CVE-2017-14635 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14635): In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection. References: https://www.otrs.com/security-advisory-2017-04-security-update-otrs-versions/
PR: https://github.com/gentoo/gentoo/pull/5756
commit 1d8bc0effd4c8d8bb5248dc89b18129fad68c5ef (HEAD -> master, origin/master, origin/HEAD)
Author: Stefan G. Weichinger <office@oops.co.at>
AuthorDate: Thu Sep 21 17:28:30 2017 +0200
Commit: Patrice Clement <monsieurp@gentoo.org>
CommitDate: Tue Oct 3 00:32:47 2017 +0200

    www-apps/otrs: version bump to 5.0.23.

    Gentoo-Bug: https://bugs.gentoo.org/631638
    Closes: https://github.com/gentoo/gentoo/pull/5756

 www-apps/otrs/Manifest           |   1 +
 www-apps/otrs/otrs-5.0.23.ebuild | 154 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)
 create mode 100644 www-apps/otrs/otrs-5.0.23.ebuild
Do we need to call for stabilisation?
(In reply to Patrice Clement from comment #3)
> Do we need to call for stabilization?

No, Patrice, it is not necessary for non-stable ebuilds. Although you should remove the vulnerable versions.

Thank you
Gentoo Security Padawan
ChrisADR
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8d17ca06beea07febb2b479fada0550ae744e83

commit c8d17ca06beea07febb2b479fada0550ae744e83
Author: Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2017-10-07 19:47:18 +0000
Commit: Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-07 19:47:34 +0000

    www-apps/otrs: remove vulnerable versions.

    Bug: https://bugs.gentoo.org/631638
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 www-apps/otrs/Manifest           |   2 -
 www-apps/otrs/otrs-5.0.21.ebuild | 153 ---------------------------------------
 www-apps/otrs/otrs-5.0.22.ebuild | 153 ---------------------------------------
 3 files changed, 308 deletions(-)