-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2906
                [SECURITY] [DLA 1521-1] otrs2 security update
                             27 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           otrs2
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges     -- Remote with User Interaction
                   Delete Arbitrary Files   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16587 CVE-2018-16586

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running otrs2 check for an updated version of the software for
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : otrs2
Version        : 3.3.18-1+deb8u6
CVE ID         : CVE-2018-16586 CVE-2018-16587

Fabien Arnoux discovered several security issues in email validation of
otrs system.

CVE-2018-16586

    Load external image or CSS resources in browser when user opens a
    malicious email.

CVE-2018-16587

    Remote deletions of arbitrary files that the OTRS web server user has
    write access when opening malicious email.

For Debian 8 "Jessie", these problems have been fixed in version
3.3.18-1+deb8u6.

We recommend that you upgrade your otrs2 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlururYACgkQhj1N8u2c
KO9c6Q//bCZJI5hUNnoilRF0eWfci5ykPbFFqGWBown91OnIIMZdZ25N93m5v94y
GnVcj+ZbhKnOBGjgjkCeBghz9nsutABwrVV+Qu9fl4zRn0rw4CwCxmE7LTwpHblW
h8geOWVcAugjW19kOMx6vfl7aN91pdfswLprmndPnqCzh4AM4hnbEaUQrqc8EHof
XtPzN4SUDs7O2ZaIDoJSkQ6l2+wwofMQ5Wp9chaQJ1KxVzh60lrXpyVMiT5xAKes
4F7AilTx/5msWiOSqceELPd8p5gIBu96dycD0uBf/7Fv7ZYJ5l3RKnZeGooAdB8+
bQdgh3GCsY0rxcPOSud8e7VLEXn8m1Bi7J1AnvDPZw6Z30sb5DfccvpD2O9DahdG
fa0pBvDDLQ4gIJ4NEGH+JKmNk6ZQGIn6PabxuJwkQ9djpBdIXJNG69ZPnAc8ef1p
DCD0ECt7UZ+wgcg0KlZwQV+Iu6F9mPi6eOLAs40tzwInloJNbUUtKMzBrvH4SjKK
W9QJDef6P2U8yRhUGNpIoumPM9JGMnfeFjQOwficHKH2qhAZIE0UC/AGw9k57cI8
Xk3iD8VZ7s8HY9/jL4ouBaQHuZN0TS7zN0f3l1Hnv3E269pxeVwHGnD5OrqYqlMo
aJGQ0HjL4Vx5Gkvj4SgO2fj1fJHmuaFLEMFtkWNhvtj1FADX54g=
=R2Hi
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW6wzPWaOgq3Tt24GAQg5zxAAv+NjS/tM/2x8ETsM5T10Or1DY9m55so8
Ewux8o3oWkbiPBbEr3r213t8dsYGqZNQtMvau4hd9eIj/ceHeVlcJ4L5uivsJS7k
tigk4gkPi7qalaJ2BKSYW0Y/xf+YvK9nbTTS50/mEzM8DHieS/ALhi0Z9IgrP4rl
v0mV6E/CuJFBOJ56QuR5k0bdL5HxGy/bk0Z0qWGaWUmUELzIsO3IcH/Mp9crak0e
xBYu0eMAqV7vRpYqwaxQkqxMt+2wBwv3+1kYyFYr8VT3KAl1MY7G3pxXFlaRrfnn
qwS1yVPtycjOLSkEcxISJakJ2TTTOUR4XHx7c863hoF5GYnQtgug7TvXNey7nWHI
RUWdvJtVy7u1f/pGY5ZWW8MFcFKDDgaN7lmHF84+j/BILM+yTOJHyFrFX3zEWctR
HNhRalFcer54ao0EkrHqrKWDe2qv9RSKDvoyUmwLqlp8H686v6W69qShgnYwDjRX
VyX8UkFfx5Noh5yOeEXOSfyS4GWIStsNKNL71u1ji3nch2ac2OdVsEkfln6q7fa6
SlincUfo+V2XAMMJhV87pu5e5ua2EPMuLKEiBlv6Rkqed7m+5nhOWXHzpkbjDHul
m4GiD9dahr3ebbH6zsfNtBUTBpiVgubgicBXahipzmRA0qarwXCAm6ZnXCIGa/Nc
4S+jm2cdKic=
=hFib
-----END PGP SIGNATURE-----
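The bulletin's only remediation is the version check: an otrs2 package at 3.3.18-1+deb8u6 or later on Debian 8 carries the fix for both CVEs. Comparing Debian version strings lexically gets this wrong (a later point release such as a hypothetical "+deb8u10" sorts before "+deb8u6" as plain text, and "~" backports sort before the release they precede), so the following added example, which is not part of the AusCERT or Debian advisory, reimplements dpkg's version ordering in Python and applies it to constructed `dpkg-query -W -f='${Package}\t${Version}\n' otrs2` output lines. On a real Debian host, `dpkg --compare-versions` is the authoritative check; this block exists so the comparison can be run offline, for example over inventory exported from many hosts. The fixed version string is taken from the advisory; every sample line is constructed.

```python
"""Check installed otrs2 versions against the fixed version named in
DLA 1521-1 using dpkg's version-ordering rules.

Added example, not part of the advisory. FIXED_VERSION comes from the
advisory; the dpkg-query sample lines below are constructed."""
import re

FIXED_VERSION = "3.3.18-1+deb8u6"   # from DLA 1521-1 (Debian 8 "Jessie")


def _char_order(c):
    """dpkg ordering for one character of a non-digit fragment: '~' sorts
    before everything (even the end of the string, which is 0), letters sort
    before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two non-digit fragments character by character."""
    for i in range(max(len(a), len(b))):
        ca = _char_order(a[i]) if i < len(a) else 0
        cb = _char_order(b[i]) if i < len(b) else 0
        if ca != cb:
            return -1 if ca < cb else 1
    return 0


def _cmp_part(a, b):
    """Compare upstream-version or debian-revision strings: alternate between
    a non-digit fragment (compared by _cmp_fragment) and a digit run
    (compared numerically) until both strings are exhausted."""
    while a or b:
        fa = re.match(r"[^0-9]*", a).group()
        fb = re.match(r"[^0-9]*", b).group()
        r = _cmp_fragment(fa, fb)
        if r:
            return r
        a, b = a[len(fa):], b[len(fb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0 and a missing
    revision is '0', as dpkg treats them."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    revision = "0"
    if "-" in v:
        v, revision = v.rsplit("-", 1)
    return epoch, v, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def audit_dpkg_query(lines, fixed=FIXED_VERSION):
    """Evaluate lines shaped like the output of
    dpkg-query -W -f='${Package}\\t${Version}\\n' otrs2
    and return {version: fixed?} for every otrs2 entry."""
    result = {}
    for line in lines:
        pkg, _, ver = line.strip().partition("\t")
        if pkg == "otrs2" and ver:
            result[ver] = is_fixed(ver, fixed)
    return result


# Constructed sample inventory: one host still on the previous security
# upload, one on the fixed version, one on a hypothetical later point release.
SAMPLE_LINES = [
    "otrs2\t3.3.18-1+deb8u5",
    "otrs2\t3.3.18-1+deb8u6",
    "otrs2\t3.3.18-1+deb8u10",
]

if __name__ == "__main__":
    for ver, ok in audit_dpkg_query(SAMPLE_LINES).items():
        print(f"{ver:24s} {'fixed' if ok else 'VULNERABLE'}")
```

The comparison is the part worth keeping: the same `compare_versions` function serves any DLA or DSA version check, and the epoch and "~" handling is what separates it from a naive tuple-of-integers comparison.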