| Summary: | www-apps/otrs: multiple vulnerabilities (CVE-2018-11563, CVE-2019-{12746,13458,9751,9752,9892,12497,12248,18179,18180}, CVE-2020-{1765,1766,1767,1768,1769,1770,1771,1772,1773,1774}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | fordfrog, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=664326 | | |
| Whiteboard: | ~3 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot, 2019-08-17 22:51:47 UTC
https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/
https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/

CVE-2019-9892: "An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem."
URL: https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/

CVE-2020-1774 (https://nvd.nist.gov/vuln/detail/CVE-2020-1774): When a user downloads PGP or S/MIME keys/certificates, the exported file has the same name for private and public keys. Therefore it is possible to mix them up and to send the private key to a third party instead of the public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.

CVE-2020-1768 (https://nvd.nist.gov/vuln/detail/CVE-2020-1768): The external frontend system uses numerous background calls to the backend. Each background request is treated as user activity, so the SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x version 7.0.14 and prior versions.

CVE-2019-9892 (https://nvd.nist.gov/vuln/detail/CVE-2019-9892): An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem.

CVE-2019-18180 (https://nvd.nist.gov/vuln/detail/CVE-2019-18180): Improper check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows a remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions.

CVE-2019-12497 (https://nvd.nist.gov/vuln/detail/CVE-2019-12497): An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., name and mail address) can be disclosed in external notes.

CVE-2019-12248 (https://nvd.nist.gov/vuln/detail/CVE-2019-12248): An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. An attacker could send a malicious email to an OTRS system. If a logged-in agent user quotes it, the email could cause the browser to load external image resources.

CVE-2019-18179 (https://nvd.nist.gov/vuln/detail/CVE-2019-18179): An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.

@maintainer(s), this really needs a bump or just last rites if you are not interested in the package.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa950e734b5caed317ac64dff518b8b33b797ba0

commit aa950e734b5caed317ac64dff518b8b33b797ba0
Author: Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-04 18:25:22 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 19:14:37 +0000

www-apps/otrs: Last rites

Bug: https://bugs.gentoo.org/692398
Bug: https://bugs.gentoo.org/664326
Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
Closes: https://github.com/gentoo/gentoo/pull/15907
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

profiles/package.mask | 6 ++++++
1 file changed, 6 insertions(+)

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=934a47e2dfc9eb2ff6a38198622584ef458f028d

commit 934a47e2dfc9eb2ff6a38198622584ef458f028d
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-09 12:41:39 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-09 12:43:17 +0000

www-apps/otrs: remove last-rited package

www-apps/otrs had a large number of vulnerabilities and was unmaintained within Gentoo.

Bug: https://bugs.gentoo.org/692398
Bug: https://bugs.gentoo.org/664326
Signed-off-by: Sam James <sam@gentoo.org>

profiles/base/package.use.stable.mask | 1 -
profiles/package.mask | 6 --
www-apps/otrs/Manifest | 5 --
www-apps/otrs/files/otrs.service | 13 ---
www-apps/otrs/metadata.xml | 11 ---
www-apps/otrs/otrs-5.0.25.ebuild | 154 --------------------------------
www-apps/otrs/otrs-6.0.3.ebuild | 156 --------------------------------
www-apps/otrs/otrs-6.0.4.ebuild | 156 --------------------------------
www-apps/otrs/otrs-6.0.5.ebuild | 156 --------------------------------
www-apps/otrs/otrs-6.0.7.ebuild | 157 ---------------------------------
10 files changed, 815 deletions(-)

Tree is now clean. Package was ~ so noglsa. Closing.