Debian Bug report logs - #340352
otrs: Multiple SQL injection and Cross-Site-Scripting vulnerabilities


Package: otrs; Maintainer for otrs is Patrick Matthäi <pmatthaei@debian.org>; Source for otrs is src:otrs2.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 22 Nov 2005 22:33:06 UTC

Severity: grave

Tags: security

Fixed in versions otrs/2.0.4p01-1, otrs/1.3.2p01-6

Done: Torsten Werner <twerner@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Torsten Werner <twerner@debian.org>:
Bug#340352; Package otrs. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Torsten Werner <twerner@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: otrs: Multiple SQL injection and Cross-Site-Scripting vulnerabilities
Date: Tue, 22 Nov 2005 23:23:07 +0100
Package: otrs
Severity: grave
Tags: security
Justification: user security hole

OTRS is vulnerable to several SQL injection and Cross-Site-Scripting
vulnerabilities. Please see here for more information:
http://otrs.org/advisory/OSA-2005-01-en/
http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt

The new upstream version 1.3.3 fixes all these problems.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information stored:
Bug#340352; Package otrs. Full text and rfc822 format available.

Acknowledgement sent to Torsten Werner <email@twerner42.de>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #10 received at 340352-quiet@bugs.debian.org (full text, mbox):

From: Torsten Werner <email@twerner42.de>
To: Moritz Muehlenhoff <jmm@inutil.org>, 340352-quiet@bugs.debian.org
Subject: Re: Bug#340352: otrs: Multiple SQL injection and Cross-Site-Scripting vulnerabilities
Date: Tue, 22 Nov 2005 23:38:34 +0100
Moritz Muehlenhoff wrote:
> OTRS is vulnerable to several SQL injection and Cross-Site-Scripting
> vulnerabilities. Please see here for more information:
> http://otrs.org/advisory/OSA-2005-01-en/
> http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
> 
> The new upstream version 1.3.3 fixes all these problems.

I know that already. The upstream author is preparing a patch for 1.3.2-01.


Regards,
Torsten



Reply sent to Torsten Werner <email@twerner42.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 340352-close@bugs.debian.org (full text, mbox):

From: Torsten Werner <email@twerner42.de>
To: 340352-close@bugs.debian.org
Subject: Re: Bug#340352: otrs: Multiple SQL injection and Cross-Site-Scripting vulnerabilities
Date: Tue, 22 Nov 2005 23:45:41 +0100
Source: otrs
Source-Version: 2.0.4p01-1

Moritz Muehlenhoff wrote:
> OTRS is vulnerable to several SQL injection and Cross-Site-Scripting
> vulnerabilities. Please see here for more information:
> http://otrs.org/advisory/OSA-2005-01-en/
> http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
> 
> The new upstream version 1.3.3 fixes all these problems.


It is fixed in unstable's version.


Torsten



Information stored:
Bug#340352; Package otrs. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #20 received at 340352-quiet@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Torsten Werner <email@twerner42.de>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 340352-quiet@bugs.debian.org
Subject: Re: Bug#340352: otrs: Multiple SQL injection and Cross-Site-Scripting vulnerabilities
Date: Fri, 10 Feb 2006 17:59:20 +0100
Torsten Werner wrote:
> > OTRS is vulnerable to several SQL injection and Cross-Site-Scripting
> > vulnerabilities. Please see here for more information:
> > http://otrs.org/advisory/OSA-2005-01-en/
> > http://moritz-naumann.com/adv/0007/otrsmulti/0007.txt
> > 
> > The new upstream version 1.3.3 fixes all these problems.
> 
> I know that already. The upstream author is preparing a patch for 1.3.2-01.

What's the status of an update for stable?

Cheers,
        Moritz



Information stored:
Bug#340352; Package otrs. Full text and rfc822 format available.

Acknowledgement sent to Torsten Werner <email@twerner42.de>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #25 received at 340352-quiet@bugs.debian.org (full text, mbox):

From: Torsten Werner <email@twerner42.de>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 340352-quiet@bugs.debian.org, joey@infodrom.org
Subject: Re: Bug#340352: otrs: Multiple SQL injection and Cross-Site-Scripting vulnerabilities
Date: Mon, 13 Feb 2006 21:29:06 +0100
Moritz Muehlenhoff wrote:
> What's the status of an update for stable?


I have provided a fix over 2 months ago but I did not hear anything from
the security team.

Regards,
Torsten


Information stored:
Bug#340352; Package otrs. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #30 received at 340352-quiet@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Torsten Werner <email@twerner42.de>
Cc: 340352-quiet@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#340352: otrs: Multiple SQL injection and Cross-Site-Scripting vulnerabilities
Date: Mon, 13 Feb 2006 23:59:06 +0100
Torsten Werner wrote:
> Moritz Muehlenhoff wrote:
> > What's the status of an update for stable?
> 
> 
> I have provided a fix over 2 months ago but I did not hear anything from
> the security team.

Hmm.  I only find my complaints but no response from you.

However, the packages on master are better now.

However^2, I accidentally found:

+-      SoryBy => 'Age',         # Owner|CustomerID|State|Ticket|Queue|Priority|Age
++      SortBy => 'Age',         # Owner|CustomerID|State|Ticket|Queue|Priority|Age
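Review bot: the rename of the hash key SoryBy to SortBy in this hunk is unrelated to the advertised security fix and is not mentioned in the 1.3.2p01-6 changelog entry, which cites only OSA-2005-01 and CVE-2005-3893, CVE-2005-3894 and CVE-2005-3895; a stable-security upload should carry only documented changes, so either drop the hunk or add a changelog line for it, noting that a key which was previously misspelt may now take effect and change the sort order the code applies.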

Could you... err... explain the change?

I'll accept the package nevertheless, though, since it's only this
and the last hunk of the changelog change.

Regards,

	Joey

-- 
Life is too short to run proprietary software.  -- Bdale Garbee

Please always Cc to me when replying to me on the lists.



Information stored:
Bug#340352; Package otrs. Full text and rfc822 format available.

Acknowledgement sent to Torsten Werner <email@twerner42.de>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #35 received at 340352-quiet@bugs.debian.org (full text, mbox):

From: Torsten Werner <email@twerner42.de>
To: Martin Schulze <joey@infodrom.org>
Cc: 340352-quiet@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#340352: otrs: Multiple SQL injection and Cross-Site-Scripting vulnerabilities
Date: Tue, 14 Feb 2006 21:06:26 +0100
Hi Martin,

Martin Schulze wrote:
> +-      SoryBy => 'Age',         # Owner|CustomerID|State|Ticket|Queue|Priority|Age
> ++      SortBy => 'Age',         # Owner|CustomerID|State|Ticket|Queue|Priority|Age
> 
> Could you... err... explain the change?

I have obviously missed that change. I do not have time to recheck the
package now, sorry.


Regards,
Torsten


Reply sent to Torsten Werner <twerner@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #40 received at 340352-close@bugs.debian.org (full text, mbox):

From: Torsten Werner <twerner@debian.org>
To: 340352-close@bugs.debian.org
Subject: Bug#340352: fixed in otrs 1.3.2p01-6
Date: Wed, 15 Feb 2006 00:02:18 -0800
Source: otrs
Source-Version: 1.3.2p01-6

We believe that the bug you reported is fixed in the latest version of
otrs, which is due to be installed in the Debian FTP archive:

otrs-doc-de_1.3.2p01-6_all.deb
  to pool/main/o/otrs/otrs-doc-de_1.3.2p01-6_all.deb
otrs-doc-en_1.3.2p01-6_all.deb
  to pool/main/o/otrs/otrs-doc-en_1.3.2p01-6_all.deb
otrs_1.3.2p01-6.diff.gz
  to pool/main/o/otrs/otrs_1.3.2p01-6.diff.gz
otrs_1.3.2p01-6.dsc
  to pool/main/o/otrs/otrs_1.3.2p01-6.dsc
otrs_1.3.2p01-6_all.deb
  to pool/main/o/otrs/otrs_1.3.2p01-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340352@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Torsten Werner <twerner@debian.org> (supplier of updated otrs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 30 Nov 2005 20:29:55 +0100
Source: otrs
Binary: otrs otrs-doc-de otrs-doc-en
Architecture: source all
Version: 1.3.2p01-6
Distribution: stable-security
Urgency: low
Maintainer: Torsten Werner <twerner@debian.org>
Changed-By: Torsten Werner <twerner@debian.org>
Description: 
 otrs       - Open Ticket Request System
 otrs-doc-de - Open Ticket Request System - German documentation
 otrs-doc-en - Open Ticket Request System - English documentation
Closes: 340352
Changes: 
 otrs (1.3.2p01-6) stable-security; urgency=low
 .
   * fixes a security problem described at
     http://otrs.org/advisory/OSA-2005-01-en/ and in
     CVE-2005-3893 (also BID15537), CVE-2005-3895 (also BID15537),
     CVE-2005-3894 (also BID15537),
     it closes: #340352
Files: 
 0dd0acec3580502a8f9ecf061ed931de 600 web optional otrs_1.3.2p01-6.dsc
 8861ace308c6f058b331fbd0e8437f0c 6639786 web optional otrs_1.3.2p01.orig.tar.gz
 f94589b636198b60b76d36ce074dc04f 15917 web optional otrs_1.3.2p01-6.diff.gz
 c29a6b599e31d7b5a847f2f74b658a3c 920580 web optional otrs_1.3.2p01-6_all.deb
 2cd8499682e6b4a5fd3ad7472329a3da 2312748 web optional otrs-doc-en_1.3.2p01-6_all.deb
 9783133f230474fabdca9b6fa30ea1d9 3005222 web optional otrs-doc-de_1.3.2p01-6_all.deb

Reply sent to Torsten Werner <twerner@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #45 received at 340352-close@bugs.debian.org (full text, mbox):

From: Torsten Werner <twerner@debian.org>
To: 340352-close@bugs.debian.org
Subject: Bug#340352: fixed in otrs 1.3.2p01-6
Date: Mon, 17 Apr 2006 17:41:26 -0700
Source: otrs
Source-Version: 1.3.2p01-6

We believe that the bug you reported is fixed in the latest version of
otrs, which is due to be installed in the Debian FTP archive:

otrs-doc-de_1.3.2p01-6_all.deb
  to pool/main/o/otrs/otrs-doc-de_1.3.2p01-6_all.deb
otrs-doc-en_1.3.2p01-6_all.deb
  to pool/main/o/otrs/otrs-doc-en_1.3.2p01-6_all.deb
otrs_1.3.2p01-6.diff.gz
  to pool/main/o/otrs/otrs_1.3.2p01-6.diff.gz
otrs_1.3.2p01-6.dsc
  to pool/main/o/otrs/otrs_1.3.2p01-6.dsc
otrs_1.3.2p01-6_all.deb
  to pool/main/o/otrs/otrs_1.3.2p01-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340352@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Torsten Werner <twerner@debian.org> (supplier of updated otrs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 30 Nov 2005 20:29:55 +0100
Source: otrs
Binary: otrs otrs-doc-de otrs-doc-en
Architecture: source all
Version: 1.3.2p01-6
Distribution: stable-security
Urgency: low
Maintainer: Torsten Werner <twerner@debian.org>
Changed-By: Torsten Werner <twerner@debian.org>
Description: 
 otrs       - Open Ticket Request System
 otrs-doc-de - Open Ticket Request System - German documentation
 otrs-doc-en - Open Ticket Request System - English documentation
Closes: 340352
Changes: 
 otrs (1.3.2p01-6) stable-security; urgency=low
 .
   * fixes a security problem described at
     http://otrs.org/advisory/OSA-2005-01-en/ and in
     CVE-2005-3893 (also BID15537), CVE-2005-3895 (also BID15537),
     CVE-2005-3894 (also BID15537),
     it closes: #340352
Files: 
 0dd0acec3580502a8f9ecf061ed931de 600 web optional otrs_1.3.2p01-6.dsc
 8861ace308c6f058b331fbd0e8437f0c 6639786 web optional otrs_1.3.2p01.orig.tar.gz
 f94589b636198b60b76d36ce074dc04f 15917 web optional otrs_1.3.2p01-6.diff.gz
 c29a6b599e31d7b5a847f2f74b658a3c 920580 web optional otrs_1.3.2p01-6_all.deb
 2cd8499682e6b4a5fd3ad7472329a3da 2312748 web optional otrs-doc-en_1.3.2p01-6_all.deb
 9783133f230474fabdca9b6fa30ea1d9 3005222 web optional otrs-doc-de_1.3.2p01-6_all.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 20:31:16 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 00:04:05 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.