Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 598768 (CVE-2016-9139)

Summary: <www-apps/otrs-5.0.15: Stored CSS Vulnerability
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: lists, proxy-maint, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.otrs.com/security-advisory-2016-02-security-update-otrs/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-11-02 10:54:07 UTC
From ${URL} :

An attacker could trick an authenticated agent or customer into opening a malicious attachment which could lead to the execution of JavaScript in OTRS 
context.

Fixed in: OTRS 3.3.16 4.0.19 5.0.14


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Stefan G. Weichinger 2016-11-02 11:02:19 UTC
otrs-5.0.14.ebuild running OK here.
Same ebuild as the releases before.

see bug https://bugs.gentoo.org/show_bug.cgi?id=563580 for reference
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 22:38:14 UTC
@ Stefan: Please submit a PR so we can review/proceed.
Comment 3 Stefan G. Weichinger 2017-01-10 09:31:43 UTC
please advise where and how to submit the PR.
You want to pull the ebuild from my repo?
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 13:42:56 UTC
Stefan, please see https://wiki.gentoo.org/wiki/Gentoo_Github for details. You basically create a PR against the repository at https://github.com/gentoo/gentoo.
Comment 5 Stefan G. Weichinger 2017-01-10 13:56:48 UTC
https://github.com/gentoo/gentoo/pull/3412
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-15 08:05:14 UTC
Package was updated, no stabilization needed because package was never stable. Repository is clean. All done.