OpenSuSE has issued an advisory today (September 19): http://lists.opensuse.org/opensuse-updates/2012-09/msg00079.html Mageia 2 is also affected. This is fixed upstream in version 3.1.10 (which OpenSuSE updated to).
Whiteboard: (none) => MGA2TOO
Severity: normal => major
CC: (none) => guillomovitch
CC: (none) => dlucio
CC: (none) => oe
Assignee: bugsquad => dlucio
Fixed in Cauldron by Daniel Lucio.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
So for this one the only things remaining are the advisory and pushing it to core/updates_testing?
CC: (none) => juan.baptiste
(In reply to comment #2)
> So for this one the only things remaining is the advisory and push it to
> core/updates_testing ?

If you mean backporting from Cauldron to Mageia 2 SVN, then pushing to updates_testing, yes, that would do it.
Ok, I'll work on this one.
Status: NEW => ASSIGNED
Assignee: dlucio => juan.baptiste
Ok, update available in core/updates_testing.
Thanks Juan Luis!

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element (CVE-2012-2582).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags (CVE-2012-4600).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element (CVE-2012-4751).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4751
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
http://lists.opensuse.org/opensuse-updates/2012-09/msg00079.html
========================

Updated packages in core/updates_testing:
========================

otrs-3.1.11-1.mga2 from otrs-3.1.11-1.mga2.src.rpm
Assignee: juan.baptiste => qa-bugs
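The advisory above lists four e-mail body patterns that got past OTRS's HTML filtering: a CSS expression() in a STYLE attribute, a UTF-7 charset in an HTTP-EQUIV META tag, nested tags that only resolve to a script element after one round of stripping, and a javascript: URL hidden behind leading whitespace. The Python below is an added illustration, not OTRS code and not from this bug report, of the check a defender would want on inbound mail: normalize attribute values the way the browser will see them before matching, and strip tags to a fixed point so nested constructions cannot survive a single pass. All sample bodies are constructed, and the function names are mine.

```python
"""Defensive checks for the HTML e-mail body patterns named in the OTRS
advisory (CVE-2012-2582, CVE-2012-4600, CVE-2012-4751).  Added illustration,
not OTRS code; every sample below is constructed."""
import html
import re

_TAG = re.compile(r"<[^<>]*>")
# name="value", name='value' or name=value inside a tag
_ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_WS_CTRL = re.compile(r"[\s\x00-\x1f]+")
_URL_ATTRS = {"src", "href", "action", "background", "formaction"}


def normalize(value: str) -> str:
    """Bring an attribute value to the form the browser acts on before
    matching: decode entities, drop CSS comments, remove all whitespace and
    control characters, case-fold.  A filter that compared the raw string is
    exactly what '  javascript:' (CVE-2012-4751) walked past."""
    value = html.unescape(value)
    value = _CSS_COMMENT.sub("", value)
    value = _WS_CTRL.sub("", value)
    return value.lower()


def attribute_findings(tag: str) -> set:
    """Inspect one tag's attributes; return the set of vector labels seen."""
    attrs = {}
    for m in _ATTR.finditer(tag):
        raw = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = normalize(raw)
    findings = set()
    if "expression(" in attrs.get("style", ""):
        findings.add("css-expression")            # CVE-2012-2582 (1)
    if (attrs.get("http-equiv") == "content-type"
            and "charset=utf-7" in attrs.get("content", "")):
        findings.add("utf7-meta")                 # CVE-2012-2582 (2)
    for name in _URL_ATTRS.intersection(attrs):
        if attrs[name].startswith(("javascript:", "vbscript:")):
            findings.add("script-url")            # CVE-2012-4751
    return findings


def strip_tags_once(body: str) -> str:
    return _TAG.sub("", body)


def strip_tags(body: str) -> str:
    """Strip tags until nothing changes.  One pass over '<scr<x>ipt>' leaves
    '<script>' behind, which is the nested-tag construction CVE-2012-4600
    describes for Firefox and Opera."""
    previous = None
    while previous != body:
        previous, body = body, _TAG.sub("", body)
    return body


def scan_body(body: str) -> set:
    """Return the set of vector labels found in an HTML e-mail body."""
    findings = set()
    for tag in _TAG.findall(body):
        findings |= attribute_findings(tag)
    if strip_tags_once(body) != strip_tags(body):
        findings.add("nested-tags")
    return findings


def render_for_agent(body: str) -> str:
    """Fallback a ticket view can apply: show a suspicious body as escaped
    text, so the agent still reads it but the browser executes nothing."""
    return html.escape(body) if scan_body(body) else body


# Constructed samples, one per vector in the advisory plus a benign body.
SAMPLES = {
    "css_expression": '<div style="width: expr/**/ession(alert(1))">x</div>',
    "utf7_meta": '<meta http-equiv="Content-Type" content="text/html; charset=UTF-7">',
    "nested_tags": '<scr<x>ipt>alert(1)</scr</x>ipt>',
    "ws_javascript": '<iframe src="\n\t javascript:alert(1)"></iframe>',
    "benign": '<p style="color: red">Hello <a href="https://example.org/?a=b">link</a></p>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:15s} -> {sorted(scan_body(body)) or 'clean'}")
```

The benign sample keeps its STYLE and HREF, which is the point: the checks act on normalized values and structural fixed points rather than banning attributes wholesale, so legitimate HTML mail still renders while each of the four advisory patterns is flagged.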
Testing complete on Mageia 2 i586. No PoC that I could find, so just testing that I can create an agent, customer, and ticket.

Note for other testers: when following the README instructions, do not create the SQL database or user prior to going to http://localhost/otrs/installer.pl
CC: (none) => davidwhodgins
Whiteboard: (none) => MGA2-32-OK
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm otrs-3.1.11-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated otrs package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x before 3.1.6, allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in an HTTP-EQUIV="CONTENT-TYPE" META element (CVE-2012-2582).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags (CVE-2012-4600).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC attribute of an element, as demonstrated by an IFRAME element (CVE-2012-4751).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4751
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
http://lists.opensuse.org/opensuse-updates/2012-09/msg00079.html
https://bugs.mageia.org/show_bug.cgi?id=7527
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-32-OK => MGA2-32-OK MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0322
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED