Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 2867-1] otrs2 security update

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [SECURITY] [DSA 2867-1] otrs2 security update


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: Salvatore Bonaccorso <carnil AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 2867-1] otrs2 security update
  • Date: Sun, 23 Feb 2014 20:42:01 +0000
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
  • Old-return-path: <carnil AT master.debian.org>
  • Priority: urgent
  • Resent-date: Sun, 23 Feb 2014 20:42:23 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <_SBCnUht80C.A.EMD.u0lCTB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2867-1 security AT debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
February 23, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : otrs2
Vulnerability : several
CVE ID : CVE-2014-1471 CVE-2014-1694

Several vulnerabilities were discovered in otrs2, the Open Ticket
Request System. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2014-1471

Norihiro Tanaka reported missing challenge token checks. An attacker
that managed to take over the session of a logged in customer could
create tickets and/or send follow-ups to existing tickets due to
these missing checks.

CVE-2014-1694

Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
valid customer or agent login could inject SQL code through the
ticket search URL.

For the oldstable distribution (squeeze), these problems have been fixed in
version 2.4.9+dfsg1-3+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in
version 3.1.7+dfsg1-8+deb7u4.

For the testing distribution (jessie) and the unstable distribution
(sid), these problems have been fixed in version 3.3.4-1.

We recommend that you upgrade your otrs2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTClzdAAoJEAVMuPMTQ89EkjoP/RbBPM2R1xYqnVkV4Wf9njsJ
IKTBGnER1miZ6PlDq6YCxKNkWTLBfflLf4AvpkX7kH6Frh19o6FJYxQ1/qvESfJh
zuuOT2fi5b66C2XhYXzsAJ+0fCcnCJSrBcWB8vwhrCqICptwp4TzIQ5WAzBRB3pL
cA/DRM/UgT+jZXb68cl27zOJL0D9E8MnOpSImrjh3+Sz3dgeG2UOmE8ZLcaGagDk
04dS5LDEOGRwIjC4+vKU113M4KWW5waP3PgChwBZwr3rjYFo69pZT619QYxoP70g
mZtKem30AHBFflqDhhN4b5POtRGpq9WLH3iDNK7RO7DyeE2gs+QN5C5w6Anw8IgH
4ePu4gWwru4F3lCu6jRc06MKqxy35tJLZvcsQY/IOKhV3e1YxfmOuNqEk0VqWCEG
rWwOrNaAcRGBE9FFLYsCSFCrkbkrkb/BP6Lz7QZrxRUhz23M1Qj6SKJr3zPX9FPc
yCaKn+zhC7tW9gub7Ko0KPv4e5IQJBaBVnnx8ls2c71PQi1RZ9A6a2sdMi8Queir
3fzGK0+pxBcqX1OHHlU3/ScVAAZRBGvLcL8CY23l36wIJ0DSEfnkvQtIVlhk/axZ
n40aczl/oAYzU4WmR7iESAA0eNYkUDiR3WyT66Df5Ipq0WXOk8P4826/fhkmM94J
Qi2eEVijIJqIo/HjZ51Z
=/RNB
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-security-announce-REQUEST AT lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster AT lists.debian.org
Archive: E1WHfs9-0001Zp-29 AT master.debian.org">http://lists.debian.org/E1WHfs9-0001Zp-29 AT master.debian.org



  • [IT-SecNots] [SECURITY] [DSA 2867-1] otrs2 security update, Salvatore Bonaccorso, 23.02.2014

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang