Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 598768 (CVE-2016-9139) - <www-apps/otrs-5.0.15: Stored CSS Vulnerability
Summary: <www-apps/otrs-5.0.15: Stored CSS Vulnerability
Status: RESOLVED FIXED
Alias: CVE-2016-9139
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://www.otrs.com/security-advisor...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-02 10:54 UTC by Agostino Sarubbo
Modified: 2017-01-15 08:05 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-11-02 10:54:07 UTC
From ${URL} :

An attacker could trick an authenticated agent or customer into opening a malicious attachment which could lead to the execution of JavaScript in OTRS 
context.

Fixed in: OTRS 3.3.16 4.0.19 5.0.14


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Stefan G. Weichinger 2016-11-02 11:02:19 UTC
otrs-5.0.14.ebuild running OK here.
Same ebuild as the releases before.

see bug https://bugs.gentoo.org/show_bug.cgi?id=563580 for reference
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-01-09 22:38:14 UTC
@ Stefan: Please submit a PR so we can review/proceed.
Comment 3 Stefan G. Weichinger 2017-01-10 09:31:43 UTC
please advise where and how to submit the PR.
You want to pull the ebuild from my repo?
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-01-10 13:42:56 UTC
Stefan, please see https://wiki.gentoo.org/wiki/Gentoo_Github for details. You basically create a PR against the repository at https://github.com/gentoo/gentoo.
Comment 5 Stefan G. Weichinger 2017-01-10 13:56:48 UTC
https://github.com/gentoo/gentoo/pull/3412
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-01-15 08:05:14 UTC
Package was updated, no stabilization needed because package was never stable. Repository is clean. All done.