===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0228
                            otrs2 security update
                              24 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           otrs2
Publisher:         Debian
Operating System:  Debian GNU/Linux 6
                   Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1694 CVE-2014-1471
Reference:         ESB-2014.0121

Original Bulletin:
   http://www.debian.org/security/2014/dsa-2867

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-2867-1                   security@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
February 23, 2014                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : otrs2
Vulnerability  : several
CVE ID         : CVE-2014-1471 CVE-2014-1694

Several vulnerabilities were discovered in otrs2, the Open Ticket Request
System. The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2014-1471

    Norihiro Tanaka reported missing challenge token checks. An attacker
    that managed to take over the session of a logged in customer could
    create tickets and/or send follow-ups to existing tickets due to
    these missing checks.

CVE-2014-1694

    Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
    valid customer or agent login could inject SQL code through the
    ticket search URL.

For the oldstable distribution (squeeze), these problems have been fixed
in version 2.4.9+dfsg1-3+squeeze5.
For the stable distribution (wheezy), these problems have been fixed in
version 3.1.7+dfsg1-8+deb7u4.

For the testing distribution (jessie) and the unstable distribution (sid),
these problems have been fixed in version 3.3.4-1.

We recommend that you upgrade your otrs2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
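Added example, not part of the Debian advisory or the AusCERT bulletin: a Python check of whether an installed otrs2 version is at or above the fixed version the advisory lists for its suite. It re-implements dpkg's version ordering (epoch, upstream, Debian revision, with '~' sorting before everything, even the end of the string) instead of calling dpkg, so it runs anywhere; the suite keys and function names are this example's own assumptions.

```python
# Added example, not code from DSA-2867-1 or the AusCERT bulletin: is an installed
# otrs2 version at or above the fixed version the advisory lists for its suite?
# Ordering re-implements dpkg's version rules; suite keys are this example's choice.
FIXED_OTRS2 = {
    "squeeze": "2.4.9+dfsg1-3+squeeze5",  # oldstable
    "wheezy": "3.1.7+dfsg1-8+deb7u4",     # stable
    "jessie": "3.3.4-1",                   # testing
    "sid": "3.3.4-1",                      # unstable
}

def _order(c):
    """dpkg weight of one character: '~' < end of string or digit (0) < letters < others."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """dpkg comparison of an upstream or revision string: alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = (_order(a[i]) if i < len(a) else 0) - (_order(b[j]) if j < len(b) else 0)
            if diff:
                return diff  # '~' sorts even before the end of the string
            i, j = i + 1, j + 1
        na = nb = ""  # digit run: compared numerically, so leading zeros do not matter
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        if int(na or "0") != int(nb or "0"):
            return int(na or "0") - int(nb or "0")
    return 0

def compare_versions(v1, v2):
    """-1, 0 or 1 as v1 sorts before, equal to, or after v2 in dpkg order."""
    def split(v):  # '[epoch:]upstream[-revision]'; the last '-' starts the revision
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def otrs2_is_fixed(suite, installed):
    """True when the installed otrs2 version carries the fix for the named suite."""
    return compare_versions(installed, FIXED_OTRS2[suite]) >= 0
```

Feed it the output of `dpkg-query -W -f '${Version}' otrs2` from the host being checked; a pre-release such as `3.3.4-1~rc1` correctly sorts below the fixed `3.3.4-1`.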