
Bug 337755

Summary: <www-apps/otrs-3.0.10: Multiple XSS and denial of service vulnerabilities (CVE-2010-2080)
Product: Gentoo Security
Reporter: Andreis Vinogradovs ( slepnoga ) <andreis.vinogradovs>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: jesse, patrick, underling, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://otrs.org/advisory/OSA-2010-02-en/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 260823, 308059    
Attachments (description, flags):
otrs-2.3.6 - fixed version (flags: none)
otrs-2.4.8.ebuild - 2.4 series fixed ebuild (flags: none)
files/reconfig-2 (flags: none)
files/reconfig-3 (flags: none)
files/reconfig-4 (flags: none)
files/apache2.patch (flags: none)
files/apache2-2.patch (flags: none)

Description Andreis Vinogradovs ( slepnoga ) 2010-09-17 06:05:02 UTC
All versions in the portage tree are affected.
See http://otrs.org/advisory/OSA-2010-02-en/

Also, see http://bugs.gentoo.org/show_bug.cgi?id=308059
Please mask in the profile OR bump.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-09-19 05:23:00 UTC
*** Bug 337994 has been marked as a duplicate of this bug. ***
Comment 2 Andreis Vinogradovs ( slepnoga ) 2010-09-19 08:01:43 UTC
Note: not affected versions:
2.3.6
2.4.8
3.0.0_beta3
Comment 3 Andreis Vinogradovs ( slepnoga ) 2010-09-19 08:16:59 UTC
Created attachment 247938 [details]
otrs-2.3.6 - fixed version
Comment 4 Andreis Vinogradovs ( slepnoga ) 2010-09-19 08:17:48 UTC
Created attachment 247939 [details]
otrs-2.4.8.ebuild -2.4 series fixed ebuild
Comment 5 Andreis Vinogradovs ( slepnoga ) 2010-09-19 08:18:49 UTC
Created attachment 247943 [details]
files/reconfig-2
Comment 6 Andreis Vinogradovs ( slepnoga ) 2010-09-19 08:19:23 UTC
Created attachment 247944 [details]
files/reconfig-3
Comment 7 Andreis Vinogradovs ( slepnoga ) 2010-09-19 08:20:00 UTC
Created attachment 247946 [details]
files/reconfig-4
Comment 8 Andreis Vinogradovs ( slepnoga ) 2010-09-19 08:20:41 UTC
Created attachment 247948 [details]
files/apache2.patch
Comment 9 Andreis Vinogradovs ( slepnoga ) 2010-09-19 08:21:22 UTC
Created attachment 247950 [details]
files/apache2-2.patch
Comment 10 Andreis Vinogradovs ( slepnoga ) 2010-09-19 08:26:57 UTC
In the rion overlay the affected versions have been removed.
Available: 2.4.8; 2.3.6
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-24 20:28:20 UTC
CVE-2010-2080 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2080):
  Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket
  Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow
  remote authenticated users to inject arbitrary web script or HTML via
  unspecified vectors.

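The NVD text above states the affected range as two branches with a lower fixed bound (2.3.x before 2.3.6, 2.4.x before 2.4.8), while the ebuild versions in this bug carry Gentoo suffixes such as _beta3 and can carry revisions such as -r1. The following is an added example, not part of this bug report and not Portage's own version comparator, that maps a Gentoo-style version string onto that CVE range. The version grammar is a simplified rendering of Gentoo's rules for the _alpha/_beta/_pre/_rc/_p suffixes and -rN revisions, and the function names are my own; a branch the CVE text does not name is reported as out of range, regardless of what the reporter says about other versions in the tree.

```python
import re

# Suffix ordering per Gentoo's version rules (simplified here, assumption):
# _alpha < _beta < _pre < _rc < plain release < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

# Gentoo-style version: numeric components, optional single letter,
# optional _suffix with optional number, optional -rN revision.
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)


def version_key(version):
    """Return a tuple that orders Gentoo-style version strings.

    A prerelease (2.4.8_rc1) sorts below its release (2.4.8), and a
    revision (2.4.8-r1) sorts above it. This is a simplified model of
    Portage's ordering, not Portage's own code.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a Gentoo-style version: {version!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = m.group("letter") or ""
    suffix = m.group("suffix")
    sufnum = int(m.group("sufnum") or 0)
    rev = int(m.group("rev") or 0)
    return (nums, letter, _SUFFIX_RANK[suffix], sufnum, rev)


# Fixed version per branch, taken from the CVE-2010-2080 text quoted above:
# "2.3.x before 2.3.6 and 2.4.x before 2.4.8".
_CVE_2010_2080_FIXED = {
    (2, 3): "2.3.6",
    (2, 4): "2.4.8",
}


def in_cve_2010_2080_range(version):
    """True if `version` (Gentoo-style string) falls inside the CVE's range.

    Versions on a branch the CVE does not name (2.2.x, 3.0.x, ...) return
    False here because the CVE text says nothing about them, not because
    they are known to be safe.
    """
    key = version_key(version)
    branch = key[0][:2]
    fixed = _CVE_2010_2080_FIXED.get(branch)
    if fixed is None:
        return False
    return key < version_key(fixed)


def triage(versions):
    """Map each version in an inventory to its CVE-2010-2080 status."""
    return {v: in_cve_2010_2080_range(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory of ebuild versions, not taken from the tree.
    sample = ["2.3.5", "2.3.6", "2.4.7-r1", "2.4.8_rc1", "2.4.8", "3.0.0_beta3"]
    for v, affected in triage(sample).items():
        print(f"{v:12} {'AFFECTED' if affected else 'not in range'}")
```

The two cases worth noticing are `2.4.8_rc1`, which is a prerelease of the fixed version and therefore still inside the range, and `2.4.7-r1`, where the Gentoo revision bump does not move the upstream version past the fix.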
Comment 12 Jesse Adelman 2011-02-03 03:11:22 UTC
Hrm. Any hope of official Portage seeing version bumps for the various security issues with the versions available? :)
Comment 13 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-03 07:07:17 UTC
I think this has exceeded time limit even for ~4-rated vulnerability. Should we consider masking the package?
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2011-07-10 00:59:57 UTC
I'd like to even see it punted...
Comment 15 Andreis Vinogradovs ( slepnoga ) 2011-08-15 14:38:30 UTC
What is the state of this bug at this moment?
A new (not affected) version has been committed in tree.
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 15:46:28 UTC
(In reply to comment #15)
> What is the state of this bug at this moment?
> A new (not affected) version has been committed in tree.

The fixed ebuilds lack keywords on some arches.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-08-19 15:32:36 UTC
Fixed software added and vulnerable versions removed by Patrick Lauer via bug 379855. Closing noglsa for ~arch package.