Comment 1 GLSAMaker/CVETool Bot 2011-07-10 00:59:32 UTC

CVE-2010-3476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3476):
  Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8
  does not properly handle the matching of Perl regular expressions against
  HTML e-mail messages, which allows remote attackers to cause a denial of
  service (CPU consumption) via a large message, a different vulnerability
  than CVE-2010-2080.

Comment 2 GLSAMaker/CVETool Bot 2011-07-10 02:01:14 UTC

CVE-2009-5057 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5057):
  The S/MIME feature in Open Ticket Request System (OTRS) before 2.3.4 does
  not configure the RANDFILE and HOME environment variables for OpenSSL, which
  might make it easier for remote attackers to decrypt e-mail messages that
  had lower than intended entropy available for cryptographic operations,
  related to inability to write to the seeding file.

CVE-2009-5056 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5056):
  Open Ticket Request System (OTRS) before 2.4.0-beta2 does not properly
  enforce the move_into permission setting for a queue, which allows remote
  authenticated users to bypass intended access restrictions and read a ticket
  by watching this ticket, and then selecting the ticket from the
  watched-tickets list.

CVE-2009-5055 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5055):
  Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the
  basis of single-digit substrings of the CustomerID value, which allows
  remote authenticated users to bypass intended access restrictions in
  opportunistic circumstances by visiting a ticket, as demonstrated by
  leveraging the CustomerID 12 account to read tickets that should be
  available only to CustomerID 1 or CustomerID 2.

Comment 3 Tim Sammut (RETIRED) 2011-08-19 15:34:17 UTC

Fixed software added and vulnerable versions removed by Patrick Lauer via bug 379855. Closing noglsa for ~arch package.