Mageia Bugzilla – Bug 10352
otrs new security issues CVE-2013-3551 and CVE-2013-4088
Last modified: 2014-05-08 18:04:31 CEST
Debian has issued an advisory today (May 29):
Mageia 2 and 3 are also affected.
debian.org link for advisory is now active:
Debian has issued a new advisory on June 19:
This adds a new CVE, CVE-2013-4088.
Pushing for Cauldron, 3 and 2
Waiting for QA
(In reply to Daniel Lucio from comment #4)
> Waiting for QA
Any reason you have closed this bug?
Next time please keep the bug open and just assign to QA :)
More info about these vulnerabilities (upstream advisories):
Updated otrs package fixes security vulnerabilities:
An attacker with a valid agent login could manipulate URLs in the ticket
watch mechanism to see contents of tickets they are not permitted to see
Updated packages in core/updates_testing:
Testers, see https://bugs.mageia.org/show_bug.cgi?id=7527#c7
Not a regression, but there is an error in ...
postinstall scriptlet (using /bin/sh):
/var/www/otrs/bin/otrs.SetPermissions.pl --otrs-user=otrs --web-user=apache --otrs-group=otrs --web-group=apache /var/www/otrs
for foo in *.dist; do cp $foo `basename $foo .dist`; done
/var/www/otrs/bin/Cron.sh start otrs
From rpm -q -l otrs
As all of the files that end in .dist have a copy in the same dir without
the .dist (and none of the .dist files are in /var/www/otrs/var/cron),
it looks like the cd and for/cp commands should just be removed from the
As it is, the installation has one easy to miss message in the output with
cp: target ‘unlock’ is not a directory
Note that unlock is the last file in the cron directory, so it looks like the
target of trying to copy multiple files, hence the error message.
I'll be testing shortly.
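How a loop like the one quoted from the scriptlet produces that cp message when the directory holds no *.dist files, next to a hardened form. This is an added example, not part of the bug report or the otrs package: the helper names and every file name except unlock are constructed, and show_args stands in for cp in the original loop.

```shell
#!/bin/sh
# Added example. File names other than "unlock" are constructed; show_args
# stands in for cp so the original loop can be run without copying anything.

# Scratch directory that, like the cron directory in the report, has no *.dist files.
make_cron_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/aaa_base" "$d/postmaster" "$d/unlock"
    printf '%s\n' "$d"
}

# Report how many arguments cp would receive and which one is the target.
show_args() {
    n=$#
    for last in "$@"; do :; done
    echo "argc=$n last=$last"
}

# The loop as quoted from the scriptlet (unquoted on purpose), run in directory $1.
# 1. No file matches, so the pattern stays literal: foo='*.dist'
# 2. basename '*.dist' .dist prints '*'
# 3. The unquoted result is globbed again and becomes every file in the directory.
original_loop() {
    ( cd "$1" || exit 1
      for foo in *.dist; do show_args $foo `basename $foo .dist`; done )
}

# Hardened loop: skip the unmatched pattern, quote every expansion, and
# prefix ./ so a name starting with '-' is never parsed as an option.
fixed_loop() {
    ( cd "$1" || exit 1
      for foo in *.dist; do
          [ -e "$foo" ] || continue
          cp "./$foo" "./${foo%.dist}"
      done )
}

dir=$(make_cron_dir)
original_loop "$dir"             # several sources, last argument is a plain file
fixed_loop "$dir" && echo "fixed loop: nothing to copy, no error"
rm -rf "$dir"
```

With more than two arguments cp requires the last one to be a directory, which is why the message names the final file in the listing.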
Probably not a regression, but it should have a requires on perl-DBD-mysql,
otherwise there's an error in /var/log/httpd/error_log with
install_driver(mysql) failed: Can't locate DBD/mysql.pm
Once that's installed, it starts ok.
Note for future testers: after installing otrs and (if not already installed)
mariadb, use http://127.0.0.1/otrs/installer.pl to create the database,
and then follow the instructions to log in, create an agent, etc.
Bug 10669 opened for comment 10 and comment 11.
Testing complete on Mageia 3 i586 and x86_64, and Mageia 2 i586 and x86_64.
Could someone from the sysadmin team push 10352.adv?