Operating System: Debian

Published: 24 February 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0228
                           otrs2 security update
                             24 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           otrs2
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1694 CVE-2014-1471

Reference:         ESB-2014.0121

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2867

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2867-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
February 23, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : otrs2
Vulnerability  : several
CVE ID         : CVE-2014-1471 CVE-2014-1694

Several vulnerabilities were discovered in otrs2, the Open Ticket
Request System. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2014-1471

    Norihiro Tanaka reported missing challenge token checks. An attacker
    that managed to take over the session of a logged-in customer could
    create tickets and/or send follow-ups to existing tickets due to
    these missing checks.

CVE-2014-1694

    Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
    valid customer or agent login could inject SQL code through the
    ticket search URL.
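As an added illustration (not from the advisory and not OTRS code), the two bug classes side by side in Python: a ticket search that copies the URL parameter into SQL beside its bound-parameter form (the CVE-2014-1694 pattern), and a ticket-create handler with and without the per-session challenge token check (the CVE-2014-1471 pattern). The in-memory table, the sample tickets and all function names are constructed for the example.

```python
import hmac
import secrets
import sqlite3


def make_db():
    # Constructed in-memory ticket table standing in for the OTRS ticket store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ticket (tn TEXT, title TEXT, customer TEXT)")
    db.executemany("INSERT INTO ticket VALUES (?, ?, ?)", [
        ("2014022310000011", "Printer offline", "alice"),
        ("2014022310000022", "VPN drops", "alice"),
        ("2014022310000033", "Salary question", "bob"),
    ])
    return db


def search_unsafe(db, customer, tn):
    # Search value interpolated verbatim: a quote in the URL parameter
    # rewrites the WHERE clause and can cross the customer boundary.
    sql = f"SELECT tn FROM ticket WHERE customer = '{customer}' AND tn = '{tn}'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, customer, tn):
    # Bind parameters: the value can never change the statement's structure.
    sql = "SELECT tn FROM ticket WHERE customer = ? AND tn = ?"
    return [row[0] for row in db.execute(sql, (customer, tn))]


def new_session(user):
    # Per-session challenge token issued at login; every form and action
    # link the customer frontend renders must carry it back.
    return {"user": user, "ChallengeToken": secrets.token_hex(16)}


def create_ticket(db, session, params, check_token=True):
    # check_token=False reproduces the missing check: any request that
    # rides on the session cookie is accepted, whatever its origin.
    if check_token:
        supplied = params.get("ChallengeToken", "").encode()
        expected = session["ChallengeToken"].encode()
        if not hmac.compare_digest(supplied, expected):
            return False  # reject: token absent or not this session's
    db.execute("INSERT INTO ticket VALUES (?, ?, ?)",
               (params["tn"], params["title"], session["user"]))
    return True
```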

For the oldstable distribution (squeeze), these problems have been fixed in
version 2.4.9+dfsg1-3+squeeze5.

For the stable distribution (wheezy), these problems have been fixed in
version 3.1.7+dfsg1-8+deb7u4.

For the testing distribution (jessie) and the unstable distribution
(sid), these problems have been fixed in version 3.3.4-1.

We recommend that you upgrade your otrs2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================