow the instructions to log in, create an agent, etc.
Bug 10669 opened for comment 10 and comment 11. Testing complete on Mageia 3 i586 and x86_64, and Mageia 2 i586 and x86_64. http://svnweb.mageia.org/advisories/10352.adv?view=markup&sortby=date uploaded. Could someone from the sysadmin team push 10352.adv?
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2013-0196.html
Status: REOPENED => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)