Hi all,
There are 2 different security issues.
https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/
// CVE-2017-9324 // https://security-tracker.debian.org/tracker/CVE-2017-9324
This one is patched afaik with commit:
https://github.com/OTRS/otrs/commit/aeadb28008f1c53b2ef8891e274d0f04c0da550b
The tracker lists a commit; this commit is linked to the 3.3 version. It seems
to be the same but could break on merge.
The other issue is
https://www.otrs.com/security-advisory-2017-02-security-update-otrs-versions/
sounds like: https://security-tracker.debian.org/tracker/CVE-2017-9299
This one seems to be patched with:
https://github.com/OTRS/otrs/commit/68c953c5131d393733846fed58cbe6901ad3a5e7
Cheers,
Thomas
-----Original Message-----
From: Salvatore Bonaccorso [mailto:salvatore.bonacco...@gmail.com] On Behalf Of
Salvatore Bonaccorso
Sent: Wednesday, 7 June 2017 09:06
To: Patrick Matthäi
CC: Moritz Muehlenhoff; 864...@bugs.debian.org; Debian Security Team;
debian-rele...@lists.debian.org
Subject: Bug#864319: CVE-2017-9324
Hi Patrick,
On Wed, Jun 07, 2017 at 09:01:17AM +0200, Patrick Matthäi wrote:
> On 06.06.2017 at 22:37, Moritz Muehlenhoff wrote:
> > Package: otrs
> > Severity: grave
> > Tags: security
> >
> > Hi,
> > details are sparse on this one, could you get in touch with upstream
> > to isolate this to the change in question?
> > https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/
> >
> > Cheers,
> > Moritz
>
> I will try. In which way should I fix Stretch? stretch-security
> updates or direct upload to Stretch?
otrs2 in stretch is not covered/supported by security, since non-free.
That will need to go in a future stretch point release (unless we want to make
an exception here).
Regards,
Salvatore