From the Debian changelog:

otrs2 (2.2.5-2) unstable; urgency=high

  * Add patch osa-2008-01.diff to fix http://otrs.org/advisory/OSA-2008-01-en/
  * Set urgency to high because of the security problem.

 -- Torsten Werner <twerner@debian.org>  Thu, 20 Mar 2008 21:24:39 +0100
Created attachment 147489: osa-2008-01.diff
Seems like it previously allowed XML-RPC access when no SOAP credentials were set in the configuration.
In reply to "Comment #2". Yes, this is the problem. I informed Renat (Lumpau) on March 19, 2008 15:12:52 GMT+01:00 about this issue. Should I add a second address next time?
-Martin (OTRS.org Security Team)
(In reply to comment #3)
> In reply to "Comment #2". Yes, this is the problem.
>
> I informed Renat (Lumpau) on March 19, 2008 15:12:52 GMT+01:00 about this
> issue.
>
> Should I add a second address next time?

You can add security@gentoo.org or the confidential contacts as listed on http://www.gentoo.org/security/en/ to that mail. Thanks for contacting us directly here.
*** Bug 208885 has been marked as a duplicate of this bug. ***
2.2.6 in cvs
Thanks, closing [noglsa].