Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.1570 otrs2 security update 5 May 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: otrs2 Publisher: Debian Operating System: UNIX variants (UNIX, Linux, OSX) Debian GNU/Linux 8 Impact/Access: Access Privileged Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-1774 CVE-2020-1772 CVE-2020-1770 Original Bulletin: https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running otrs2 check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : otrs2 Version : 3.3.18-1+deb8u15 CVE ID : CVE-2020-1770 CVE-2020-1772 CVE-2020-1774 Several vulnerabilities have been discovered in otrs2 (Open source Ticket Request System) CVE-2020-1770 Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. CVE-2020-1772 Its possible to craft Lost Password requests with wildcards in the Token value, which allows attacker to retrieve valid Token(s), generated by users which already requested new passwords. CVE-2020-1774 When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore its possible to mix them and to send private key to the third-party instead of public key. For Debian 8 "Jessie", these problems have been fixed in version 3.3.18-1+deb8u15. We recommend that you upgrade your otrs2 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl6rt2gACgkQhj1N8u2c KO+YXhAAgnXXnXFYtuAw3PfGIbA0VUcIEu3gZAKM/ahCFaILZaN8xN3QFHM84yiH HAjWH/b+PITvCG81TNcO6xn7DAHsVL3rk1+tmg0TY4rBfo9zfdQHP9CXCxf5GClM 4tUt7X2YishqF/kGgQ2fcEC1bLnghWSMVMQ985WTCyP1AwHlc+0SjHhoU8ABhAiE ct4w8hxWlvqMsYF8rf1dIBCWoFQUB50PdB6asjCrOEznMn6wNSOsuM9EXszQpSGk Mho07Syxctmts0FPfMYvBg9eI/5x+tCXMHfKs1pCrmRermlaCEiLLhMznjv0yQdg zulqMKlqt1+FIwklntY8CptFXDNZpFiuIBFziIiWKHYS6KBXON00K9rbdDd2fluQ CMFjWnRzxkj1zuzlXNRqXOd1VCy1P+JpsYJ8SO1uL36UiZbjregS3d750yZ8f8MZ WkuK34hrG666BnBbSnafcvqd9mwkSd1OdekTOt0w2wZMCNSDX4nzFKGd2zFU0lFE HCDkBCi8mBEHWnyufV0ndIYj93dpD4ssLmjEKQpESXhxZY+nnDLZatigtaSus91P Ual4R1U9Cy/z0XB3aUiuXUIqijEq+DjDoBlsrL3yD7KkXEz+dH0GqPJmZa7+wcol uS6j2JzZYB5eM7lJUzljNumN5gI1etnMIXKcx1QKHBCQbiBCXgE= =QvxW - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXrDOH2aOgq3Tt24GAQiF3xAA010iTUE/iCoEyFGEcDtnzUzj+fIJXhdr fMKJGhXzNxRJzxEECy2ZhxSLZTeBRHC/XUrEIan8Qemg5FJsjTvdizUbMppe4ix2 3hOKKpBP3G+idLibmzrZO0FFlmvH0kuR8Hm3q3yBry022Yyy3es8zMW0YnlLZBhr Xl9SAULzk+4Cfxuy3e3MyOXdYjI7HfT1YW74e+ilFlcAqY7NUf6emtYinllS0sRx sVnZ8DQGBcivC355bRFdN56tHSwRXaUcfw1MSxYVBPbF2V15xYmdaw5PVBHgAppn IVW6f3WRqX/JjzPIUBF++Z2HPWfsclMJdig/NlKmbKcmQVbwXlU+3X/tGaTKblWG /MyedKzysxkH5PrBTYTke0+cP5EtKC5MsmCkhCqDVDd3/CVpBKCim12LbYbqzCRY 4vDm+KuUezgAzZ+mdRMJTxM7cSLq7W5cwmHiYzaM3Ir2syOsdVWUkLN4JXt3QQc6 SiSghIXBk45Pd1qzIw+2DOUwNFikSR4TrpZ6x7IuoEN6W9vo8dW5XadRiQB4z372 dgAtClm4mfQEbijwn+bIVsqzx2GACUFIzkRFo285yvkMrdl8MbF6hTYF15tfJh89 zV/xoOvMDJwjMU5K8KL4sTUVGfp8h8NlVlEsApyY3O6L0lcl8ohvEo5R6BIxcz4w yZWb7kFg3vk= =0QzX -----END PGP SIGNATURE-----