Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 692398 (CVE-2018-11563, CVE-2019-12248, CVE-2019-12497, CVE-2019-12746, CVE-2019-13458, CVE-2019-18179, CVE-2019-18180, CVE-2019-9751, CVE-2019-9752, CVE-2019-9892, CVE-2020-1765, CVE-2020-1766, CVE-2020-1767, CVE-2020-1768, CVE-2020-1769, CVE-2020-1770, CVE-2020-1771, CVE-2020-1772, CVE-2020-1773, CVE-2020-1774) - www-apps/otrs: multiple vulnerabilities (CVE-2018-11563, CVE-2019-{12746,13458,9751,9752,9892,12497,12248,18179,18180}, CVE-2020-{1765,1766,1767,1768,1769,1770,1771,1772,1773,1774)
Summary: www-apps/otrs: multiple vulnerabilities (CVE-2018-11563, CVE-2019-{12746,1345...
Status: RESOLVED FIXED
Alias: CVE-2018-11563, CVE-2019-12248, CVE-2019-12497, CVE-2019-12746, CVE-2019-13458, CVE-2019-18179, CVE-2019-18180, CVE-2019-9751, CVE-2019-9752, CVE-2019-9892, CVE-2020-1765, CVE-2020-1766, CVE-2020-1767, CVE-2020-1768, CVE-2020-1769, CVE-2020-1770, CVE-2020-1771, CVE-2020-1772, CVE-2020-1773, CVE-2020-1774
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-17 22:51 UTC by GLSAMaker/CVETool Bot
Modified: 2020-07-09 12:48 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-08-17 22:51:47 UTC
CVE-2018-11563 (https://nvd.nist.gov/vuln/detail/CVE-2018-11563):
  An issue was discovered in Open Ticket Request System (OTRS) 6.0.x through
  6.0.7. A carefully constructed email could be used to inject and execute
  arbitrary stylesheet or JavaScript code in a logged in customer's browser in
  the context of the OTRS customer panel application.

CVE-2019-12746 (https://nvd.nist.gov/vuln/detail/CVE-2019-12746):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.

CVE-2019-13458 (https://nvd.nist.gov/vuln/detail/CVE-2019-13458):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
Comment 2 Sam James gentoo-dev Security 2020-03-06 17:27:51 UTC
CVE-2019-9892:

"An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbitrary files on the OTRS filesystem."

URL: https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-05-01 02:56:05 UTC
CVE-2020-1774 (https://nvd.nist.gov/vuln/detail/CVE-2020-1774):
  When user downloads PGP or S/MIME keys/certificates, exported file has same
  name for private and public keys. Therefore it's possible to mix them and to
  send private key to the third-party instead of public key. This issue
  affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and
  prior versions. OTRS: 7.0.16 and prior versions.

CVE-2020-1768 (https://nvd.nist.gov/vuln/detail/CVE-2020-1768):
  The external frontend system uses numerous background calls to the backend.
  Each background request is treated as user activity so the
  SessionMaxIdleTime will not be reached. This issue affects: OTRS 7.0.x
  version 7.0.14 and prior versions.

CVE-2019-9892 (https://nvd.nist.gov/vuln/detail/CVE-2019-9892):
  An issue was discovered in Open Ticket Request System (OTRS) 5.x through
  5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged
  into OTRS as an agent user with appropriate permissions may try to import
  carefully crafted Report Statistics XML that will result in reading of
  arbitrary files on the OTRS filesystem.

CVE-2019-18180 (https://nvd.nist.gov/vuln/detail/CVE-2019-18180):
  Improper Check for filenames with overly long extensions in PostMaster
  (sending in email) or uploading files (e.g. attaching files to mails) of
  ((OTRS)) Community Edition and OTRS allows an remote attacker to cause an
  endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x
  version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions.
  OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions.

CVE-2019-12497 (https://nvd.nist.gov/vuln/detail/CVE-2019-12497):
  An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through
  7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x
  through 5.0.36. In the customer or external frontend, personal information
  of agents (e.g., Name and mail address) can be disclosed in external notes.

CVE-2019-12248 (https://nvd.nist.gov/vuln/detail/CVE-2019-12248):
  An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through
  7.0.7, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x
  through 5.0.36. An attacker could send a malicious email to an OTRS system.
  If a logged-in agent user quotes it, the email could cause the browser to
  load external image resources.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-05-01 02:56:32 UTC
CVE-2019-18179 (https://nvd.nist.gov/vuln/detail/CVE-2019-18179):
  An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through
  7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23.
  An attacker who is logged into OTRS as an agent is able to list tickets
  assigned to other agents, even tickets in a queue where the attacker doesn't
  have permissions.
Comment 5 Sam James gentoo-dev Security 2020-05-01 03:26:34 UTC
@maintainer(s), this really needs a bump or just last rites if you are not interested in the package.
Comment 6 Larry the Git Cow gentoo-dev 2020-06-04 19:14:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa950e734b5caed317ac64dff518b8b33b797ba0

commit aa950e734b5caed317ac64dff518b8b33b797ba0
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-04 18:25:22 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 19:14:37 +0000

    www-apps/otrs: Last rites
    
    Bug: https://bugs.gentoo.org/692398
    Bug: https://bugs.gentoo.org/664326
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15907
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2020-07-09 12:43:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=934a47e2dfc9eb2ff6a38198622584ef458f028d

commit 934a47e2dfc9eb2ff6a38198622584ef458f028d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-09 12:41:39 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-09 12:43:17 +0000

    www-apps/otrs: remove last-rited package
    
    www-apps/otrs had a large number of vulnerabilities
    and was unmaintained within Gentoo.
    
    Bug: https://bugs.gentoo.org/692398
    Bug: https://bugs.gentoo.org/664326
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/base/package.use.stable.mask |   1 -
 profiles/package.mask                 |   6 --
 www-apps/otrs/Manifest                |   5 --
 www-apps/otrs/files/otrs.service      |  13 ---
 www-apps/otrs/metadata.xml            |  11 ---
 www-apps/otrs/otrs-5.0.25.ebuild      | 154 ---------------------------------
 www-apps/otrs/otrs-6.0.3.ebuild       | 156 ---------------------------------
 www-apps/otrs/otrs-6.0.4.ebuild       | 156 ---------------------------------
 www-apps/otrs/otrs-6.0.5.ebuild       | 156 ---------------------------------
 www-apps/otrs/otrs-6.0.7.ebuild       | 157 ----------------------------------
 10 files changed, 815 deletions(-)
Comment 8 Sam James gentoo-dev Security 2020-07-09 12:47:54 UTC
Tree is now clean. Package was ~ so noglsa. Closing.