Debian has issued an advisory on August 2: http://www.debian.org/security/2013/dsa-2733 It appears that the issue was fixed upstream in 3.2.9. Mageia 2 and Mageia 3 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO, MGA2TOO
3.2.9 has been submitted to all.
CC: (none) => oe
Thanks Oden! Advisory: ======================== Updated otrs packages fix security vulnerability: It was discovered that otrs2, the Open Ticket Request System, does not properly sanitise user-supplied data that is used on SQL queries. An attacker with a valid agent login could exploit this issue to craft SQL queries by injecting arbitrary SQL code through manipulated URLs (CVE-2013-4717). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4717 http://www.debian.org/security/2013/dsa-2733 ======================== Updated packages in core/updates_testing: ======================== otrs-3.2.9-1.mga2 otrs-3.2.9-1.mga3 from SRPMS: otrs-3.2.9-1.mga2.src.rpm otrs-3.2.9-1.mga3.src.rpm
CC: (none) => luis.daniel.lucioVersion: Cauldron => 3Assignee: luis.daniel.lucio => qa-bugsWhiteboard: MGA3TOO, MGA2TOO => MGA2TOO
How do I launch otrs? Apache is succesfully running on the test system. The following webpages are available: http://localhost/~wilcal/ ( works ) http://192.168.1.40/~wilcal/ ( from the LAN works ) http://192.168.1.40/ ( It works! works ) After installing otrs from the MCC I tried the following: http://localhost/~otrs/ http://localhost/otrs/ http://otrs.localhost http://localhost/otrs/index.pl http://localhost/~otrs/index.pl http://192.168.1.40/~otrs/ http://192.168.1.40/otrs/ http://otrs.192.168.1.40 http://192.168.1.40/otrs/index.pl http://192.168.1.40/~otrs/index.pl none work, even after reboot FWIW http://localhost/awstats/ works just fine http://localhost/otrs/ does not There exists a /etc/httpd/conf/sites.d/otrs.conf file Thanks
CC: (none) => wilcal.int
(In reply to William Kenney from comment #3) > How do I launch otrs? > > There exists a /etc/httpd/conf/sites.d/otrs.conf file Therein lies the answer to your question: Alias /otrs-web/ "/var/www/otrs/var/httpd/htdocs" So it would be http://localhost/otrs-web/
Advisory 10927.adv uploaded to svn.
CC: (none) => davidwhodgins
Testing Mageia 2 i586, firefox localhost/otrs returns The server encountered an internal error and was unable to complete your request. Error message: (null) at /usr/lib/perl5/vendor_perl/5.14.2/i386-linux-thread-multi/ModPerl/RegistryCooker.pm line 541. Trying localhost/otrs-web returns not found.
Whiteboard: MGA2TOO => MGA2TOO feedback
Sorry for the noise. Ignore comment 6. See https://bugs.mageia.org/show_bug.cgi?id=10352#c12 for procedure.
Whiteboard: MGA2TOO feedback => MGA2TOO
As per bug 10669 the requires for perl-DBD-mysql is still missing, so it must be installed manually.
Testing complete Mageia 2 and 3, i586 and x86_64. Could someone from the sysadmin team push 10927.adv to updates.
Keywords: (none) => validated_updateWhiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OKCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0247.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED