ESB-2017.2999 - [UNIX/Linux][Debian] otrs2: Multiple vulnerabilities 2017-11-24

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2999
                           otrs2 security update
                             24 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           otrs2
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Privileged Data          -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-16664 CVE-2017-15864 

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-4047

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running otrs2 check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4047-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 23, 2017                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : otrs2
CVE ID         : CVE-2017-15864 CVE-2017-16664

Two vulnerabilities were discovered in the Open Ticket Request System
which could result in disclosure of database credentials or the
execution of arbitrary shell commands by logged-in agents.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.3.18-1+deb8u2.

For the stable distribution (stretch), these problems have been fixed in
version 5.0.16-1+deb9u3.

We recommend that you upgrade your otrs2 packages.

For the detailed security status of otrs2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/otrs2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAloXRmAACgkQEMKTtsN8
TjZWTg//eP+vuqJDmMrEWiqv3HwFVlDAwufLVtfyvZaRuvQLSCaPJ5vEWVNWWZrg
IPO8h7ch/p0jmDONlJBPBpWWh7fYd9P7YkqXCCfj8J5A20LATtzQ8ckZ9Cfv0ppP
m7RvEtU961rraZn88dSim+rYY4XWThWl3Mc8zJkjoKYK7yzBLdIuC6XBiJ4jbZ2a
JnmviWoPPdhqCyRm5MVqVO7QJ5MHo4sqAaBZQpHTXVG19lApnSmJJUKRtpog3Fob
Zt9I1ThQYmnEQdgQeUmTckCN7O6bEUm1XLfRSlGD5/Ukk6+HaS4vEQj9AVnSWgqi
pHR4u6S24EPZDxo97DllgW37jtBIP+DTY537i26GJOTUZHgrOeAY2xd1yFFsLsr6
8LMgXFbwB4sJaf/43iZUBATM7um01YImv37WeA34XTJ+y5zpxeIy5OMIrz75G6PZ
BCbROZybPDn8Pf8LNSi/rYDqMlGb5Ly5a4mjAc8b3Y8eGs76Bf+Ql1kcc5Rmi+bH
Pan7UjXWaKJXfs7JzUP+gviyVzaXsWJz3GH/LFyBIcWKPhRS+wwGvoCRK158npXv
z7pMErMqbBfJfqLBV/2cYAiPV+ouQXVGn7ElCbLXuy0tyhmRJk7Vp6NA04pUP/X8
6OS69PjXcw8R1cW8XXvQkYYJZ991psAWRkVwjO6CBZOA3BKJclM=
=ocZl
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWhdwzox+lLeg9Ub1AQjZyQ/9E8G7y3HcihCuUi+A74ckOtMeXMeyzmsq
GDcRkNEdxzou7cSFJyKJefDSW2aGNnJIfXOgiqzEklhfURzX19sxSJMimAxfKFu4
oCIULrKR7DJdMXKKlsNdH8tDC2iV5NYSdHjCQGXkFB7T+CE0Bwolunz+MedeeN7N
s2txn9g+5cYgOXm5OMKDUEs0a05bUthkeyP/FOmezQSWGLbAkOXRQ2vJUHUc/pzW
a1JGq/kvV2IgLYjeiCpmXz9xIMwmOyO4xYE7pdsbO4bCaKTmRL6Zh9H4zvdHfdyG
MklTw3udSvgjGDtHjlBBV7i2WY29Wa8zybcQbe95mEvh2kRpVtfoYa6iCqNVPvj9
YrnRXtszJBR9wo5NYM6WAJML5XaX1rP0iNUQO+0WEO8lw9HKROihJagTv18MYCm/
DpjWjVX0ukQjVjD8kmF1Jvrxr4KJ9a3irdS1uyh+iJvkTUhtLzlXbA9RcvTmfR8i
UCP/Y6lPl4VZvj6zi7dSIWnfG6arnre+uU2Rulc8sNcgCwHM6/mhQ0yoOD6yDT4f
6HuDb1vu5gp+jMiI2LmiKjdIaQiH6UajYYvBnmVyAOpq3FlWIEu1WeFQNxoDqQcM
7v0j7RV6F0nWQ1+iVhUtGMJEVrj4dGGYYT/XO5Ml+NSVn4btK94WMtgCS6YXggEm
QbDd67eQmi0=
=1bNX
-----END PGP SIGNATURE-----

« Back to bulletins