Bug 12473 - otrs new security issues CVE-2014-1694 and CVE-2014-1471
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/588015/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks: 10669

Reported: 2014-01-29 17:04 CET by David Walser
Modified: 2014-02-25 23:19 CET (History)
CC: 4 users

Source RPM: otrs-3.2.9-3.mga4.src.rpm
Description David Walser 2014-01-29 17:04:21 CET
Upstream has posted two security advisories on January 28:
http://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
http://www.otrs.com/security-advisory-2014-02-sql-injection-issue/

Both issues are fixed in 3.2.14.

CVEs don't currently exist for these, but one has been requested for 2014-01:
http://openwall.com/lists/oss-security/2014/01/29/7

Mageia 3 and Mageia 4 will need updates.

Comment 1 David Walser 2014-01-29 21:23:08 CET
Both upstream advisories have received CVEs:
http://openwall.com/lists/oss-security/2014/01/29/15
Comment 2 David Walser 2014-02-24 18:37:05 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Sorry that Bug 10669 hasn't been addressed.  The maintainer has been ignoring Bugzilla.

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

In OTRS before 3.2.14, an attacker that managed to take over the session of a
logged in customer could create tickets and/or send follow-ups to existing
tickets due to missing challenge token checks (CVE-2014-1694).

In OTRS before 3.2.14, an attacker with a valid customer or agent login could
inject SQL in the ticket search URL (CVE-2014-1471).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1694
http://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
http://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
http://www.otrs.com/release_notes_otrs_help_desk_3_2_14/
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.14-1.mga3
otrs-3.2.14-1.mga4

from SRPMS:
otrs-3.2.14-1.mga3.src.rpm
otrs-3.2.14-1.mga4.src.rpm
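The advisory above names two bug classes: a state-changing customer request that is accepted without a challenge token (CVE-2014-1694), and a ticket search parameter that is spliced into SQL (CVE-2014-1471). The block below is an added Python illustration of both, written for this page; it is not OTRS code and not part of the bug report. It uses a toy ticket table in an in-memory sqlite3 database, and the session layout, the `ChallengeToken` form field name, the user names and the sample tickets are all constructed assumptions. Each handler is shown in its vulnerable form next to its fixed form.

```python
"""Added example (not OTRS code): CSRF challenge-token check and SQL injection,
vulnerable and fixed handlers side by side, on a constructed sqlite3 ticket table."""
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed sample data: two customers, one ticket each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ticket(id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    db.executemany("INSERT INTO ticket(owner, title) VALUES (?, ?)",
                   [("customer1", "Printer down"), ("customer2", "Salary question")])
    return db


def new_session(user="customer1"):
    """Assumed session layout: a random per-session challenge token is issued at login."""
    return {"user": user, "challenge_token": secrets.token_hex(16)}


# --- CVE-2014-1694 class: state change without a challenge-token check ------------

def check_challenge_token(session, submitted):
    """True only if the request carries the token bound to this session.

    A page on another origin can make the victim's browser send the session
    cookie, but it cannot read the token, so it cannot forge this field.
    compare_digest keeps the comparison constant-time.
    """
    expected = session.get("challenge_token")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def create_ticket_vulnerable(db, session, form):
    """Before: a logged-in session is all that is needed to create a ticket."""
    db.execute("INSERT INTO ticket(owner, title) VALUES (?, ?)",
               (session["user"], form["title"]))
    return True


def create_ticket_fixed(db, session, form):
    """After: the POST must also carry the session's challenge token."""
    if not check_challenge_token(session, form.get("ChallengeToken")):
        return False
    db.execute("INSERT INTO ticket(owner, title) VALUES (?, ?)",
               (session["user"], form["title"]))
    return True


# --- CVE-2014-1471 class: search parameter interpolated into SQL ---------------------

def search_tickets_vulnerable(db, session, title_filter):
    """Before: the URL parameter becomes part of the SQL text."""
    sql = (f"SELECT owner, title FROM ticket WHERE owner = '{session['user']}' "
           f"AND title LIKE '%{title_filter}%'")
    return db.execute(sql).fetchall()


def search_tickets_fixed(db, session, title_filter):
    """After: the value is bound as a parameter; it can never change the query shape."""
    return db.execute("SELECT owner, title FROM ticket WHERE owner = ? AND title LIKE ?",
                      (session["user"], "%" + title_filter + "%")).fetchall()


def demo():
    """Run both attacks against both handlers and report what each version does."""
    db = make_db()
    sess = new_session()
    forged = {"title": "forged"}              # cross-site POST: no token available
    payload = "%' OR 1=1 --"                  # closes the LIKE literal, drops the owner clause
    return {
        "csrf_forged_accepted_before": create_ticket_vulnerable(db, sess, forged),
        "csrf_forged_accepted_after": create_ticket_fixed(db, sess, forged),
        "csrf_legit_accepted_after": create_ticket_fixed(
            db, sess, {"title": "ok", "ChallengeToken": sess["challenge_token"]}),
        "sqli_rows_before": len(search_tickets_vulnerable(db, sess, payload)),
        "sqli_rows_after": len(search_tickets_fixed(db, sess, payload)),
    }


if __name__ == "__main__":
    print(demo())
```

The injected search returns every customer's tickets from the vulnerable handler, because `AND` binds tighter than the injected `OR 1=1`, and the `--` comments out the rest of the statement; the bound-parameter version returns nothing for the same input. For the CSRF case the fix is only as good as the token's binding to the session: a token that is global, predictable, or accepted from a GET parameter on a different session gives no protection.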
Comment 3 David Walser 2014-02-24 22:30:57 CET
Debian has issued an advisory for this on February 23:
http://www.debian.org/security/2014/dsa-2867
Comment 4 claire robinson 2014-02-25 09:27:43 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10927#c7

Comment 8 may still be valid as bug 10669 is still open.
Comment 5 Anne Nicolas 2014-02-25 09:43:16 CET
Tested on Mageia 4 64. Package installed. Using http://localhost/otrs/index.pl in a browser works nicely. So ok here.
Comment 6 Anne Nicolas 2014-02-25 10:56:38 CET
Tested and validated on Mageia 4 32.
Comment 7 claire robinson 2014-02-25 16:31:28 CET
After package installation visit http://localhost/otrs/installer.pl and follow the steps to create the database. It's not necessary to create a database before hand as the installer does it for you.

Testing complete mga3 64

Bug 10669 seems fixed

# rpm -q --requires otrs
apache-mod_perl
perl-DBD-mysql
...etc

Testing mga3 32 next
Comment 8 claire robinson 2014-02-25 16:33:59 CET
Strange %preun error when uninstalling.

# urpme otrs
removing otrs-3.2.14-1.mga3.noarch
Cron.sh - start/stop OTRS cronjobs
Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
no crontab for otrs
failed
error: %preun(otrs-3.2.14-1.mga3.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for aspectj-installer-1.6.12-1.mga2.noarch: 
removing package otrs-3.2.14-1.mga3.noarch
      1/1: removing otrs-3.2.14-1.mga3.noarch
                                 ####################################################################################
warning: /var/www/otrs/Kernel/Config.pm saved as /var/www/otrs/Kernel/Config.pm.rpmsave
Comment 9 David Walser 2014-02-25 16:38:24 CET
I noticed a very similar strange %preun error when uninstalling json on Mageia 4 yesterday, and the package it was complaining about (libcsync0 in my case, aspectj-installer in your case) wasn't even installed on my VM.  I'm not sure what's going on with that.
Comment 10 claire robinson 2014-02-25 16:54:36 CET
Yep, same here, very strange..

# rpm -q aspectj-installer
package aspectj-installer is not installed
Comment 11 claire robinson 2014-02-25 17:23:15 CET
Testing complete mga3 32

The update adds the require on perl-DBD-mysql which was missing previously.

Same weird %preun error

# urpme otrs
removing otrs-3.2.14-1.mga3.noarch
Cron.sh - start/stop OTRS cronjobs
Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
no crontab for otrs
failed
error: %preun(otrs-3.2.14-1.mga3.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for aspectj-installer-1.6.12-1.mga2.noarch: 
removing package otrs-3.2.14-1.mga3.noarch
      1/1: removing otrs-3.2.14-1.mga3.noarch
                                 ####################################################################################
warning: /var/www/otrs/Kernel/Config.pm saved as /var/www/otrs/Kernel/Config.pm.rpmsave

# rpm -q aspectj-installer
package aspectj-installer is not installed
Comment 12 claire robinson 2014-02-25 17:46:25 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates. Bug 10669 can also be closed fixed when this is pushed.

Thanks
Comment 13 David Walser 2014-02-25 17:55:40 CET
(In reply to claire robinson from comment #12)
> Bug 10669 can also be closed fixed when this is pushed.

The cp and cd commands aren't causing problems anymore?
Comment 14 Thomas Backlund 2014-02-25 23:19:04 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0094.html
