Your message dated Fri, 27 Dec 2019 10:26:45 +0000
with message-id <e1ikmpr-0007hu...@fasolo.debian.org>
and subject line Bug#945251: fixed in otrs2 6.0.24-1
has caused the Debian Bug report #945251,
regarding otrs2: CVE-2019-18179 CVE-2019-18180
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
945251: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945251
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: otrs2
Version: 6.0.23-2
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for otrs2
CVE-2019-18179[0] and CVE-2019-18180[1].
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-18179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18179
https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/
[1] https://security-tracker.debian.org/tracker/CVE-2019-18180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18180
https://community.otrs.com/security-advisory-2019-15-security-update-for-otrs-framework/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: otrs2
Source-Version: 6.0.24-1
We believe that the bug you reported is fixed in the latest version of
otrs2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 945...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Matthäi <pmatth...@debian.org> (supplier of updated otrs2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 27 Dec 2019 10:51:52 +0100
Source: otrs2
Architecture: source
Version: 6.0.24-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatth...@debian.org>
Changed-By: Patrick Matthäi <pmatth...@debian.org>
Closes: 945251
Changes:
otrs2 (6.0.24-1) unstable; urgency=high
.
* New upstream release.
- Fixes CVE-2019-18179, also known as OSA-2019-14: An attacker who is logged
into OTRS as an agent is able to list tickets assigned to other agents,
which are in the queue where attacker doesn’t have permissions.
- Fixes CVE-2019-18180, also known as OSA-2019-15: OTRS can be put into an
endless loop by providing filenames with overly long extensions. This
applies to the PostMaster (sending in email) and also upload (attaching
files to mails, for example).
Closes: #945251
* Add dependency on package libcpan-audit-perl.
* Use the new debhelper-compat notation, and drop the d/compat file.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---