Debian has issued an advisory on January 10: https://www.debian.org/security/2015/dsa-3124

The issue is fixed upstream in 3.2.17:
https://www.otrs.com/release-notes-otrs-help-desk-3-2-17/
https://www.otrs.com/security-advisory-2014-06-incomplete-access-control/

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated otrs package fixes security vulnerability:

An attacker with valid OTRS credentials could access and manipulate ticket data of other users via the GenericInterface, if a ticket webservice is configured and not additionally secured (CVE-2014-9324).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9324
https://www.otrs.com/security-advisory-2014-06-incomplete-access-control/
https://www.otrs.com/release-notes-otrs-help-desk-3-2-17/
https://www.debian.org/security/2015/dsa-3124
========================

Updated packages in core/updates_testing:
========================
otrs-3.2.17-1.mga4

from otrs-3.2.17-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Testing procedure in: https://bugs.mageia.org/show_bug.cgi?id=12473
Whiteboard: (none) => has_procedure
Testing on Mageia 4x32 real hardware following the procedure mentioned in Comment 1.

From current package:
--------------------
otrs-3.2.16-1

Went to: http://localhost/otrs/installer.pl
Set up mysql database through otrs installer and connected to it.

To update to testing package:
--------------------------
otrs-3.2.17-1.mga4

Connected back to previous database: http://127.0.0.1/otrs/index.pl
OK

To check updated testing package could create otrs database from scratch:
# urpme otrs
With phpmyadmin, dropped otrs database and
# rm -R -f /var/www/otrs/
Reinstalled otrs-3.2.17-1.mga4 and restarted httpd service.
Retraced installation.
All OK
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Install mariadb
create mariadb database
In root terminal:
systemctl start mysqld.service
Set password to: testotrs
[root@localhost wilcal]# mysqladmin -u root password
type password "testotrs" twice

Package(s) under test: otrs

default install of otrs
[root@localhost wilcal]# urpmi otrs
Package otrs-3.2.16-1.mga4.noarch is already installed

Stumbling around a bit.....

Installed default otrs, successfully opened:
http://localhost/otrs/installer.pl
followed the steps to set up the database and user, interacted with otrs using:
http://localhost/otrs/index.pl

install otrs from updates_testing
[root@localhost wilcal]# urpmi otrs
Package otrs-3.2.17-1.mga4.noarch is already installed

Interacted with updated otrs using:
http://localhost/otrs/index.pl

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
I went about this somewhat differently.

In VirtualBox, M4, KDE, 64-bit
New install

Install mariadb
create mariadb database
In root terminal:
systemctl start mysqld.service
Set password to: testotrs
[root@localhost wilcal]# mysqladmin -u root password
type password "testotrs" twice

Package(s) under test: otrs

enable updates_testing repos
default install of otrs
[root@localhost wilcal]# urpmi otrs
Package otrs-3.2.17-1.mga4.noarch is already installed

Getting better at it:

Installed default otrs, successfully opened:
http://localhost/otrs/installer.pl
followed the steps to set up the database and user, interacted with otrs using:
http://localhost/otrs/index.pl

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
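As an added example (not part of this bug report, the otrs package, or the testers' own steps), a small POSIX shell script that automates the two checks the testers above did by hand: that the installed otrs package is at or above 3.2.17, the version the advisory names as carrying the CVE-2014-9324 fix, and that the OTRS front end still answers after the update. It assumes rpm and curl are installed, that GNU sort supports -V, and that OTRS is reachable at the local URL used in the comments above; the host check only runs when the script is invoked with --check.

```shell
#!/bin/sh
# Added example: verify an OTRS host carries the CVE-2014-9324 fix.
# Assumptions: rpm and curl are present; GNU sort -V is available;
# the fixed version (3.2.17) comes from the advisory in this report.

FIXED_OTRS_VERSION="3.2.17"
OTRS_INDEX_URL="${OTRS_INDEX_URL:-http://localhost/otrs/index.pl}"

# version_ge A B: succeed when version A >= version B in natural ordering.
# sort -V puts the lower version first, so A >= B iff B sorts first.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# otrs_fixed VERSION: print "fixed" or "vulnerable" for an otrs upstream version.
otrs_fixed() {
    if version_ge "$1" "$FIXED_OTRS_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# installed_otrs_version: upstream version of the installed otrs rpm (empty if absent).
installed_otrs_version() {
    rpm -q --qf '%{VERSION}' otrs 2>/dev/null || true
}

# endpoint_up URL: succeed when the OTRS front end returns HTTP 200.
endpoint_up() {
    curl -s -o /dev/null -w '%{http_code}' "$1" | grep -q '^200$'
}

# check_host: run both checks against this machine and report; exit 1 on any failure.
check_host() {
    ver="$(installed_otrs_version)"
    if [ -z "$ver" ]; then
        echo "otrs is not installed"
        return 1
    fi
    state="$(otrs_fixed "$ver")"
    echo "otrs $ver: $state (fixed in $FIXED_OTRS_VERSION)"
    if endpoint_up "$OTRS_INDEX_URL"; then
        echo "front end reachable at $OTRS_INDEX_URL"
    else
        echo "front end NOT reachable at $OTRS_INDEX_URL"
        return 1
    fi
    [ "$state" = fixed ]
}

# Only touch the host when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh check_otrs.sh --check` on the test machine (before and after `urpmi otrs` from updates_testing) to see the state flip from vulnerable to fixed; set OTRS_INDEX_URL if the front end is served elsewhere than localhost.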
For me this update works fine as best I can test it. Testing complete for mga4 32-bit & 64-bit. I'll validate the update in 24 hours unless oliver or clair does so sooner.
Validating. Advisory uploaded. Please push to 4 updates. Thanks
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0031.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED