Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1570
otrs2 security update
5 May 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: otrs2
Publisher: Debian
Operating System: UNIX variants (UNIX, Linux, OSX)
Debian GNU/Linux 8
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-1774 CVE-2020-1772 CVE-2020-1770
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running otrs2 check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : otrs2
Version : 3.3.18-1+deb8u15
CVE ID : CVE-2020-1770 CVE-2020-1772 CVE-2020-1774
Several vulnerabilities have been discovered in otrs2 (Open source
Ticket Request System)
CVE-2020-1770
Support bundle generated files could contain sensitive information
that might be unwanted to be disclosed.
CVE-2020-1772
Its possible to craft Lost Password requests with wildcards in the
Token value, which allows attacker to retrieve valid Token(s),
generated by users which already requested new passwords.
CVE-2020-1774
When user downloads PGP or S/MIME keys/certificates, exported file
has same name for private and public keys. Therefore its possible
to mix them and to send private key to the third-party instead of
public key.
For Debian 8 "Jessie", these problems have been fixed in version
3.3.18-1+deb8u15.
We recommend that you upgrade your otrs2 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl6rt2gACgkQhj1N8u2c
KO+YXhAAgnXXnXFYtuAw3PfGIbA0VUcIEu3gZAKM/ahCFaILZaN8xN3QFHM84yiH
HAjWH/b+PITvCG81TNcO6xn7DAHsVL3rk1+tmg0TY4rBfo9zfdQHP9CXCxf5GClM
4tUt7X2YishqF/kGgQ2fcEC1bLnghWSMVMQ985WTCyP1AwHlc+0SjHhoU8ABhAiE
ct4w8hxWlvqMsYF8rf1dIBCWoFQUB50PdB6asjCrOEznMn6wNSOsuM9EXszQpSGk
Mho07Syxctmts0FPfMYvBg9eI/5x+tCXMHfKs1pCrmRermlaCEiLLhMznjv0yQdg
zulqMKlqt1+FIwklntY8CptFXDNZpFiuIBFziIiWKHYS6KBXON00K9rbdDd2fluQ
CMFjWnRzxkj1zuzlXNRqXOd1VCy1P+JpsYJ8SO1uL36UiZbjregS3d750yZ8f8MZ
WkuK34hrG666BnBbSnafcvqd9mwkSd1OdekTOt0w2wZMCNSDX4nzFKGd2zFU0lFE
HCDkBCi8mBEHWnyufV0ndIYj93dpD4ssLmjEKQpESXhxZY+nnDLZatigtaSus91P
Ual4R1U9Cy/z0XB3aUiuXUIqijEq+DjDoBlsrL3yD7KkXEz+dH0GqPJmZa7+wcol
uS6j2JzZYB5eM7lJUzljNumN5gI1etnMIXKcx1QKHBCQbiBCXgE=
=QvxW
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXrDOH2aOgq3Tt24GAQiF3xAA010iTUE/iCoEyFGEcDtnzUzj+fIJXhdr
fMKJGhXzNxRJzxEECy2ZhxSLZTeBRHC/XUrEIan8Qemg5FJsjTvdizUbMppe4ix2
3hOKKpBP3G+idLibmzrZO0FFlmvH0kuR8Hm3q3yBry022Yyy3es8zMW0YnlLZBhr
Xl9SAULzk+4Cfxuy3e3MyOXdYjI7HfT1YW74e+ilFlcAqY7NUf6emtYinllS0sRx
sVnZ8DQGBcivC355bRFdN56tHSwRXaUcfw1MSxYVBPbF2V15xYmdaw5PVBHgAppn
IVW6f3WRqX/JjzPIUBF++Z2HPWfsclMJdig/NlKmbKcmQVbwXlU+3X/tGaTKblWG
/MyedKzysxkH5PrBTYTke0+cP5EtKC5MsmCkhCqDVDd3/CVpBKCim12LbYbqzCRY
4vDm+KuUezgAzZ+mdRMJTxM7cSLq7W5cwmHiYzaM3Ir2syOsdVWUkLN4JXt3QQc6
SiSghIXBk45Pd1qzIw+2DOUwNFikSR4TrpZ6x7IuoEN6W9vo8dW5XadRiQB4z372
dgAtClm4mfQEbijwn+bIVsqzx2GACUFIzkRFo285yvkMrdl8MbF6hTYF15tfJh89
zV/xoOvMDJwjMU5K8KL4sTUVGfp8h8NlVlEsApyY3O6L0lcl8ohvEo5R6BIxcz4w
yZWb7kFg3vk=
=0QzX
-----END PGP SIGNATURE-----