Bug 13252 - otrs new security issues CVE-2014-2553 and CVE-2014-2554
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/595635/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Reported: 2014-04-22 19:18 CEST by David Walser
Modified: 2014-04-24 23:42 CEST

Source RPM: otrs-3.2.15-1.mga4.src.rpm

Description David Walser 2014-04-22 19:18:11 CEST
openSUSE has issued an advisory today (April 22):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html

Upstream released version 3.2.16 on April 1 to fix these issues:
https://www.otrs.com/release-notes-otrs-help-desk-3-2-16/

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

A logged-in attacker could insert special content in dynamic fields, leading
to JavaScript code being executed in OTRS (CVE-2014-2553).

An attacker could embed OTRS in a hidden <iframe> tag of another page,
tricking the user into clicking links in OTRS (CVE-2014-2554).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2554
https://www.otrs.com/security-advisory-2014-04-xss-issue/
https://www.otrs.com/security-advisory-2014-05-clickjacking-issue/
https://www.otrs.com/release-notes-otrs-help-desk-3-2-16/
http://lists.opensuse.org/opensuse-updates/2014-04/msg00062.html
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.16-1.mga3
otrs-3.2.16-1.mga4

from SRPMS:
otrs-3.2.16-1.mga3.src.rpm
otrs-3.2.16-1.mga4.src.rpm

David Walser 2014-04-22 19:18:18 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-04-24 15:14:34 CEST
Procedure in bug 12473

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 claire robinson 2014-04-24 15:24:55 CEST
Testing complete mga3 64

Logged in, created an agent, logged out, logged back in as the agent. All OK.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-64-ok

Comment 3 claire robinson 2014-04-24 16:43:36 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 4 claire robinson 2014-04-24 17:08:34 CEST
Testing complete mga4 32 & 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 5 claire robinson 2014-04-24 18:14:14 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-04-24 21:16:13 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0194.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 James Kerr 2014-04-24 23:37:06 CEST
The advisory page seems to be incomplete. The email message is OK. Compare:

http://advisories.mageia.org/MGASA-2014-0194.html

https://ml.mageia.org/l/arc/updates-announce/2014-04/msg00062.html

Comment 8 Thomas Backlund 2014-04-24 23:42:13 CEST
Fixed, thanks for noticing

It was the <iframe> tag in description breaking the page
