Bug 215138 - www-apps/otrs <2.2.6 SOAP xmlrpc vulnerability (CVE-2008-1515)
Summary: www-apps/otrs <2.2.6 SOAP xmlrpc vulnerability (CVE-2008-1515)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://otrs.org/advisory/OSA-2008-01-en/
Whiteboard: ~3? [noglsa]
Keywords:
Duplicates: 208885
Depends on:
Blocks:
 
Reported: 2008-03-28 01:54 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-03 13:20 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
osa-2008-01.diff (osa-2008-01.diff,1.01 KB, patch)
2008-03-28 01:55 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-28 01:54:56 UTC
From the Debian changelog:

otrs2 (2.2.5-2) unstable; urgency=high

  * Add patch osa-2008-01.diff to fix http://otrs.org/advisory/OSA-2008-01-en/
  * Set urgency to high because of the security problem.

 -- Torsten Werner <twerner@debian.org>  Thu, 20 Mar 2008 21:24:39 +0100
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-28 01:55:25 UTC
Created attachment 147489
osa-2008-01.diff
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-28 02:01:30 UTC
Seems like it previously allowed xml rpc access when no soap credentials were set in the configuration.
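
The fail-open condition described in comment 2, next to a fail-closed check, as an added example that is not part of the bug report, the attached patch, or OTRS code. The configuration key names, function names and sample values are assumptions constructed for illustration.

```python
import hmac

# Hypothetical configuration keys, used only for this illustration.
USER_KEY = "SOAP::User"
PASS_KEY = "SOAP::Password"


def fail_open_check(config, user, password):
    """Pattern described in comment 2: unset settings compare equal to
    absent or empty request credentials, so the endpoint is left open."""
    want_user = config.get(USER_KEY) or ""
    want_pass = config.get(PASS_KEY) or ""
    return (user or "") == want_user and (password or "") == want_pass


def fail_closed_check(config, user, password):
    """Refuse every request unless both credentials are configured and
    non-empty, then compare in constant time."""
    want_user = config.get(USER_KEY)
    want_pass = config.get(PASS_KEY)
    if not want_user or not want_pass:
        return False  # endpoint stays disabled until credentials are set
    if not isinstance(user, str) or not isinstance(password, str):
        return False
    user_ok = hmac.compare_digest(user.encode(), want_user.encode())
    pass_ok = hmac.compare_digest(password.encode(), want_pass.encode())
    return user_ok and pass_ok


# Constructed sample configurations (not real credentials).
UNSET = {}
PARTIAL = {USER_KEY: "rpc-user"}
CONFIGURED = {USER_KEY: "rpc-user", PASS_KEY: "constructed-secret"}

if __name__ == "__main__":
    requests = ((None, None), ("", ""), ("rpc-user", ""),
                ("rpc-user", "constructed-secret"))
    for name, cfg in (("unset", UNSET), ("partial", PARTIAL),
                      ("configured", CONFIGURED)):
        for creds in requests:
            print(name, creds,
                  "fail-open:", fail_open_check(cfg, *creds),
                  "fail-closed:", fail_closed_check(cfg, *creds))
```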
Comment 3 Martin Edenhofer 2008-03-31 20:38:48 UTC
In reply to "Comment #2". Yes, this is the problem.

I informed Renat (Lumpau) on March 19, 2008 15:12:52 GMT+01:00 about this issue.

Should I add a second address next time?

 -Martin
   (OTRS.org Security Team)
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-31 20:57:08 UTC
(In reply to comment #3)
> In reply to "Comment #2". Yes, this is the problem.
> 
> I informed Renat (Lumpau) on March 19, 2008 15:12:52 GMT+01:00 about this
> issue.
> 
> Should I add a second address next time?

You can add security@gentoo.org or the confidential contacts as listed on http://www.gentoo.org/security/en/ to that mail. Thanks for contacting us directly here.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 12:44:21 UTC
*** Bug 208885 has been marked as a duplicate of this bug. ***
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2008-04-03 11:09:19 UTC
2.2.6 in cvs
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-04-03 13:20:17 UTC
Thanks, closing [noglsa].