Bug 7527 - otrs new security issue CVE-2012-4600
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/516948/
Whiteboard: MGA2-32-OK MGA2-64-OK
Keywords: validated_update

Reported: 2012-09-19 19:52 CEST by David Walser
Modified: 2012-11-06 20:27 CET
Source RPM: otrs-3.1.2-2.mga2.src.rpm
Description David Walser 2012-09-19 19:52:00 CEST
OpenSuSE has issued an advisory today (September 19):
http://lists.opensuse.org/opensuse-updates/2012-09/msg00079.html

Mageia 2 is also affected.

This is fixed upstream in version 3.1.10 (which OpenSuSE updated to).
Comment 1 David Walser 2012-11-02 11:17:24 CET
Fixed in Cauldron by Daniel Lucio.
Comment 2 Juan Luis Baptiste 2012-11-02 21:50:37 CET
So for this one the only things remaining are the advisory and pushing it to core/updates_testing?
Comment 3 David Walser 2012-11-02 21:53:07 CET
(In reply to comment #2)
> So for this one the only things remaining are the advisory and pushing it to
> core/updates_testing?

If you mean backporting from Cauldron to Mageia 2 SVN, then pushing to updates_testing, yes, that would do it.
Comment 4 Juan Luis Baptiste 2012-11-03 00:15:40 CET
Ok, I'll work on this one.
Comment 5 Juan Luis Baptiste 2012-11-03 00:26:11 CET
Ok, update available in core/updates_testing.
Comment 6 David Walser 2012-11-03 00:35:05 CET
Thanks Juan Luis!

Advisory:
========================

Updated otrs package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request
System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x
before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x
before 3.1.6, allow remote attackers to inject arbitrary web script or HTML
via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression
property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in
an HTTP-EQUIV="CONTENT-TYPE" META element (CVE-2012-2582).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS)
Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10,
when Firefox or Opera is used, allows remote attackers to inject arbitrary
web script or HTML via an e-mail message body with nested HTML tags
(CVE-2012-4600).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS)
Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11
allows remote attackers to inject arbitrary web script or HTML via an e-mail
message body with whitespace before a javascript: URL in the SRC attribute of
an element, as demonstrated by an IFRAME element (CVE-2012-4751).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4751
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
http://lists.opensuse.org/opensuse-updates/2012-09/msg00079.html
========================

Updated packages in core/updates_testing:
========================
otrs-3.1.11-1.mga2

from otrs-3.1.11-1.mga2.src.rpm
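
An added example, not part of the bug thread and not OTRS code: a defensive audit of an HTML mail body for the STYLE `expression`, UTF-7 META, and whitespace-prefixed `javascript:` SRC patterns named in the advisory above. The attribute set, scheme allowlist, function names and sample body are assumptions made for illustration; the "nested HTML tags" case of CVE-2012-4600 is not covered because the advisory gives no detail on it.

```python
import re
from html.parser import HTMLParser

URL_ATTRS = {"src", "href", "action", "background"}  # assumed set of URL-bearing attributes
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}    # assumed allowlist for mail bodies

def naive_is_script_url(value):
    """Hypothetical weak check: misses a scheme preceded by whitespace."""
    return value.lower().startswith("javascript:")

def url_scheme(value):
    """Return the scheme as a browser resolves it, or None for a relative URL."""
    # Browsers strip leading/trailing C0 controls and spaces, and drop TAB/CR/LF anywhere.
    cleaned = re.sub(r"[\t\r\n]", "", value.strip("".join(map(chr, range(0x21)))))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None

class MailBodyAuditor(HTMLParser):
    """Collects (tag, attribute, reason) for each risky construct found."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for name, value in a.items():
            if name in URL_ATTRS:
                scheme = url_scheme(value)
                if scheme is not None and scheme not in SAFE_SCHEMES:
                    self.findings.append((tag, name, "scheme:" + scheme))
            elif name == "style" and re.search(r"expression\s*\(", value, re.I):
                self.findings.append((tag, name, "css-expression"))
        if (tag == "meta" and a.get("http-equiv", "").lower() == "content-type"
                and re.search(r"charset\s*=\s*utf-7", a.get("content", ""), re.I)):
            self.findings.append((tag, "content", "utf-7-charset"))

def audit(html_body):
    parser = MailBodyAuditor()
    parser.feed(html_body)
    parser.close()
    return parser.findings

# Constructed sample body with inert values, one line per advisory pattern plus benign links.
SAMPLE = (
    '<meta HTTP-EQUIV="CONTENT-TYPE" content="text/html; charset=UTF-7">'
    '<div style="width: expression(1)">x</div>'
    '<iframe src=" javascript:void(0)"></iframe>'
    '<a href="https://example.org/">ok</a><img src="cid:logo">'
)
```

The allowlist on the normalized scheme is what closes the gap: a check that only looks for a literal `javascript:` prefix passes the IFRAME value unchanged, while `audit(SAMPLE)` reports it.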
Comment 7 Dave Hodgins 2012-11-04 20:02:10 CET
Testing complete on Mageia 2 i586.

No PoC that I could find, so just testing that I can create an agent,
customer, and ticket.

Note for other testers: when following the README instructions, do
not create the SQL database or user prior to going to
http://localhost/otrs/installer.pl
Comment 8 Dave Hodgins 2012-11-06 02:05:38 CET
Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm
otrs-3.1.11-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates?

Advisory: Updated otrs package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request
System (OTRS) Help Desk 2.4.x before 2.4.13, 3.0.x before 3.0.15, and 3.1.x
before 3.1.9, and OTRS ITSM 2.1.x before 2.1.5, 3.0.x before 3.0.6, and 3.1.x
before 3.1.6, allow remote attackers to inject arbitrary web script or HTML
via an e-mail message body with (1) a Cascading Style Sheets (CSS) expression
property in the STYLE attribute of an arbitrary element or (2) UTF-7 text in
an HTTP-EQUIV="CONTENT-TYPE" META element (CVE-2012-2582).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS)
Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10,
when Firefox or Opera is used, allows remote attackers to inject arbitrary
web script or HTML via an e-mail message body with nested HTML tags
(CVE-2012-4600).

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS)
Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11
allows remote attackers to inject arbitrary web script or HTML via an e-mail
message body with whitespace before a javascript: URL in the SRC attribute of
an element, as demonstrated by an IFRAME element (CVE-2012-4751).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2582
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4751
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-01/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/
http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-03/
http://lists.opensuse.org/opensuse-updates/2012-09/msg00079.html

https://bugs.mageia.org/show_bug.cgi?id=7527
Comment 9 Thomas Backlund 2012-11-06 20:27:50 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0322
