Upstream has posted two security advisories on January 28:
http://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
http://www.otrs.com/security-advisory-2014-02-sql-injection-issue/

Both issues are fixed in 3.2.14. CVEs don't currently exist for these, but one has been requested for 2014-01:
http://openwall.com/lists/oss-security/2014/01/29/7

Mageia 3 and Mageia 4 will need updates.

Blocks: (none) => 10669
Whiteboard: (none) => MGA4TOO, MGA3TOO
Both upstream advisories have received CVEs: http://openwall.com/lists/oss-security/2014/01/29/15
Summary: otrs new security issues fixed upstream in 3.2.14 => otrs new security issues CVE-2014-1694 and CVE-2014-1471
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Sorry that Bug 10669 hasn't been addressed. The maintainer has been ignoring Bugzilla.

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

In OTRS before 3.2.14, an attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to missing challenge token checks (CVE-2014-1694).

In OTRS before 3.2.14, an attacker with a valid customer or agent login could inject SQL in the ticket search URL (CVE-2014-1471).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1694
http://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
http://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
http://www.otrs.com/release_notes_otrs_help_desk_3_2_14/
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.14-1.mga3
otrs-3.2.14-1.mga4

from SRPMS:
otrs-3.2.14-1.mga3.src.rpm
otrs-3.2.14-1.mga4.src.rpm

CC: (none) => luis.daniel.lucio
Version: Cauldron => 4
Blocks: 10669 => (none)
Assignee: luis.daniel.lucio => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Debian has issued an advisory for this on February 23: http://www.debian.org/security/2014/dsa-2867
URL: (none) => http://lwn.net/Vulnerabilities/588015/
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10927#c7

Comment 8 may still be valid as bug 10669 is still open.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Tested on mageia 4 64. Package installed. Using http://localhost/otrs/index.pl in a browser works nicely. So ok here.
CC: (none) => ennael1
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Tested and validated on Mageia 4 32.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok
After package installation visit http://localhost/otrs/installer.pl and follow the steps to create the database. It's not necessary to create a database beforehand as the installer does it for you.

Testing complete mga3 64

Bug 10669 seems fixed

# rpm -q --requires otrs
apache-mod_perl
perl-DBD-mysql
...etc

Testing mga3 32 next
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok
Strange %preun error when uninstalling.

# urpme otrs
removing otrs-3.2.14-1.mga3.noarch
/ Cron.sh - start/stop OTRS cronjobs Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
no crontab for otrs
failed
error: %preun(otrs-3.2.14-1.mga3.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for aspectj-installer-1.6.12-1.mga2.noarch:
removing package otrs-3.2.14-1.mga3.noarch
1/1: removing otrs-3.2.14-1.mga3.noarch
##################################################################################
warning: /var/www/otrs/Kernel/Config.pm saved as /var/www/otrs/Kernel/Config.pm.rpmsave
##
I noticed a very similar strange %preun error when uninstalling json on Mageia 4 yesterday, and the package it was complaining about (libcsync0 in my case, aspectj-installer in your case) wasn't even installed on my VM. I'm not sure what's going on with that.
Yep, same here, very strange..

# rpm -q aspectj-installer
package aspectj-installer is not installed

Testing complete mga3 32

The update adds the require on perl-DBD-mysql which was missing previously.

Same weird %preun error

# urpme otrs
removing otrs-3.2.14-1.mga3.noarch
/ Cron.sh - start/stop OTRS cronjobs Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
no crontab for otrs
failed
error: %preun(otrs-3.2.14-1.mga3.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for aspectj-installer-1.6.12-1.mga2.noarch:
removing package otrs-3.2.14-1.mga3.noarch
1/1: removing otrs-3.2.14-1.mga3.noarch
##################################################################################
warning: /var/www/otrs/Kernel/Config.pm saved as /var/www/otrs/Kernel/Config.pm.rpmsave
##

# rpm -q aspectj-installer
package aspectj-installer is not installed
Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates. Bug 10669 can also be closed fixed when this is pushed. Thanks
Keywords: (none) => validated_update
Depends on: (none) => 10669
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

(In reply to claire robinson from comment #12)
> Bug 10669 can also be closed fixed when this is pushed.

The cp and cd commands aren't causing problems anymore?

Blocks: (none) => 10669
Depends on: 10669 => (none)
Update pushed: http://advisories.mageia.org/MGASA-2014-0094.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED