Bug 12473 - otrs new security issues CVE-2014-1694 and CVE-2014-1471
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/588015/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks: 10669
Reported: 2014-01-29 17:04 CET by David Walser
Modified: 2014-02-25 23:19 CET
Source RPM: otrs-3.2.9-3.mga4.src.rpm
Description David Walser 2014-01-29 17:04:21 CET
Upstream has posted two security advisories on January 28:
http://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
http://www.otrs.com/security-advisory-2014-02-sql-injection-issue/

Both issues are fixed in 3.2.14.

CVEs don't currently exist for these, but one has been requested for 2014-01:
http://openwall.com/lists/oss-security/2014/01/29/7

Mageia 3 and Mageia 4 will need updates.

David Walser 2014-01-29 17:04:48 CET

Blocks: (none) => 10669
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-01-29 21:23:08 CET
Both upstream advisories have received CVEs:
http://openwall.com/lists/oss-security/2014/01/29/15

Summary: otrs new security issues fixed upstream in 3.2.14 => otrs new security issues CVE-2014-1694 and CVE-2014-1471

Comment 2 David Walser 2014-02-24 18:37:05 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Sorry that Bug 10669 hasn't been addressed.  The maintainer has been ignoring Bugzilla.

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

In OTRS before 3.2.14, an attacker that managed to take over the session of a
logged in customer could create tickets and/or send follow-ups to existing
tickets due to missing challenge token checks (CVE-2014-1694).

In OTRS before 3.2.14, an attacker with a valid customer or agent login could
inject SQL in the ticket search URL (CVE-2014-1471).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1694
http://www.otrs.com/security-advisory-2014-01-csrf-issue-customer-web-interface/
http://www.otrs.com/security-advisory-2014-02-sql-injection-issue/
http://www.otrs.com/release_notes_otrs_help_desk_3_2_14/
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.14-1.mga3
otrs-3.2.14-1.mga4

from SRPMS:
otrs-3.2.14-1.mga3.src.rpm
otrs-3.2.14-1.mga4.src.rpm

CC: (none) => luis.daniel.lucio
Version: Cauldron => 4
Blocks: 10669 => (none)
Assignee: luis.daniel.lucio => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 David Walser 2014-02-24 22:30:57 CET
Debian has issued an advisory for this on February 23:
http://www.debian.org/security/2014/dsa-2867

URL: (none) => http://lwn.net/Vulnerabilities/588015/

Comment 4 claire robinson 2014-02-25 09:27:43 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=10927#c7

Comment 8 may still be valid as bug 10669 is still open.
claire robinson 2014-02-25 09:28:09 CET

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 5 Anne Nicolas 2014-02-25 09:43:16 CET
Tested on Mageia 4 64. Package installed. Using http://localhost/otrs/index.pl in a browser works nicely. So ok here.

CC: (none) => ennael1
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 6 Anne Nicolas 2014-02-25 10:56:38 CET
Tested and validated on Mageia 4 32.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok

Comment 7 claire robinson 2014-02-25 16:31:28 CET
After package installation, visit http://localhost/otrs/installer.pl and follow the steps to create the database. It's not necessary to create a database beforehand as the installer does it for you.

Testing complete mga3 64

Bug 10669 seems fixed

# rpm -q --requires otrs
apache-mod_perl
perl-DBD-mysql
...etc

Testing mga3 32 next

Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok

Comment 8 claire robinson 2014-02-25 16:33:59 CET
Strange %preun error when uninstalling.

# urpme otrs
removing otrs-3.2.14-1.mga3.noarch
/
Cron.sh - start/stop OTRS cronjobs
Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
no crontab for otrs
failed
error: %preun(otrs-3.2.14-1.mga3.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for aspectj-installer-1.6.12-1.mga2.noarch: 
removing package otrs-3.2.14-1.mga3.noarch
      1/1: removing otrs-3.2.14-1.mga3.noarch
                                 ##################################################################################warning: /var/www/otrs/Kernel/Config.pm saved as /var/www/otrs/Kernel/Config.pm.rpmsave
##

Comment 9 David Walser 2014-02-25 16:38:24 CET
I noticed a very similar strange %preun error when uninstalling json on Mageia 4 yesterday, and the package it was complaining about (libcsync0 in my case, aspectj-installer in your case) wasn't even installed on my VM.  I'm not sure what's going on with that.

Comment 10 claire robinson 2014-02-25 16:54:36 CET
Yep, same here, very strange..

# rpm -q aspectj-installer
package aspectj-installer is not installed

Comment 11 claire robinson 2014-02-25 17:23:15 CET
Testing complete mga3 32

The update adds the require on perl-DBD-mysql which was missing previously.

Same weird %preun error

# urpme otrs
removing otrs-3.2.14-1.mga3.noarch
/
Cron.sh - start/stop OTRS cronjobs
Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
no crontab for otrs
failed
error: %preun(otrs-3.2.14-1.mga3.noarch) scriptlet failed, exit status 1
ERROR: 'script' failed for aspectj-installer-1.6.12-1.mga2.noarch: 
removing package otrs-3.2.14-1.mga3.noarch
      1/1: removing otrs-3.2.14-1.mga3.noarch
                                 ##################################################################################warning: /var/www/otrs/Kernel/Config.pm saved as /var/www/otrs/Kernel/Config.pm.rpmsave
##

# rpm -q aspectj-installer
package aspectj-installer is not installed

Comment 12 claire robinson 2014-02-25 17:46:25 CET
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates. Bug 10669 can also be closed fixed when this is pushed.

Thanks

Keywords: (none) => validated_update
Depends on: (none) => 10669
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 13 David Walser 2014-02-25 17:55:40 CET
(In reply to claire robinson from comment #12)
> Bug 10669 can also be closed fixed when this is pushed.

The cp and cd commands aren't causing problems anymore?

Blocks: (none) => 10669
Depends on: 10669 => (none)

Comment 14 Thomas Backlund 2014-02-25 23:19:04 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0094.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
