Author: opal Date: 2017-06-06 20:14:52 +0000 (Tue, 06 Jun 2017) New Revision: 52359
Modified: data/CVE/list data/dla-needed.txt Log: Found otrs2 to be vulnerable to something. However it is not fully clear what the problem is. Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-06-06 18:57:17 UTC (rev 52358) +++ data/CVE/list 2017-06-06 20:14:52 UTC (rev 52359) @@ -362,6 +362,19 @@ RESERVED - otrs2 <unfixed> NOTE: https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/ + NOTE: The security advisory is not very specific about the problem. + NOTE: From the CHANGES.md file in 3.3.17 it is likely to be this problem + NOTE: that have been dealt with: + NOTE: 2017-05-31 Improved SecureMode detection in Installer. + NOTE: Suspected file changes in 3.3.17 are the following: + NOTE: bin/otrs.PackageManager.pl (good change but unknown security impact) + NOTE: bin/otrs.SetPermissions.pl (looks like a security improvement at least) + NOTE: bin/otrs.CheckModules.pl (probably not security related) + NOTE: Kernel/Modules/Installer.pm (this is clearly a security fault!!!) + NOTE: Kernel/Config/Files/Framework.xml (may be a security issue) + NOTE: Kernel/System/SupportDataCollector.pm (may be a security issue) + NOTE: It is clear that the package is vulnerable to something. Further + NOTE: investigation is needed to pinpoint the exact vulnerability. CVE-2017-9323 RESERVED CVE-2017-9322 Modified: data/dla-needed.txt =================================================================== --- data/dla-needed.txt 2017-06-06 18:57:17 UTC (rev 52358) +++ data/dla-needed.txt 2017-06-06 20:14:52 UTC (rev 52359) @@ -79,6 +79,8 @@ mysql-workbench NOTE: maintainer contacted 20170429 -- +otrs2 +-- postgresql-9.1 (Christoph Berg) NOTE: maintainer will give it a try tomorrow (2017-05-28) -- _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
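Review bot: In the data/CVE/list hunk, the NOTE for Kernel/Modules/Installer.pm ("this is clearly a security fault!!!") asserts a flaw without saying what it is, so the next person triaging has to redo the 3.3.17 comparison from scratch. Describe what the change in Installer.pm actually does, or reference the upstream change; the only lead recorded is the CHANGES.md line "2017-05-31 Improved SecureMode detection in Installer", and the notes never tie that line to a specific file. The two closing NOTE lines ("It is clear that the package is vulnerable to something...") repeat the first added NOTE and can be dropped, and "that have been dealt with" should read "that has been dealt with".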
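Review bot: In the data/dla-needed.txt hunk, the new otrs2 entry is added bare, while both neighbouring entries (mysql-workbench and postgresql-9.1) carry a NOTE with their status. Add a NOTE under otrs2 saying that the exact vulnerability is not yet identified and pointing to the otrs2 notes in data/CVE/list, so whoever claims the package knows the first task is investigation rather than backporting a known fix.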