ESB-2018.2906 - [Win][UNIX/Linux][Debian] otrs2: Multiple vulnerabilities 2018-09-27



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2906
               [SECURITY] [DLA 1521-1] otrs2 security update
                             27 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          otrs2
Publisher:        Debian
Operating System: Debian GNU/Linux 8
                  Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Increased Privileges   -- Remote with User Interaction
                  Delete Arbitrary Files -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2018-16587 CVE-2018-16586

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running otrs2 check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------


Package        : otrs2
Version        : 3.3.18-1+deb8u6
CVE ID         : CVE-2018-16586 CVE-2018-16587


Fabien Arnoux discovered several security issues in the email validation
of the OTRS system.

CVE-2018-16586

    External image or CSS resources are loaded in the browser when a user
    opens a malicious email.

CVE-2018-16587

    Remote deletion of arbitrary files to which the OTRS web server user
    has write access, triggered when a malicious email is opened.

For Debian 8 "Jessie", these problems have been fixed in version
3.3.18-1+deb8u6.

We recommend that you upgrade your otrs2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------
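As an added check, not part of the Debian advisory or the AusCERT bulletin: a small Python implementation of dpkg's version ordering that tells whether an installed otrs2 version on Debian 8 is older than the fixed 3.3.18-1+deb8u6 named above. The function names and the sample versions are this example's own assumptions; it needs no dpkg binary, so it can run on a workstation against a list of versions gathered from hosts.

```python
# Added example, not part of the DLA: dpkg-style Debian version comparison to tell whether
# an installed otrs2 package predates the fixed version named above. Rules follow dpkg's
# verrevcmp: epoch, upstream, then revision; '~' sorts before even end of string.
import re
FIXED_VERSION = "3.3.18-1+deb8u6"  # fixed Debian 8 package per DLA 1521-1

def _order(c):
    """Weight of one character: '~' < end of string < digits < letters < other symbols."""
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream or revision strings; negative, zero or positive like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare weights character by character; end of string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: compare numerically (leading zeros do not matter).
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(version):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for r in (_verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if r:
            return -1 if r < 0 else 1
    return 0

def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed otrs2 version is older than the fixed package."""
    return compare_versions(installed, fixed) < 0
```

A backports-style suffix such as 3.3.18-1+deb8u6~bpo8+1 is reported as still vulnerable because dpkg orders '~' before the end of the string, which a plain string comparison would get wrong.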

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
