
Bug 379855

Summary: <www-apps/otrs-{2.4.11,3.0.10} File Disclosure Vulnerability (CVE-2011-2746)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: patrick, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://otrs.org/advisory/OSA-2011-03-en/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 379863
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2011-08-19 11:03:12 UTC
Description:
A vulnerability has been reported in OTRS, which can be exploited by malicious users to disclose potentially sensitive information.
The vulnerability is caused by an error within the Kernel/Modules/AdminPackageManager.pm script, which can be exploited to disclose arbitrary local files.
Successful exploitation requires administrator permissions and that at least one OTRS package is installed.

The vulnerability is reported in versions prior to 2.4.11 and 3.0.10.

Solution:
Update to versions 2.4.11 or 3.0.10.
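As an added example (this is editorial code, not part of the bug report, the OTRS advisory or the Gentoo tree): a small Python check that encodes the affected ranges above, 2.x before 2.4.11 and 3.x before 3.0.10, and classifies a version string or an ebuild file name. The function names, the FIXED table and the sample inputs are assumptions made for illustration; versions outside the 2.x/3.x branches are reported as not assessed rather than as safe.

```python
"""Classify OTRS versions against the ranges CVE-2011-2746 affects.

Constructed example for this bug page; not code from OTRS or Gentoo.
Affected per the advisory text: 2.x before 2.4.11 and 3.x before 3.0.10.
"""

import re
from typing import Dict, List, Optional, Tuple

# First fixed release per major branch, taken from the advisory text.
FIXED: Dict[int, Tuple[int, int, int]] = {
    2: (2, 4, 11),
    3: (3, 0, 10),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the numeric version from '3.0.9' or 'otrs-3.0.9.ebuild'.

    Anything after the dotted number (e.g. '.ebuild' or a '-r1' revision)
    is ignored; a string with no version number raises ValueError.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if inside an affected range, False if at or past the fix,
    None if the major branch is not covered by the advisory (e.g. 1.x)."""
    version = parse_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        return None
    # Pad short versions so '2.4' compares as 2.4.0; ignore extra components.
    padded = (version + (0, 0, 0))[:3]
    return padded < fixed


def vulnerable_ebuilds(names: List[str]) -> List[str]:
    """Return the ebuild names that still carry an affected version."""
    return [name for name in names if is_vulnerable(name) is True]


if __name__ == "__main__":
    # Constructed sample: the ebuilds named in the bug before the cleanup.
    tree = [
        "otrs-2.2.6.ebuild",
        "otrs-2.3.3.ebuild",
        "otrs-3.0.7.ebuild",
        "otrs-3.0.9.ebuild",
        "otrs-3.0.10.ebuild",
    ]
    for name in tree:
        print(f"{name}: vulnerable={is_vulnerable(name)}")
    print("to remove:", vulnerable_ebuilds(tree))
```

Run against the ebuild names listed later in this bug, the check flags 2.2.6, 2.3.3, 3.0.7 and 3.0.9 and leaves 3.0.10 alone, which is the state Comment 2 describes. The three-valued result matters: a 1.x or 4.x version is simply not assessed by this advisory, and treating it as "not vulnerable" would be a wrong conclusion.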
Comment 1 Patrick Lauer gentoo-dev 2011-08-19 12:56:19 UTC
+  19 Aug 2011; Patrick Lauer <patrick@gentoo.org> +otrs-3.0.10.ebuild:
+  Bump for #379855

I suggest masking/removing otrs 2.*, upstream doesn't plan to support it much longer, and we have seriously outdated versions.

For the ppc keywords I've opened Bug #379863
Comment 2 Patrick Lauer gentoo-dev 2011-08-19 15:20:10 UTC
+  19 Aug 2011; Patrick Lauer <patrick@gentoo.org> -otrs-2.2.6.ebuild,
+  -otrs-2.3.3.ebuild, -otrs-3.0.7.ebuild, -otrs-3.0.9.ebuild:
+  Remove old

So only 3.0.10 is left and no vulnerable version is left
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-08-19 15:30:35 UTC
Great, thank you, Patrick. Closing noglsa for ~arch package.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2011-09-02 17:33:36 UTC
CVE-2011-2746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2746):
  Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in
  OTRS-Core in Open Ticket Request System (OTRS) 2.x before 2.4.11 and 3.x
  before 3.0.10 allows remote authenticated administrators to read arbitrary
  files via unknown vectors.